Methods for Accident Investigation R O S S Reliability
Methods for accident investigation

ROSS: Reliability, Safety, and Security Studies at NTNU
Dept. of Production and Quality Engineering
Address: N-7491 Trondheim
Visiting address: S.P. Andersens vei 5
Telephone: 47 73 59 38 00
Facsimile: 47 73 59 71 17

TITLE: Methods for accident investigation
AUTHOR: Snorre Sklet
SUMMARY: This report gives an overview of some important, recognized, and commonly used methods for investigation of major accidents. Investigation of major accidents usually caused by multiple, interrelated causal factors should be performed by a multi-disciplinary investigation team, and supported by suitable, formal methods for accident investigation. Each of the methods has different areas of application and a set of methods ought to be used in a comprehensive accident investigation. The methods dealt with are limited to methods used for in-depth analysis of major accidents.
ARCHIVE
NTNU) 200208
ISBN 82-7706-181-1
DATE 2002-11-10
SIGNATURE Marvin Rausand
PAGES/APPEND. 75

AEB) Method
4.2.8 TRIPOD
4.2.9 Acci-map
5 DISCUSSION AND CONCLUSION
5.1 DISCUSSION
5.2 CONCLUSION
6 REFERENCES

1 Introduction

1.1 Introduction to accident investigation and delimitations of the report

The accident investigation process consists of a wide range of activities, and is described somewhat differently by different authors. DOE (1999)
divide the investigation process into three phases; collection of evidence and facts, analysis of these facts, and development of conclusions and development of judgments of need and writing the report, see Figure 1. These are all overlapping phases and the whole process is iterative. Some authors also include the implementation and follow-up of recommendations in the investigation phase (e.g., see Figure 2): This approach is not limited to major accidents, but also includes occupational accidents.

[Figure 1, phases shown: Collection of evidence and facts; Analysis of evidence and facts, development of conclusions; Development of judgments of need, writing the report]

1. All reported incidents (accidents and near accidents) are investigated immediately at the first level by the supervisor and safety representative.
2. A selection of serious incidents, i.e. frequently recurring types of incidents and incidents with high loss potential (actual or possible) are subsequently investigated by a problem-solving group.
3. On rare occasions, when the actual or potential loss is high, an accident investigation commission carries out the investigation. This commission has an independent status in relation to the organisations that are responsible for the occurrence.

Figure 2. Accident investigation at three levels (Reason, 1997).

Organisational accidents are the comparatively rare, but often catastrophic, events that occur within complex, modern technologies such as nuclear power plants, commercial aviation, petrochemical industry, etc. Organisational accidents have multiple causes involving many people operating at different levels of their respective companies. By contrast, individual accidents are accidents in which a specific person or a group is often both the agent and the victim of the accident.
[Figure 2 labels: Independent investigation commission; Problem-solving group; Immediate investigation by first-line supervisor; Work place; Reporting; Implementation of remedial actions; Accidents; Near accidents; All events; Frequent or severe events; In exceptional cases]

Organisational accidents are according to Reason (1997) a product of technological innovations that have radically altered the relationship between systems and their human elements. Rasmussen (1997) proposes different risk management strategies for different kinds of accidents, see Figure 3. The accident investigation methods dealt with in this report are limited to
methods used for evolutionary safety control, i.e. in-depth analysis of major accidents (ref. e.g., DOE, 1997), others focus on determining factors (e.g., Hopkins, 2000), active failures and latent conditions (e.g., Reason, 1997) or safety problems (Hendrick & Benner, 1987). Hopkins (2000) defines cause in the following way: "one thing is said to be a cause of another if we can say but for the first the second would not have occurred". Leplat (1997) expresses this in a more formal way by saying that in general, the following type of definition of cause is accepted: "to say that event X is the cause of event Y is to say that the occurrence of X is a necessary condition to the production of Y, in the circumstances considered". Such a definition implies that if any one of the causal pathways identified is removed, the outcome would probably not have occurred. Using the term contributing factor may be less formal, if an event has not occurred, this would necessarily not have prevented the occurrence of the accident. 2001) recommends avoiding the word cause in accident investigations and rather talk about what might have prevented the accident. Accident investigators may use different frames for their analysis of accidents, but nevertheless the conclusions about what happened, why it happened and what may be done in order to prevent future accidents may be the same.

accident" period instead of on the mitigation of the consequence of the accident.

Some definitions are included in this chapter. These definitions are meant as an introduction to the terms. Several of the terms are defined in different ways by different authors. The definitions are quoted without any comments or discussions in this report in order to show some of the spectrum. Therefore, these definitions represent the authors'
opinions.

Accident: A sequence of logically and chronologically related deviating events involving an incident that results in injury to personnel or damage to the environment or material assets. (DOE, 1997)

Barrier: Anything used to control, prevent, or impede energy flows. Common types of barriers include equipment, administrative procedures and processes, supervision/management, warning devices, knowledge and skills, and physical. Barriers may be either control or safety. (DOE, 1997)

Barrier analysis: An analytical technique used to identify the energy sources and the failed or deficient barriers and controls that contributed to an accident. (DOE, 1997)

Causal factor: An event or condition in the accident sequence necessary and sufficient to produce or contribute to the unwanted result. Causal factors fall into three categories; direct cause, contributing cause and root cause. (DOE, 1997)

Cause of accident: Contributing factor or root cause. (DOE, 1997)

Contributing factor: More lasting risk-increasing condition at the workplace related to design, organisation or social system. (CCPS, 1992)

The causal factor(s) that, if corrected, would prevent recurrence of the accident. (DOE, 1997) Most basic cause of an accident/incident, i.e. a lack of adequate management control resulting in deviations and contributing factors.

