Comments about technological history, system fractures, and human resilience from James R. Chiles, the author of Inviting Disaster: Lessons from the Edge of Technology (HarperBusiness 2001; paperback 2002) and The God Machine: From Boomerangs to Black Hawks, the Story of the Helicopter (Random House, 2007, paperback 2008)

Saturday, January 28, 2012

Delta Mariner: Bridge meets ship, gets carried away

Following the rocket-part-carrying Delta Mariner's crash into the Eggner Ferry Bridge on the Tennessee River yesterday evening (photo AP):
The bridge was in use at the time, but apparently no vehicles were on the portion that went down (Photo AP):
Here's the ship's information page from MarineTraffic. Courtesy of the blog DieselDuck at Mariner, here's a cached blurb about the ship's work for NASA from Foss Maritime, the operator. 

On investigators' to-do list will be these questions:
  • Height of the river, given recent rains;
  • Whether the ship was in the usual channel;
  • Whether reconstruction of the bridge had changed anything;
  • Whether all the bridge lights were illuminated; and
  • The ship's navigational information, if recorded
The ship was laid down 12 years ago, so it may not have a Voyage Data Recorder/Marine Event Recorder, but I'm guessing that it does, given the work for NASA and the high-value cargo. In that case the first job of the officer on watch would have been to hit the "emergency save button." Here's a photo of a VDR control panel, from the Australian investigation into the grounding of the cruise ship Astor in Platypus Channel, 2004:
Following an explosion, fire, collision, or allision like the Delta Mariner's, for a VDR panel like the one on the Astor, the important button is the one on the upper left. A crewmember has to know to go the panel immediately, raise the plastic guard, press the emergency-save button, and keep holding it down until it starts flashing. 

Capt. Francesco Schettino of the Costa Concordia says that the VDR on his ship had been on the blink for 15 days, so the police won't find much in it. Perhaps it's true that the VDR had been problematic and that the crew had reported it to the operator, but in my quick scan of investigative shipping reports involving troubles with VDR records, I could only find one in which the VDR completely failed to record, and that was due to a glitch nobody had understood until the mishap. That was the European Pioneer; here's the MAIB report. In a few other VDR cases, some channels of information didn't record because a wire was loose. 

But in the majority of cases the crew failed to activate the emergency backup button, so all the data was overwritten in the following hours. Human error has been the most common problem, and it was the subject of this marine advisory from Gard.

So to summarize, VDRs on ships have this important practical difference from Flight Data Recorders on aircraft. In a typical crash, the aircraft is demolished and the unit stops recording, so there's no danger of inadvertently overwriting pre-crash data. 

Not so with most shipping incidents, in which the ship's power stays on for hours or even days. Unless instructed otherwise, the VDR continues to function, which means it saves only a few hours of data (the time span depends on the model) before overwriting the memory. Wait a few hours, and there's nothing useful to be had.


Tuesday, January 24, 2012

Leap Seconds: The Why and the When-For

Readers may have noted last week that the International Telecommunication Union (ITU) nearly decided earlier this month whether to continue or discontinue use of the leap second, but in the end, agreed not to agree until 2015 (or later) given the deadlock between anti-leap forces and pro-leap forces.

In general, pro-leapers are led by astronomers and England, who point to the odd consequence that if official clocks are freed from Earth's rotational speed, the clocks of the distant future will eventually show twelve noon when common sense says it's time for dinner from the replicator or whatever. Why? Not because atomic clocks are inaccurate, but because Earth is. Here's one of the atomic troublemakers in Switzerland:
Anti-leapers fret over the risk that intermittent leap-second-insertion might pose to the stability of complex, safety-critical networks that depend on exact synchronization. Anti-leapers feel that atomic-based time needs to be freed from the cruel rule of the Earth's rotation. The debate has gone on for almost ten years, and no resolution is in sight. 

Tacking on leap seconds is one of the very few human events that happens simultaneously, worldwide. The first leap for mankind came in 1972.

