Who Protects the Public
Summary
Admiral H.G. Rickover's 1968 speech, "Who Protects the Public?", delivered at the 50th Materials Engineering Congress, critically examines the inherent deficiencies of voluntary industry safety codes in safeguarding public health and well-being from technological hazards. Rickover argues that allowing manufacturers to set their own standards—as exemplified by the ASME Boiler and Pressure Vessel Code—creates an unacceptable conflict of interest, leading to minimum requirements, insufficient independent inspection, and a false sense of security. He illustrates these failures with specific cases, including defective welds, a heat exchanger support failure costing over $500,000 in repairs, and cracked piping. Drawing parallels to the inadequacy of 1935 natural gas pipeline standards that necessitated government intervention (and citing the 1954 Atomic Energy Act as a better model), Rickover advocates for fundamental changes. His recommendations include mandatory independent design review and inspection, formal reporting and investigation of all failures, stringent qualification requirements for all personnel, and clear governmental oversight at all levels to establish and enforce robust safety codes, emphasizing that relying on self-policing by industry is "naive."
Full Text (OCR)
other supplemental inspection procedures to contain defects, must this additional information be evaluated in judging whether the component meets the Code?"
The reply of the ASME Committee was unfortunately couched in the diplomatic language typical of bureaucratic caution. It contained the following statements which contradict each other.
Here is the first: "If the inspector were aware of a harmful defect which was not disclosed by the Code examination but which did affect the safety of the vessel, he would have a moral responsibility to consider this information before certifying the vessel."
Here is the second: "Decisions based on such supplementary examinations are not Code matters and must be resolved by agreement between the manufacturer and the purchaser."
From this I conclude that morality requires that all available inspection results be considered, but the Code does not.
As a consequence of the refusal of the Code inspection agency to meet with the buyer unless so requested by the manufacturer, it was recommended that the ASME make it a Code requirement that inspection and certification be carried out by an organization independent of the manufacturer whose product is being inspected. The ASME Committee's answer was that in their view present practice already complies with this recommendation. They said that while the inspector's employer is paid by the manufacturer, this does not place either the inspector or his employer under the direction of the manufacturer, in the usual contractual sense. The ASME Committee did not, however, discuss or explain why the inspection agency, supposedly not under the direction of the manufacturer, would not meet with the buyer unless requested to do so by the manufacturer. I find myself completely at a loss how to reconcile their views with the facts.
Recently, in order to shed some light on this cloudy subject, I had inquiries made of insurance companies providing Code inspection services for vessels being manufactured to Code requirements. The inquiries sought to determine, first, whether the inspection agency actually serves the buyer's interest; second, what records it keeps of any independent inspections made by its own inspectors; third, whether these records are available to the buyer. My hope is that clarification of these three points can be used to determine what additional steps buyers will have to take to fulfill their responsibilities to the public. I urge other buyers to ask the same questions. Also, I urge them to take account of the fact that in practice the insurance company's Code inspector generally checks only the manufacturer's inspection records.
Further, it should be understood that the training requirements and procedures used by a typical insurance company for upgrading its inspectors after their initial qualification are not available outside the insurance company itself. Thus no one--neither the public, nor the manufacturer, nor the buyer--can find out what actually is being done.
More important, it must be fully understood that the Code inspection agency accepts no responsibility for adequacy of the product. The manufacturer's data report, which is the official inspection record he makes available to the state or to the buyer, includes a certificate of inspection signed by the code inspector.
But this "certificate" contains the following disclaimer:
"By signing this certificate neither the inspector nor his employer makes any warranty expressed or implied, concerning the pressure vessel described in this manufacturer's data report. Furthermore, neither the inspector nor his employer shall be liable in any manner for any personal injury or property damage or a loss of any kind arising from or connected with this inspection."
In addition to this disclaimer, a typical contract under which an insurance company provides Code inspection service requires the manufacturer to indemnify the insurance company against any liability.
Let me emphasize that the shortcomings I have been discussing do not lie primarily in the technical content of this ASME Code itself; they are inherent in the system of setting and enforcing voluntary standards. This ASME Code is, in fact, ahead of some other codes in recognizing the need for inspection by an agency other than the manufacturer. Many other safety codes do not even require inspection by a so-called "independent" agency.
Another major shortcoming of present code practices is: The codes do not set up adequate requirements for design and inspection in many areas important for assuring safety--areas that are often not obvious, and may therefore well be overlooked by an unwary purchaser. An example is the need for an independent check of design work.
Several years ago there was a case which illustrates this need.
New heat exchangers were to be installed in a central station power plant. An architect-engineer was hired to evaluate adequacy of the existing support structure which was to be reused, and to design additional new support structures. During initial filling of the heat exchangers, a failure of one of the steel support structures was discovered quite by accident. Had this failure not been discovered at that time it is likely the support would have broken during subsequent operation, with consequences that could have been serious.
