Accident Analysis of the Death Star (C2 – Layers of Protection Analysis)


In Part C2 of this report we apply Layers of Protection Analysi (LOPA). LOPA was developed within the chemical process industry as a method of examining the mitigations in place or available for a subset of the initiating events identified during preliminary hazard analysis. It was first documented in 2001 by the American Institute of Chemical Engineers. The basis of LOPA is a set of “Independent Protective Layers.” Protection against the initiating event is provided separately by each layer. The method provides a standard set of layers which can be instantiated for any specific system and initiating event.

Layers of Protection

To perform the analysis, we being by specifying the system, the initiating event of interest and the consequences of concern. The system in this case is the Death Star power core. This core consisted of a single “hypermatter” reactor, capable of powering all of the systems on the Death Star. The initating event is entry of hostile craft into the superstructure, and the consequences of concern are an uncontained reaction within the core.

IPL1 – Design:

Ideal protection against any hazard is to design the system to exclude the hazard. Typically, this is achieved through substitution – finding a less dangerous way to provide the same functionality. For example, convection-cooled nuclear reactors eliminate the hazard of loss of coolant pump power by not using coolant pumps.  In the case of the Death Star, it would be unreasonable to expect the possibility of an explosion to be designed out. The oxygen rich “space vacuum” of the Star Wars Universe renders all power sources vulnerable to explosions, particularly under circumstances of enemy fire or dramatic tension. No non-explosive power core was available.

However, what about the initiating event? Could the Death Star not have been designed such that small attack craft could not penetrate to the heart of the vessel? Probably this was the case in the “steady state” of the Death Star, but proper risk analysis should consider startup and shutdown of the system as well. Clearly this analysis was performed, resulting in the placement of a shield generator on the Endor moon. “Bolting on” protection in this way is a clear sign of safety analysis lagging behind design processes. An actively-generated shield was always a weaker protection than designing-in physical security.

IPL2 – Basic Controls:

Basic controls are used to keep chemical plants within normal operating conditions. Most initiating events involve progressive drift from normal conditions, and this can be detected and corrected before the event can even be considered part of an emergency incident.The assumption that hostile craft would not penetrate the shield meant that little consideration was given to this layer of protection.

IPL3 – Alarms and Manual Intervention:

When things go wrong, it is important that operators have sufficient information to detect the crisis and act. This layer of protection was certainly in place, and functioned as designed. The staff on board the Death Star were immediately informed when the small craft penetrated the super-structure, and were able to direct manual interventions precisely. Unfortunately no system of manual intervention is 100% reliable against any threat.

IPL4 – Automated Safety

Automated safety in this circumstance was provided by the Power Regulator located on the North Tower of the hypermatter reactor. Enemy fire destroyed this regulator shortly before the explosion – it is arguable that destruction of the regulator alone may have been sufficient to cause an uncontained reaction.

Here our analysis shows a flaw in the reactor protective systems. Rather than providing a separate layer of protection, the Power Regulator provided an alternate mechanism for the accident. Whilst good design would require failure of both the core and the power regulator, in fact failure of either may have been sufficient. Even were this not the case, the near simultaneous destruction of both systems shows that they were not independent layers of protection.

Far more appropriate would be an automated system which forced the reactor core into a fail-safe state in the event of an attack. Whilst this would be operationally undesirable, a power-less Death Star would certainly be preferable to no Death Star at all.

IPL5 – Physical Protection

Physical protection can take two forms – containment, and isolation. Clearly containment was not an option, as the energy generated from the uncontained reaction was sufficient to destroy the entire structure. Given that that was the case, however, why put the reactor in the middle of the Death Star at all? A logical design would be a multi-hull craft, with the majority of the crew in one hull, and the dangerously explosive core in the other. This is, in fact, the prevailing design philosophy in the Star Trek universe, explicitly due to the dangers presented by breech of the warp-cores.

IPL6 – Emergency Response

It is uncertain what, if any, actions were taken in response to the destruction of the reactor core. Options available may have included venting pressure into space, or rapid evacuation. The fact that the attacking craft and a personnel shuttle were able to depart in the time between the collision with Executor and the final explosion suggests that with adequate emergency response in place, a significant portion of the crew may have managed to evacuate, even if the explosion could not be mitigated.

IPL7 – Community Response

Emergency response at the community level was limited by two factors. Firstly, there was a lack of independence between the emergency and the ability to respond. This is unfortunately not unusual. In a large number of cases response has been hindered by damage to communication and rescue equipment by the incident requiring response. Secondly, there was a lack of competence and training on the part of the Rebel Alliance management. Promotion of an ex-pirate, a gambler and a religious acolyte to leadership positions takes the “Peter Principle” to new heights. It may have been effective in winning the battle, but that was small consolation to the Ewok populace.

Advertisements


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s