The leap second is not connected to the leap year, which will add one day to February in 2012 and again at four year intervals (same as the US presidential election cycle.)

The following explanation is condensed from an article I wrote for Air&Space. The news hook was a leap second on New Year's Day, 2009.

At the direction of the International Earth Rotation Service (I love that name -- as grand as the Planetary Protection Officer at NASA) the world's timekeepers add leap seconds to line up the 86,400-second day as clocked by Coordinated Universal Time (abbreviated UTC) with how humans measure the length of a day: from the Sun's position.

UTC is tied to microwaves emitted by an isotope of cesium. Its basic unit, the second — defined in 1967 and one of seven standard units presided over by the International Bureau of Weights and Measures in Sevres, France — is how long it takes for 9,192,631,770 cycles of that specific energy to tick by. The atomic clocks that measure the frequency are the most accurate scientific instruments in existence, neither losing nor gaining a second over hundreds of millions of years.

Our home planet has been slowing down for eons. Earth went around so much faster in the Paleozoic era that a day back then was two hours shorter than today's day. The forces that affect Earth's rotational speed include seasonal effects on oceans and winds, the swirlings of molten metal deep in the core, a tightening of the middle latitudes that is making the planet slightly rounder than before, and thinning of glaciers caused by global warming. 

Occasionally, the Earth's RPM speeds up over short periods. If Earth’s densest molten rock settles closer to the core, all of us Earth-riders speed up—a little. This may sometimes counter the tidal action that slows us down. Here's a chart from Wiki's earth rotation page showing how the amount of slowing varies a good deal from year to year:
For reasons not yet clear, says Richard Gross, a geophysicist at NASA’s Jet Propulsion Laboratory in California, Earth ran unusually slow for a few months in 1912, making for the longest days in the 20th century. By contrast, on July 13, 2003, the Earth was speedy enough that it beat the clock by one millisecond, going around in 86,399.999 seconds flat. Still, on average, the days of our lives must get longer.

But no expert or computer can predict when forces will combine to require another second to straighten out the clocks. Although leap seconds usually come every year or two, Earth had something unusual going on in its core during a six-year stretch after the New Year’s of 1999. During that period, timekeepers tolled only one extra leap second.

How does anybody know that a given day in 2003 took a millisecond less than the standard day? The answer comes from radio antennas spaced on continents around the world. Together they make up the Very Large Baseline Interferometry, or VLBI, network. Signal processing and precision timing turn the global network into one giant antenna, thousands of miles in diameter. That size gives it very sharp vision in the radio spectrum.

The VLBI network was set up to plumb the depths of the distant universe, the farthest objects of which are quasars, giant galactic cores that blast radio waves and X-rays across billions of light years. Because they are so far away, quasars appear to receivers on Earth almost stationary, so astronomers use them as a fixed frame of reference. Using radio antennas to pick up signals from quasars, scientists can monitor the rotation of Earth with great precision. Here's a diagram:
Using atomic clocks, geodetic researchers measure the slight time differences between the arrival of a quasar’s signals at several widely separated radio telescopes. The delays in arrival times change as the Earth rotates. Knowing the fixed positions of the telescopes and the changes in the time differences makes it possible to calculate the rate of the Earth’s rotation.

Jet Propulsion Laboratory needs to track Earth’s rotation because it uses tracking measurements taken by telescopes located on the rotating Earth to help spacecraft navigate around the solar system. That’s why the lab has a geophysicist—Richard Gross—among its astrophysicists.

The growing complexity of electrical transmission, broadcast, Internet, and telephone systems, all of which rely on precise synchronization, could make frequent insertions risky. The 2005 leap second revealed a programming problem at the Swiss time-broadcasting station HBG, and some “network time protocol” servers on the Internet suffered computer hiccups. Such dangers have prompted several scientific organizations, including the U.S. Naval Observatory, to recommend in 2008 that leap seconds be discontinued.