Detailed investigation of this failure revealed several significant facts. For example, the original design of the support that had failed, and of several other supports was found to have been inadequate. These supports did not meet the American Institute for Steel Construction Code. Moreover, the architect-engineer responsible for the redesign work had apparently not checked the design of the original supports although his contract required him to do so. Then too, it was found that some of the new structures which he had designed did not meet this construction Code. In addition, there was a lack of clear definition as to which industry code applied to those parts where equipment and structures were joined together. The architect-engineer chose to apply a less restrictive code than the one the buyer considered to be applicable under the contract.
As a result of this investigation and subsequent action by the Government, the architect-engineer and his insurance company paid over half a million dollars for additional engineering and construction costs incurred in correcting the faulty design work. This shows that a designer--in this case the architect-engineer--is liable if he fails to do his job properly, much as a manufacturer is liable for a defective product.
What this proves is that an independent design review is essential. Designers are just as fallible as anyone else. Some codes have taken halfway steps by requiring the design to be certified by a professional engineer. But these steps do not fully meet the problem, since they specifically allow the professional engineer to be an employee of the organization doing the design work. Here again we have a fundamental weakness of present code practice; the design engineer may review and certify his own work.
Another example illustrates that the codes are not kept sufficiently up-to-date on inspection methods.
This case involved the purchase of welded piping for the main cooling water system in a large power plant. Subsequent to delivery of some of the piping, the purchaser learned that the manufacturer had discovered cracking in batches of additional piping being made for this same order. Whereupon the purchaser subjected samples of the already delivered pipe to destructive examination. He found cracks. This piping had passed all inspections required by the applicable American Society for Testing Materials specification, plus X-ray inspection prescribed in the contract by the buyer. Additional tests and analyses conducted by the purchaser established that the cracks--some of which were one-half inch long--rendered the material unfit for the intended service. Here was a clear-cut case where piping supplied and inspected by the manufacturer in accordance with industry requirements was in fact unfit for use and had to be replaced by the purchaser at his own expense.
This and similar experiences notwithstanding, most piping codes still do not require the use of such modern techniques as ultrasonic inspection which has been successfully used on many occasions and would, in this particular instance, have undoubtedly shown up the presence of cracks. An avoidable risk of failures in service due to undetected defects is still being accepted by the code committees, by manufacturers, and purchasers.
It is essential that as technology advances and products and systems become more complex, the best available inspection methods be incorporated in the codes. Code committees ought promptly and continually to be specifying use of improved inspection methods. As they now stand, the codes provide little incentive to develop and apply better inspection techniques. This is perhaps not surprising given the fact that committee members are generally drawn from manufacturers whose products are to be inspected. Recently an ASME committee stated that use of a new inspection method cannot be required by their Code until the method is capable of standardization. Since the inspections specified by the codes are, in practice, all that the manufacturer will normally carry out, development of new and improved inspection methods is bound to be extremely slow. If no one applies a new technique unless it has become standardized, inspection methods specified by the codes will always lag technology, and the public will always be the loser. The difficulty here is, of course, the consensus rule which prevents the code committee from keeping the codes abreast of new ways to protect the public.
So far I have spoken of specific problems encountered in applying industry codes. There are other deficiencies inherent in the present system, to which I can only refer briefly. For example:
1. Important areas that directly affect safety are covered only by so-called "recommended" or "optional" practices and not by specific requirements. Are you aware that many industry codes do not set up or require uniform methods for inspection, or even require qualification of the manufacturer's own inspectors? Some codes, for example the ASME Boiler and Pressure Vessel Code, do require the manufacturer's inspection personnel to be qualified. But the extent of qualification in this ASME Code is defined merely by "recommended practices" issued by the Society for Nondestructive Testing. These recommended practices state that they may be modified and adapted by each manufacturer at his own discretion. Thus, even in this "better" Code neither the Society for Nondestructive Testing, the Code committee, nor the states invoking this Code exercise any real control. Control is left to the individual manufacturer.
2. Failure of products manufactured under industry codes generally need not be reported to or investigated by an independent central agency. Thus, important lessons that could prevent future failures are not disseminated among persons with a legitimate interest in the matter. Great Britain has the edge on us here. Her laws require that all boiler failures be reported to and investigated by an independent competent commission.
3. There is also a subtle aspect to the use of industry codes; this has to do with their psychological effect. Described by the code committees and by the language of the codes themselves as providing rules of safety for design and construction of equipment, they impart an unwarranted sense of security. Confidence in the codes may and often does inhibit persons legally responsible for protecting the public from taking additional action needed to safeguard health and well-being.
