Human error-power supply failure to air traffic controller radar screen at IGI, New Delhi

In an incident involving human error, an electrician at Indira Gandhi International (IGI) airport, New Delhi switched off a miniature circuit breaker (MCB) while fixing an electrical fitting. This MCB as it is reported, is on the line supplying power to air traffic controller (ATC)  radar screens and screens went blank. The standby power (may be diesel generator) came into line in a few seconds and rebooting of all consoles and restoration took about 45 minutes.

Meanwhile, the air traffic controllers having tough time,  guided the planes for safe landing with their experience. All departures were put on hold in between. As it is during such emergency times, Murphy's law showed its application once again. But the experienced personnel guided even a plane or two, low on fuel to land safely without panic.

From various reports in the internet about the incident, there seems to be failure of, or no uninterrupted power supply (UPS) / inverter backup directly connected to ATC radar system, as the screens went blank. That it took sometime for standby power to come into line, indicates that this is a diesel generator (DG) set power supply. This takes about 30 seconds as we experience in apartment complexes or cinema halls. Generally, people use UPS even for domestic computers, because of fear of losing data. Also, because of power cuts,  people use inverter widely at home and business houses. For critical systems, normal power supply should be through inverter/UPS so that any failure of power supply on upstream side will not affect the operations. Now-a-days, solar powered inverters are also available in the market. This should be in addition to the other backups for use. MCB/any other switch should be located on upstream side of these UPS/inverter, rather than on the downstream end so that mistakes like these will not happen. May be the authorities were confident of their backup systems.

Generally, risk assessment is same for aviation and nuclear industries. The risk assessment should be reviewed and measures should be taken to reduce risk levels. It is horrible to think of so many planes in the air without guidance for landing. 

To avoid such mistakes as in this case, there is a need for safety work permit system as practiced in all industrial facilities, for carrying out any job having impact on human lives, property and or environment. Also, that this important MCB could be switched off by mistake indicates that critical safety systems are not protected or its importance is not recognized. Authorities have to review entire safety practices, identify critical systems having impact on persons/property/environment and prepare documented procedure for implementation. Suitable caution boards/warning signs/names and contact numbers of authorities to be contacted in case of need should be displayed near these critical items. A nodal authority (safety officer) should be identified for entire ATC under  whom, permission/approval should be given for various works so that there will not be any lapse. If more than an authority is identified, there may be a situation that one will not know about permission/approval given by the other. Also, lockout/tagout (LOTO) system, if feasible needs to be put in place. 

Apart from power failure like above, it is possible that due to hardware or software glitch or even entry of insects/lizards, the screens can go blank or computer system can hang and for such a situation also, one has to plan for diverse redundant systems to avoid surprise/panic. Whenever, there is no communication between computers or computer and signal receiving/emitting towers or no change in data for a specified time (may be a second or milli second or some other duration depending upon the criticality), audio-visual alarms should be incorporated to alert the concerned personnel for immediate action.

http://www.dnaindia.com/india/report_radar-screens-at-igi-airport-atc-go-blank-outgoing-flights-hit_1797953

http://www.indianexpress.com/news/igia-radar-screens-go-blank-flights-disrupted/1071724/

http://timesofindia.indiatimes.com/india/Power-put-off-by-mistake-IGI-Airport-radars-go-dead/articleshow/18410667.cms?

http://www.indianexpress.com/news/radar-screens-go-blank-again-at-igi-airport/572005/2

Some statements on safety

Following are some of the statements in "Process Safety Analysis - An Introduction"  by Bob Skelton published by Institution of Chemical Engineers, UK.

1. A good safety culture ensures that both the spirit and the letter of the law are fulfilled.
2. Attitude to safety should be highly visible and shared at all levels within the company.
3. A well managed company is almost invariably not only a profitable company but a safe company.
4. Changes in existing plant are costlier than that introduced in design stage.
5. Design should be such that operator intervention is not needed for at least 30 minutes after an incident. Experience has shown that operators can not always be relied upon to make the correct decisions under immediate post-accident conditions.
6. Safety in design must be both proactive and reactive. Changes, once a plant is built, are very expensive compared with changes at the design stage.  It is not sufficient and cost efficient to make safety review after completing the design and then BOLT ON safety devices. It will not be cost effective. Engineered safety is BOLT ON safety. Engineered protective devices can fail and never place too much reliance on BOLT ON safety.
7. Commissioning is one of the most hazardous parts of any process plant operation. Not only do design errors which escaped previous checks manifest themselves but problems due to construction errors also become obvious. In addition commissioning generates hazards of its own as the plant moves from construction to operating status. It is essential that a formal set of checks be carried out before process fluids are introduced for the the first time.
8. Fire and explosions can be prevented  by not exceeding 25% of LEL. Flammable atmospheres can be avoided by ensuring that fuel lines and tanks are pressurized so the flammable material leaks out rather than air leaking in. good ventilation of vessels and plant areas can maintain safe working conditions.
9. Dust explosions are best prevented by good housekeeping - that is, by keeping the concentrations of dust down and perhaps keeping the dust damp. Inerting by dilution with non-combustible dust is another effective technique, frequently used in coal mines.
10. The risk is serious in case of static electricity, if the relative humidity is below about 60%.
11. Explosives manufacturing facilities are usually designed so that the buildings are separated by safe distance, surrounded by earth mounds so that any explosion will go upwards rather than affect other plants in the area. In addition there is usually a limit on the number of people allowed in a building.
12. Fire fighting water causes more damage than the fire itself, when polluted water is let into rivers. There may be a conflict between accepting the atmospheric pollution caused by letting the fire burn out and the water-borne pollution caused by fighting it.
13. Non-process hazards account more than 70% of all accidents in process plant.
14. Many of the worst accidents in the process industries are the result of bad maintenance practice. Ex: Piper Alpha and Flixborough
15. As many people die by asphyxiation as from toxic gases.
16. A good health and safety policy is always cost effective; most organisations grossly under estimate the cost of accidents, often by an order of magnitude. The organisation should be such that the attitude to safety is highly visible and shared at all levels within the company. Active participation is encouraged to promote the objectives of not just preventing accidents and industrial illness but motivating and empowering everyone to work safely.
17. A safety culture, once established, must be maintained, any any tendency to careless practices stamped out at once. Experience shows that 80% of accidents tend to happen to 20% of the workforce - the young and the old being particularly vulnerable.  Many accidents are caused by operators not fully appreciating the significance of small, but nevertheless important changes.
18. A good system of accident reporting is proactive and reactive, whereas most tend to be purely reactive.
19. Effective safety at all stages of a project - from inception to demolition - can only be achieved if there is a commitment at all levels. The senior management must see health and safety as being just as important as profitability and they must make certain that all their workers are aware of this fact.
20. A well managed company is almost invariably not only a profitable company but a safe company.
21. In hazard analysis, a distinction must be made between routine operator action and operator intervention in an emergency.  For routine operator action, the operator can usually take time and is under no great stress. Safety assessments involve the prediction of the likelihood of errors when the operator is taking corrective action against alarms. The time for corrective action may short, the operator is liable to be under some stress and so the probability of errors is greater.
22. Total elimination of human error will never be possible. Use must be made of the science of ergonomics to ensure that everything possible is done to enhance the strengths of human operators whilst at the same time allowing for the weaknesses.
23. The most important rule is, 'inherent safety is better than engineered safety', ' what you have not got can not leak'. Even elaborate safety devices can't reduce risk to zero due to the escape of a noxious substance, but replacing a noxious substance by a more benign one could well eliminate that risk altogether.