Observatories, which rely on UTC when steering automated telescopes, have joined to fight off a proposal from anti-leap-seconders to drop the little leap second and make only big changes, perhaps once every 600 to 900 years, by inserting a full hour instead. “Civil time that tracks the sun means that we keep a conventional meaning of time that is consistent with all of human history,” argues researcher Steve Allen of the University of California’s Lick Observatory. 

In the meantime, given the deep divisions, leap we must: the next leap second comes on June 30.

Saturday, January 21, 2012

Concordia Update: More investigative tools

Authorities have recovered the Voyage Data Recorder (see previous post) so the ship's onboard data will be emerging soon.

Meantime, Quality Positioning Services BV has put together a vessel track from the navigational info that Concordia was transmitting in its last hour. Check it out:

The initial allision happens just short of a minute into the video. You might well wonder how it's possible for anyone to put this together when the VDR data and shore radar records haven't been released yet. It's because under ship-safety treaties, ships like the Concordia must carry an Automatic Identification System (AIS) transmitter, which sends a constant update of the ship's position, speed, and course. ("Course" reflects the direction the ship's bow is pointing, regardless of which way the hull is moving.) 

Ships trade the AIS information with each other as a collision-avoidance system, supplementing their radar sets.

AIS information is also captured on shore by the Vessel Tracking Service and AIS base stations. That's the data stream that QPS used in preparing the track video.

Here's a link to a PDF document explaining the company's methodology. QPS notes that the ship first struck the rocks at a speed of 15 knots. Here's one of those boulders, which the ship broke off and carried away, until it returned to shore for the last time:
Self-correction on the ship's propulsion: In this post I wrote that the Costa Concordia might have used thruster pods for propulsion. (Thruster pods, also called azipods, are swiveling units that house electric thrusters, mounted under the hull.)  Rather, Concordia used a variable pitch propeller, powered by marine diesel engines running most of the time on heavy fuel oil (HFO) that's so thick it only flows when heated. Here's my Rena post on HFO and how it differs from diesel fuel. 

Photos of the hull on its side, while confirming that Concordia didn't have azipods, do show that it had a pair of roll stabilizers, which help to prevent parametric rolling from getting out of hand, as on the Pacific Sun. Here's what the Sperry's brand of stabilizer looks like:
 Here's the port stabilizer - it's the red rectangle jutting out:
 Here's a closeup of the stabilizer:
It pivots into the hull to avoid damage during tug movements or docking - that's the purpose of the notch. 

The ship's roll stabilizer is visible from space (photo by DigitalGlobe, from the QuickBird satellite). It's the tiny white object on the ship's port side, about two-thirds the way down the length of the hull, measured from the stern, which is at the top of the image.
I find it interesting that the stabilizer is apparently undamaged, despite the scraping of the hull abaft that position. Such damage to the aft hull on the port side suggests to me that the ship was making a hard turn to starboard at the time it struck the rocks. 

With a stern drive like the Concordia had, a hard turn to starboard (right) shoves the stern to port (the left), which forces the stern against obstacles lying on that side. It might explain why the roll stabilizer appears to be undamaged, even though it juts well away from the hull. Another possibility is that the roll stabilizers were stowed at the time of first impact and popped out later. The VDR data should settle that. In any case it seems likely that the helm was hard over at the time of impact.

Monday, January 16, 2012

Costa Concordia: Investigative tools

Sit-rep on the Costa Concordia: six bodies have been found; sixteen people who were on board have not reported to authorities; the ship may come off the rocks at any time and slide into deep water; and the owners have issued a statement about possible human error that distances them from the captain. An Italian helicopter pulled off an employee yesterday (photo in the Telegraph, from AFP):
Here's the flotilla of used lifeboats, from Wiki Commons:
Because of the rapid heeling of the ship in the final moments, many passengers had to climb down ropes or jump.