There is a widespread misconception about the codes and their effectiveness. They are believed to constitute an authoritative national standard. It is generally thought that because of them the harsh Roman rule of caveat emptor--let the buyer beware--no longer governs the relations among buyer, seller, and affected third parties. I suggest that no one allow himself to disregard this ancient warning. As I have tried to show, insofar as power plants are concerned, current code practice does not justify letting down one's guard.
The cause of these problems becomes more obvious if we look at the roles and responsibilities of the parties involved in the design, construction, and inspection of power plants--more specifically with construction and installation of pressure vessels in such plants. How would you answer this question: "Who among these parties looks out for the public interest?"
Let us take the case of a pressure vessel and observe the sequence of events. First as to the ASME Boiler and Pressure Vessel Code itself: A committee develops the Code which sets rules governing design, construction, and inspection of pressure vessels. Members of the committee are drawn primarily from manufacturers' organizations, with minor representation from users, insurance companies, and government agencies. Code procedure requires near unanimous agreement among members to set requirements or to change them. However strong their personal integrity, committee members will be influenced by their responsibility to their employer. Such responsibility may not be compatible with the need for objectivity in regard to safety rules. The members from manufacturer organizations are thus able to block committee action from the start and at any time a code change is advocated. Finally, and this to me is extremely significant, committee members are not responsible to the public. To my knowledge, no code committee has ever been held liable for having written an inadequate code.
As for the buyer, he writes a specification invoking the Code, and includes such additional requirements as he considers necessary. Often he lacks the technical knowledge to set adequate specifications or to assess the integrity of the pressure vessel, so he relies on the Code design and inspection requirements. He is necessarily concerned with minimizing his costs, and this often conflicts with requiring the necessary quality and integrity.
The manufacturer then designs and builds the vessel to the specification set by the buyer. He, too, is concerned with minimizing costs, and is restrained by competitive economic pressures to manufacture a vessel which meets no more than the minimum requirements specified.
During manufacture of the vessel, the Code inspector inspects solely to the Code requirements, regardless of any additional requirements the purchaser may have specified. The inspection agency, moreover, disclaims legal liability for adequacy of the vessel or for failures which may subsequently occur.
The state or municipality in which the pressure vessel is to be operated then licenses it. But since the laws of many states and municipalities merely require compliance with this industry Code, the public authorities have, in effect, relegated their responsibility for protecting the public to the Code committee and to the Code inspection agent.
Let me pose a sobering thought in this regard. Recent court decisions have extended manufacturers' liability for failures due to product defects which they could have prevented. The courts, in these decisions, have held that a manufacturer is strictly liable for his product, not only to the immediate purchaser, but also to third parties who are damaged. This liability is being interpreted as going well beyond any express warranty the manufacturer gives, and the manufacturer's disclaimers do not relieve him of it. Technical societies which through their committees develop codes and describe them as providing adequate safety requirements have no contractual relationship with the user. But these societies do provide a product--the codes themselves.
Thus far, these societies have enjoyed immunity from legal responsibility for their codes. However, just as manufacturers are being held liable for their products--regardless of the contractual relationship--I question how long technical societies and members of their committees will be able to retain their present immunity.
The same question applies to the insurance companies which provide inspection services and certify that these codes have been met, regardless of any disclaimers they may make.
There obviously are parallel situations in other areas affecting public health and well-being. In each of them there is initially little recognition of the threat to the public. Some companies or municipalities do, of course, take steps to provide protection; many do not. Then an accident occurs that focuses public attention on the hazard. There may be widespread damage--as by the sale of contaminated meat or harmful drugs. Or a series of accidents may occur--such as airplane crashes. This generally sparks discussion and proposals for government action. To forestall intrusion of government, the industry concerned will usually propose voluntary safety requirements. Depending as they do on industry consensus, these requirements represent the minimum safety measures all are willing to accept. This is not enough. There will be more accidents. Only after the lapse of much time are laws finally enacted. Much harm will have been done in the interval--harm which could have been prevented.
Let me remind you of the dramatic natural gas pipeline story. As you may know, industry standards governing gas pipeline construction went into effect in 1935. They were not adequate. Many deaths and injuries were sustained because of pipeline explosions. The public was aroused; the matter came before Congress. The Congressional hearings on this subject highlighted many deficiencies in this self-imposed industry piping Code. For example, the Code was not mandatory; it did not require checking the pipe once it was installed; it was not adopted uniformly by the states; it had no provision for enforcement. Further, it did not define welding inspection procedures; it merely suggested inspection during various stages of construction; it did not require retesting when a failure occurred during initial tests.
During testimony on this bill, a former chairman of the piping Code Committee stated: "Standard specification committees tend to be dominated by the manufacturers..... This very often results in the tolerances being so broad that a user cannot be sure that the material or equipment purchased under this specification is going to be suitable for his specific use."
