In Part C2 of this report we apply Layers of Protection Analysis (LOPA). LOPA was developed within the chemical process industry as a method of examining the mitigations in place or available for a subset of the initiating events identified during preliminary hazard analysis. It was first documented in 2001 by the American Institute of Chemical Engineers. The basis of LOPA is a set of “Independent Protective Layers.” Protection against the initiating event is provided separately by each layer. The method provides a standard set of layers which can be instantiated for any specific system and initiating event.
To perform the analysis, we begin by specifying the system, the initiating event of interest and the consequences of concern. The system in this case is the Death Star power core. This core consisted of a single “hypermatter” reactor, capable of powering all of the systems on the Death Star. The initiating event is entry of hostile craft into the superstructure, and the consequence of concern is an uncontained reaction within the core.
IPL1 – Design:
Ideal protection against any hazard is to design the system to exclude the hazard. Typically, this is achieved through substitution – finding a less dangerous way to provide the same functionality. For example, convection-cooled nuclear reactors eliminate the hazard of loss of coolant pump power by not using coolant pumps. In the case of the Death Star, it would be unreasonable to expect the possibility of an explosion to be designed out. The oxygen rich “space vacuum” of the Star Wars Universe renders all power sources vulnerable to explosions, particularly under circumstances of enemy fire or dramatic tension. No non-explosive power core was available.
However, what about the initiating event? Could the Death Star not have been designed such that small attack craft could not penetrate to the heart of the vessel? Probably this was the case in the “steady state” of the Death Star, but proper risk analysis should consider startup and shutdown of the system as well. Clearly this analysis was performed, resulting in the placement of a shield generator on the Endor moon. “Bolting on” protection in this way is a clear sign of safety analysis lagging behind design processes. An actively-generated shield was always a weaker protection than designing-in physical security.
IPL2 – Basic Controls:
Basic controls are used to keep chemical plants within normal operating conditions. Most initiating events involve progressive drift from normal conditions, and this can be detected and corrected before the event can even be considered part of an emergency incident. The assumption that hostile craft would not penetrate the shield meant that little consideration was given to this layer of protection.
IPL3 – Alarms and Manual Intervention:
When things go wrong, it is important that operators have sufficient information to detect the crisis and act. This layer of protection was certainly in place, and functioned as designed. The staff on board the Death Star were immediately informed when the small craft penetrated the super-structure, and were able to direct manual interventions precisely. Unfortunately no system of manual intervention is 100% reliable against any threat.
IPL4 – Automated Safety:
Automated safety in this circumstance was provided by the Power Regulator located on the North Tower of the hypermatter reactor. Enemy fire destroyed this regulator shortly before the explosion – it is arguable that destruction of the regulator alone may have been sufficient to cause an uncontained reaction.
Here our analysis shows a flaw in the reactor protective systems. Rather than providing a separate layer of protection, the Power Regulator provided an alternate mechanism for the accident. Whilst good design would require failure of both the core and the power regulator, in fact failure of either may have been sufficient. Even were this not the case, the near simultaneous destruction of both systems shows that they were not independent layers of protection.
Far more appropriate would be an automated system which forced the reactor core into a fail-safe state in the event of an attack. Whilst this would be operationally undesirable, a power-less Death Star would certainly be preferable to no Death Star at all.
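The independence point made above is what the LOPA arithmetic relies on: the consequence frequency is the initiating-event frequency multiplied by each layer's probability of failure on demand (PFD), which is only valid if the layers fail independently. The following is an added illustration, not part of the original report, and every figure in it (initiating-event frequency, layer PFDs, the coupled pair and the coupling factor `beta`) is a constructed assumption rather than a value from the analysis. It shows how much credit a naive LOPA overstates when two layers share a common cause, using a simplified conditional-failure model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float  # probability of failure on demand, 0 < pfd <= 1


def mitigated_frequency(initiating_freq: float, layers: list[Layer]) -> float:
    """Textbook LOPA: f_consequence = f_initiating * PFD_1 * ... * PFD_n.
    Only valid when every layer fails independently of the others."""
    f = initiating_freq
    for layer in layers:
        f *= layer.pfd
    return f


def joint_pfd(first: Layer, second: Layer, beta: float) -> float:
    """Joint failure probability of two layers sharing a common cause.
    Simplified model (an assumption of this example): given that `first` has
    failed, `second` fails with probability beta + (1 - beta) * pfd_second.
    beta = 0 reproduces independence; beta = 1 collapses the pair to one layer."""
    return first.pfd * (beta + (1.0 - beta) * second.pfd)


def mitigated_frequency_with_common_cause(initiating_freq: float,
                                          layers: list[Layer],
                                          coupled: tuple[str, str],
                                          beta: float) -> float:
    """LOPA where one pair of layers is credited jointly via joint_pfd()."""
    by_name = {layer.name: layer for layer in layers}
    first, second = (by_name[name] for name in coupled)
    f = initiating_freq * joint_pfd(first, second, beta)
    for layer in layers:
        if layer.name not in coupled:
            f *= layer.pfd
    return f


# Constructed illustration loosely following the report's layer names.
# None of these numbers come from the report.
INITIATING_FREQ = 0.1  # hostile craft entering the superstructure, per year
LAYERS = [
    Layer("Shield (design)", 0.1),
    Layer("Alarms and manual intervention", 0.1),
    Layer("Power regulator (automated)", 0.1),
]
# Assumed coupled pair: both are defeated by the same attack on the reactor area.
COUPLED = ("Alarms and manual intervention", "Power regulator (automated)")

if __name__ == "__main__":
    naive = mitigated_frequency(INITIATING_FREQ, LAYERS)
    coupled = mitigated_frequency_with_common_cause(INITIATING_FREQ, LAYERS, COUPLED, beta=0.5)
    print(f"independent layers: {naive:.2e}/yr; with common cause: {coupled:.2e}/yr "
          f"(credit overstated {coupled / naive:.1f}x)")
```

With the constructed figures the naive calculation claims 1e-4 per year while the coupled calculation gives 5.5e-4 per year, so assuming independence overstates the protection by a factor of 5.5.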
IPL5 – Physical Protection:
Physical protection can take two forms – containment, and isolation. Clearly containment was not an option, as the energy generated from the uncontained reaction was sufficient to destroy the entire structure. Given that this was the case, however, why put the reactor in the middle of the Death Star at all? A logical design would be a multi-hull craft, with the majority of the crew in one hull, and the dangerously explosive core in the other. This is, in fact, the prevailing design philosophy in the Star Trek universe, explicitly due to the dangers presented by breach of the warp cores.
IPL6 – Emergency Response:
It is uncertain what, if any, actions were taken in response to the destruction of the reactor core. Options available may have included venting pressure into space, or rapid evacuation. The fact that the attacking craft and a personnel shuttle were able to depart in the time between the collision with Executor and the final explosion suggests that with adequate emergency response in place, a significant portion of the crew may have managed to evacuate, even if the explosion could not be mitigated.
IPL7 – Community Response:
Emergency response at the community level was limited by two factors. Firstly, there was a lack of independence between the emergency and the ability to respond. This is unfortunately not unusual. In a large number of cases response has been hindered by damage to communication and rescue equipment by the incident requiring response. Secondly, there was a lack of competence and training on the part of the Rebel Alliance management. Promotion of an ex-pirate, a gambler and a religious acolyte to leadership positions takes the “Peter Principle” to new heights. It may have been effective in winning the battle, but that was small consolation to the Ewok populace.
Part C considers the circumstances of the accident up until the time of the explosion. Part D will consider the post-explosion response.
In Part C1 we apply the Kaoru Ishikawa method of analysis.
Ishikawa diagrams, also known as “fishbone diagrams” and “cause and effect diagrams”, were invented by Kaoru Ishikawa as a way of illustrating the various factors causing a problem in quality control. They were adopted by Boeing Aerospace, first for quality control, then for analysis of accidents and incidents.
The strength of the technique is that it applies categories (traditionally the six Ms – Manpower, Methods, Machines, Materials, Measurements, Mother Nature) which result in considering a broader range of factors than would otherwise be thought about.
The main limitation of the technique is that causality is only loosely defined. In theory the method is based on “necessary and sufficient” causes, but in practice a wider range of influencing factors need to be considered. The method also struggles when people, methods and equipment are inter-related rather than being causally distinct.
In the diagram presented here, it is clear that the accident could be naively analysed as a technical design problem (an exposed reactor core), as human error (allowing a small band of plucky heroes within the protective shield), as enemy action (the rebel attack) or as poor safety process (failing to learn lessons from the first Death Star, and not considering whole-of-lifecycle risk). In fact, the accident was all of these things. The Ishikawa approach allows us to find a range of areas in which our organisation can be improved by learning from this accident.
One thing that the approach does not tell us is why this particular accident occurred. The features present in the accident were equally features of many Imperial operations. For example, a very similar diagram could be drawn for the Imperial attack on the Hoth Ice World, a near-complete success. On the one hand, this shows that careful analysis of past operations could cause organisational learning in time to prevent accidents such as the destruction of the Death Star. On the other hand, if the diagrams look the same for both events, we may have failed to consider important factors which caused the accident.
The Death Star
The Death Star (see Figure 1) was the second platform of that name. It commenced construction after the destruction of the first Death Star at the Battle of Yavin in 0 ABY. The Death Star was spherical in construction, with a diameter of 900 kilometres. The main power supply was a hyper-matter reactor. Propulsion was via Ion drives, although these were not operational at the time of the Death Star’s destruction.
In addition to the main armament (a Superlaser) the Death Star carried turbo-lasers and tractor beams for point defence, and small-craft docking and re-arming facilities. On-board accommodation was provided for up to 15 million crew and civilian contractors. The accident occurred whilst the Death Star was still under construction in orbit around the second moon of the gas giant Endor. All weaponry was fully operational, but the shields, ion-drives and portions of the superstructure had not yet been assembled and commissioned.
The Executor was the lead vessel of a class of capital ships for the Imperial Navy. SSD Executor was approximately 20 kilometres in length, and was built from titanium-reinforced alusteel. Her primary armament consisted of several thousand turbo-laser batteries and ion cannons. Defences included laser batteries and deflector shield generators.
The Battle of Endor was a planned counter-terrorist operation involving co-ordination between the Death Star, the Imperial Battle Fleet and ground forces on the 2nd Moon of Endor (the “forest moon”). In response to the asymmetrical warfare tactics employed by terrorist forces, the operation made use of carefully planted mis-information to expose the terrorist forces to a set-piece battle.
The plan for the operation called for a shield around the Death Star, generated from a bunker on the forest moon, to be maintained constantly. This shield failed due to catastrophic battle damage to the bunker approximately thirty minutes after the main phase of the operation began.
Subsequently, multiple small craft evaded both the fixed and mobile small-craft defences of the Death Star and entered the unfinished portion of the superstructure.
At approximately the same time the SSD Executor suffered battle damage to the primary command deck, losing attitude and propulsion control. The Death Star was unable to manoeuvre to avoid the path of the Executor, and the bow of the Executor struck the Death Star. It is believed that most of the casualties on board the Executor occurred during this collision.
The small craft within the Death Star superstructure fired on the reactor, and both vessels were destroyed by the explosion of the reactor core.
Timing for subsequent events has not been determined. Eye-witness reports suggest that there were survivors alive directly below the Death Star’s orbit on Endor for several hours following the explosion. Some theories suggest that portions of the Ewok population residing on the far side of Endor may have survived for several months before radiation and nuclear-winter effects rendered the surface uninhabitable.
Despite the availability of numerous Imperial and Rebel platforms in the region, no attempt at evacuation appears to have occurred at any time.
The Imperial Navy Death Star was a bespoke counter-insurgency platform. In 4 ABY the Death Star collided with SSD Executor, a Star Dreadnought. All crew aboard the Executor were killed, and both vessels received substantial damage from the impact. The Death Star subsequently incurred further damage from small craft operated by terrorist agents, and exploded. The estimate of direct casualties is 13 million, but due to poor record keeping the precise numbers of civilians and military personnel on board the Death Star at the time of the accident are unknown. Further casualties occurred when the wreckage fell to Endor, causing substantial environmental damage and killing the entire Ewok species.
- Whilst the incident occurred during active operations, it cannot be dismissed as attrition through enemy action. The puny rebel fleet should have been no match for the power of a fully operational battlestation.
- The Imperial Navy responded to the destruction of the first death star by introducing technical improvements to platforms and equipment, without responding to the wider organisational problems. These structural and cultural issues led directly to the circumstances of the second Death Star accident.
- The trade-offs between safety, operational effectiveness, and project schedule were made without due regard for the level of risk involved in this decision making. In particular, the visible importance that senior management placed on meeting deadlines overshadowed all other considerations.
- There was systematic misalignment of authority and responsibility throughout the Imperial Navy, leading to poor decision making in times of crisis.
- The absence of a Just Culture within the Imperial Fleet discouraged staff from raising concerns. This choked vital reporting mechanisms which could have alerted senior management to the systematic problems.
- The rebel fleet was overly reliant on “heroic individuals” to achieve organisational goals. This ad-hoc approach to management achieved short-term effectiveness at the expense of addressing systemic risk and longer-term fallout from their actions.
- The design of the Death Star incorporated defence-in-depth protection mechanisms, but these were subverted by common-cause failures.
- The effects of the accident were made significantly worse by overconfidence and lack of emergency response planning.