In my previous post I mentioned the black box required on newbuild passenger ships like the Costa Concordia after 2002, the voyage data recorder, aka marine event recorder. Here's a photo of such a rig from Transas:
Here's a brochure for one brand, a Raytheon model, of VDR. For a ship of the Costa Concordia's class, a VDR captures the following:
  • Position, date, time using GPS.
  • Speed log – Speed through water or speed over ground.
  • Gyro compass – Heading.
  • Radar – As displayed or AIS data if no off-the-shelf converter available for the Radar video.
  • Audio from the bridge, including bridge wings.
  • VHF radio communications.
  • Echo sounder – Depth under keel.
  • Hull openings – Status of hull doors as indicated on the bridge.
  • Watertight & fire doors status as indicated on the bridge.
  • Hull stress – Accelerations and hull stresses.
  • Rudder (or Azipod) angle– Order and feedback response.
  • Engine/Propeller – Order and feedback response.
  • Thrusters – Status, direction, amount of thrust percentage or RPM.
  • Anemometer and weather vane – Wind speed and direction
  • Main alarms – All alarms mandated by the International Maritime Organization
One channel of main-alarm data that interests me is a time plot of degrees from vertical. When did the ship start to heel over? Late-model cruise ships with a shallow draft and a high stack of hotel-like cabins have a metacentric height that can make them tippy under certain conditions. Here's a Globalspec link to how metacentric height is calculated:
Some conditions that can lead to a capsize are improper loading or a tight turn, particularly if these combine with a stiff wind. Here's a link to the following detailed graphic from the Daily Mail, showing such a U-turn before the ship rolled onto its side:
Note the bow-on profile of the ship on the right of the graphic, comparing how much structure was above the waterline compared to how much below.

While blogging about containerships in distress (such as Rena, another ship that hit the rocks) I promised a post about parametric rolling, in which a ship's physical features interact with heavy seas of a specific wavelength. The result is a harmonic that can dangerously magnify a ship's tendency to roll, particularly when the ship is almost bow-on to the waves. (Traditionally, shipmasters head directly into the waves during a storm, because that was thought to be the safest course.)

While parametric rolling wasn't a factor in the Costa Concordia's loss, I mention it because it's a remarkable phenomenon of the open sea and was unrecognized until the modern era. It's already damaged some containerships, and may have imperiled the cruise ship Pacific Sun during a South Pacific storm in 2008. Dozens of passengers were injured, many by furnishings on the move. Still, Pacific Sun made it back to shore from its "Summer Daydream" cruise, which is pretty amazing since video taken from a helicopter shows rolling so extreme (31 degrees off vertical) that the underside of her hull is visible. Here's an image from the British investigative report, tilted to indicate to readers what the roll felt like from inside:

Saturday, January 14, 2012

Wreck of the Costa Concordia: Update

Watching early reports about the allision of the cruise liner Costa Concordia on a reef, followed by capsizing. This Getty image:
Three are reported dead, and four dozen missing, but it's extremely difficult to keep track of 4,000-plus people when a ship sinks close to shore, so we can hope some of the missing crew and passengers are safe but unreported. 

The ship struck after 10 pm Friday evening. Here's an Associated Press photo of the hull the next day.
While it looks like two photographs stitched together, the brown section between the ocean and the white upper hull is the wrecked lower hull. That's some serious damage! And a big rock too.

It may be hard to believe that a ship traveling weekly on the same Mediterranean cruise route would smash into rocks after so many trips, it's more believable if the ship suffered some kind of power failure shortly before grounding. Modern computerized ships, particularly those relying on thruster pods like the Costa Concordia, are vulnerable to catastrophic power failures. While redundant generators and buses should prevent this, sometimes it happens.

Some reports point to a possible flaw in the navigational charts (a mischarted reef, or an unknown one), but I'd doubt that here. Here are graphics and charts on the Concordia's last voyage, from gCaptain. Fishermen and others who knew the waters said that the ship was off its usual route. 

The ship should have a record of events stored on its VDR (voyage data recorder), so the cause of the sinking won't remain a mystery for long. My particular interest is gathering lessons about time-critical, high-stress evacuation, so that's the aspect I'm watching as information emerges about how passengers crawled and climbed off the listing ship and found their way into the lifeboats.