The recently enacted Federal law charges the Secretary of Transportation with responsibility to set and enforce requirements insuring safe transport of natural gas through interstate pipelines. To assist him in developing these requirements, the law sets up a committee, composed of technically qualified members representing Federal and state governments, the natural gas industry, as well as the general public. In principle, this would seem to be the proper approach for setting and enforcing safety codes.
This approach is consistent with that followed by the Atomic Energy Commission. Written into the Atomic Energy Act of 1954 is the mandate that the Commission shall carry out "development and utilization of Atomic Energy to the maximum extent consistent with..... health and safety of the public." The Commission through its licensing process has exercised a substantial amount of control over nuclear safety matters, and the safety record has been good. Rapid expansion in the number of commercial nuclear power plants will require that even greater care be given to designing, building, and operating them with maximum safety and reliability. To this end, the Atomic Energy Commission is finding it increasingly necessary to develop and enforce supplementary safety requirements above and beyond industry codes for equipment such as pressure vessels, heat exchangers, pumps, and valves. The Atomic Energy Commission has paid particular attention to the nuclear aspects of these plants. Equal attention must be given by others to the conventional parts of the plants in order to avoid the kind of problems I have described.
Other examples of government agencies using this approach will also come to mind as you consider the fundamental problem I have described. But I must repeat that all too often action is taken too late. Common sense and history tell us that we must take steps to control potential hazards before we have to pay a needlessly high price in harm to the public.
As to the general question of how to provide necessary protection for the public, I submit we must change our basic approach. Above all, we must clearly define and understand the proper role and responsibility of each of the parties involved--buyers, manufacturers, code committees, government agencies, and the public.
1. The buyer--the immediate user of the equipment--should actively engage in the development of the safety codes to make them more effective in serving his needs and interests. But his responsibility extends beyond mere participation in preparing codes and beyond the setting of specifications in the contract. He must not rely on codes, on the manufacturer working to code requirements, or on code inspectors. He must recognize that codes do not of themselves relieve him of his responsibility to protect the public, and of his liability if he does not. This means that he must set specifications which clearly prescribe the service conditions the equipment must meet, and he must specify whatever level of quality and integrity is needed to achieve the required degree of safety. He must then make certain that his specifications are met by providing independent, competent surveillance of design, manufacture, and inspection.
2. The manufacturer's responsibility is to design and make a product that is adequate for its intended service, not just one that meets minimum inspection requirements. In light of recent court decisions regarding liability for product defects, manufacturers should, for their own protection, and for the protection of the public, encourage rather than resist the upgrading and strict enforcement of safety codes.
3. Technical societies and their code committees must continue to play an important--though a contributory--role in developing safety codes. The technical competence and experience of their members is needed to develop practical, usable codes and to provide improved design methods and inspection techniques. However, these industry groups should recognize that by their very nature, they cannot and should not control establishment and enforcement of safety codes. In this connection, it is interesting to note that, in a recent speech, a past chairman of the ASME Boiler and Pressure Vessel Committee said, in effect, that voluntary codes will never be fully effective. He suggested that industry committees continue to control preparation of these codes but predicted that government will take over their enforcement. This suggestion would be an improvement, but I do not believe it goes far enough. What is needed are code committees patterned after the one set up by Congress for the natural gas pipeline industry.
Obviously, what I am proposing involves basic changes in the way we set and enforce safety codes. But having read a little history and having dealt with many humans, I know that changes will not occur overnight. Present code committees must therefore undertake, as an urgent task, correction of some of the basic deficiencies I have described today. As a minimum, they should promptly effect four basic changes:
(a) Product quality should be defined in terms of unacceptable defects, regardless of how they are found.
(b) Truly independent design review and product inspection must be required.
(c) All failures should be formally reported, independently investigated, and the results widely disseminated.
(d) Finally, uniform and stringent qualification requirements should be specified for both manufacturer's inspection personnel and for independent code inspectors.
4. The responsibility of government agencies at local, state, and Federal levels is to require buyers and manufacturers to meet their own particular responsibilities. It must be recognized that no private organization can completely and objectively represent the public interest. Government agencies--whose responsibility is to the public--must see to it that adequate safety codes are established and enforced. The government agencies concerned must continue to obtain and consider the assistance of industry in preparing these codes--but they must not continue to permit industry to control them.
5. The responsibility of the ultimate user--the public--is to recognize the need for protection in our increasingly complex technical society and to demand of their government that it be met.
I realize that my recommendations appear to be directly opposed to the belief of some that the less government control the better; that somehow American industry will rise above its own interests and altruistically give overriding consideration to public health and well-being. This is a naive idea, as has been proven time and again. No person or group can be depended on to police itself. No man can serve two masters: his own interest and the interest of the public. Men should not be placed in a position where they have to reconcile the two. It is the function of government to do so.
To protect man and his environment against damage from the technology he himself creates is perhaps the most important problem facing modern society. You and I should consider it our personal responsibility to contribute whatever we can to the solution.