Monday, January 9, 2012

After the Storm: Rena's Breakup

As predicted by salvage experts, the weekend storm broke the containership Rena in two, leaving the bow section on the reef:
Two days on, the bottom had fallen out of one section, along with the containers, leaving this strange skeleton of hatchway openings and hull:
To recap: On October 5 Rena crashed full speed onto Astrolabe Reef 14 miles outside the harbor at Tauranga, NZ. Remarkably, it held together for months, even though half the 47,000-ton ship was free to rise and fall with the waves, putting enormous stress on the midships section between the floating part and the grounded part. A crack in the hull developed early, and widened:
The numbers at the point of breakup:
  • Containers lifted off by salvors and taken to shore: 389
  • Containers that fell off before the storm: about 100
  • Containers still on board at the time of the breakup: about 900
  • Oil pumped out by salvage crews: 1,000 tons
  • Oil still on board last weekend: about 400 tons, some of which is now headed out to sea:
There's no report out yet on why the ship went full speed onto rocks that are well known to mariners.

Friday, January 6, 2012

Deadly Elevator Accident: Interlocks under suspicion

Thoughts on information that's been released about the circumstances of Suzanne Hart's death December 14 in an elevator at the Young & Rubicam office building, 285 Madison Avenue, NYC. Here's a photo of the building entrance from NY Daily News, with an NYPD Emergency Service Unit heavy-rescue truck parked outside:
The office building opened in 1926. The accident happened in an elevator in the lower-floor bank, covering floors 1-12. The elevator is a traction device, which rolls along steel tracks while suspended from a steel cable or belt. The prime mover is an electric winch with electronic controls. 

Being licensed by NYC's Department of Buildings, and inspected by contractors, it's supposed to have multiple safety devices that prevent doors closing on people, and to prevent the car from moving without proper command.

December 13: A company called Transel Elevator comes to the building to perform routine work on the elevator. Here's a link to a Transel site. Transel advertises its reliance on non-proprietary control systems for construction and repairs.

December 14: Transel puts the car at 285 Madison Ave. back into service in the morning. It's unclear how much time passes, but at about 10 am the elevator car is on the ground floor, with two passengers inside, its doors open. As Hart begins to step in, a passenger presses the button for an upper floor. The car shoots upward when Hart is halfway in and pins her at the second floor, between the top of the hoistway opening and the floor of the car. The other two passengers in the car are trapped in this horrifying space for over an hour, until emergency workers get enough control of the machinery to extricate them. One has sued for emotional distress. 

There are reports that the impact was so violent the other elevators in the bank had to be checked for damage.

I looked through accounts of other mishaps involving uncommanded elevator movements, and what turned up. Here's a list of factors that investigators (including a firm hired by the Department of Buildings, and consultants hired by the parties) are likely to check.

Timing of events: After the elevator went back into service that morning, were any trouble reports posted before the fatality?

Electronic controls:  These include control panels up in the machinery room, near the hoist motor. Were jumper wires still in place from the repairs? Jumpers -- temporary wires with alligator clips at each end -- are a possible cause when electronics go crazy soon after repair work on it. It's not necessarily a problem to use jumpers for diagnosis while the car is out of service, but the machine must not be restored to service with jumpers still in place; they could short-circuit the interlocks that keep passengers safe.

Counterweights: Were these in proper balance, such that the car had no strong tendency to lurch upward when lightly loaded?

Overspeed governor: Probably not relevant here given the very short distance of travel, but these devices clamp the car to the rails when velocity exceeds a set value, commonly 125% of the maximum speed. They're standard on traction systems to guard against excessive downward speeds, in case of cable break. Some models protect against upward movement.

Doorway detectors and associated interlocks: Depending on the model, these can include photoelectric light beams, safety edges on the doors (the gadgets that look like retracting bumpers at the door edges), and infrared curtains. Any of these should have detected that Hart was in the doorway, which with safety interlocks should have kept the doors from closing. And with the car doors and hoistway doors standing open, the elevator shouldn't have moved at all. 

Thus the recent speculation about some kind of serious problem remaining in the electronics at 10 am.