(blame)
Evaluate the question of guilt in order to assess the liability for compensation (pay)

As we see, there may be different purposes for initiating accident investigations. The different purposes will not be discussed anymore in this report.

2.4 Responsibility for accident investigation

Who should be responsible for performing accident investigations and how thoroughly should the accident be investigated? The history of accident investigation in the past decades shows a trend to go further and further back in the analysis, i.e., from being satisfied with identifying human errors by front-personnel or technical failures to identifying weaknesses in the governmental policies as root causes.
In order to know when we should stop our investigation, we need what Rasmussen (1990) called stop-rules. Reason (1997) suggests that we should stop when the causes identified are no longer controllable. The stopping rule suggested by Reason (1997) leads to different stopping points for different parties. Companies should trace causes back to failures in their own management systems and develop risk-reducing measures that they have authority to implement. Supervisory authorities (e.g., The Norwegian Petroleum Directorate), appointed governmental commissions of inquiries (e.g., the Sleipner-commission, and the Åsta-commission) or permanent investigation boards (e.g., The Norwegian Aircraft Accident Investigation Board) should in addition focus on regulatory systems and ask whether weaknesses in these systems contributed to the accident. The police and the prosecuting authority are responsible for evaluating the basis for potential criminal prosecution, while the court of justice is responsible for passing sentence on a person or a company. The liability for compensation is within the insurance companies' and the lawyer's range of responsibility.

2.5 Criteria for accident investigations

What is a "good" accident investigation? This question is difficult to answer in a simple way, because the answer depends on the purpose of the investigation. Nevertheless, I have included ten fundamental criteria for accident investigations stated by Hendrick & Benner (1987). Three criteria are related to objectives and
purposes of the accident investigation, four to investigative procedures, and three to the outputs from the investigation and its usefulness.

Criteria related to objectives and purposes

- Realistic: The investigation should result in a realistic description of the events that have actually occurred.
- Non-causal: An investigation should be conducted in a non-causal framework and result in an objective description of the accident process events. Attribution of cause or fault can only be considered separate from, and after the understanding of the accident process is completed to satisfy this criterion.
- Consistent: The investigation performance from accident to accident and among investigations of a single accident to different investigators should be consistent. Only consistency between results of different investigations enables comparison between them.

Criteria related to investigation procedures

- Disciplining: An investigation process should provide an orderly, systematic framework and set of procedures to discipline the investigators' tasks in order to focus their efforts on important and necessary tasks and avoid duplicative or irrelevant tasks.
- Functional: An investigation process should be functional in order to make the job efficient, e.g. by helping the investigator to determine which events were part of the accident process as well as those events that were unrelated.
- Definitive: An investigation process should provide criteria to identify and define the data that is needed to describe what happened.
- Comprehensive: An investigation process should be comprehensive so there is no confusion about what happened, no unsuspected gaps or holes in the explanation, and no conflict of understanding among those who read the report.

Criteria related to output and usefulness

- Direct: The investigation process should provide results that do not require collection of more data before the needed controls can be identified and changes made.
- Understandable: The output should be readily understandable.
- Satisfying: The results should be satisfying for those who initialised the investigation and other individuals that demand results from the investigations.

Some of these criteria are debatable. For instance, the second criterion related to causality is disputable. Investigators using the causal-sequence accident model will in principle focus on causes during their investigation process. Also the last criterion related to satisfaction might be discussed. Imagine an investigation initialised by the top management in a company. If the top management is criticised in the accident report, they are not necessarily satisfied with the results, but nevertheless it may be a "good" investigation.

3 The accident investigation process

Figure 5 shows the detailed accident investigation process as described by DOE (1999). As shown in the figure, the process starts immediately when an accident occurs, and the work is not finished before the final report is accepted by the appointing official. This report focuses on the process of analysing evidence to determine and evaluate causal factors (see chapter 4), but first a few comments to the other main phases.

Figure 5. DOE's process for accident investigation (DOE, 1999).

[Figure 5 labels: Accident occurs; Initial reporting and categorisation; Readiness team responds (secures scene, takes witness statements, preserves evidence); Appointing official selects Board chairperson and members; Board arrives at accident scene; Board chairperson takes responsibility for accident scene; Board activities: Collect, preserve, and verify evidence; Integrate, organise, and analyse evidence to determine causal factors; Evaluate causal factors; Develop conclusions and determine judgments of need; Conduct requirements verification analysis; Prepare draft report; Site organisations conduct factual accuracy review; Board chairperson conducts closeout briefing; Board members finalise draft report; Appointing official accepts report]

3.1
Collecting evidence and facts

Collecting data is a critical part of the investigation. Three key types of evidence are collected during the investigation process:

- Human or testamentary evidence: Human or testamentary evidence includes witness statements and observations.
- Physical evidence: Physical evidence is matter related to the accident (e.g. equipment, parts, debris,
hardware, and other physical items).
- Documentary evidence: Documentary evidence includes paper and electronic information, such as records, reports, procedures, and documentation.

The major steps in gathering evidence are collecting human, physical and documentary evidence, examining organisational concerns, management systems, and line management oversight and at last preserving and controlling the collected evidence. Collecting evidence can be a lengthy, time-consuming, and piecemeal process. Witnesses may provide sketchy or conflicting accounts of the accident. Physical evidence may be badly damaged or completely destroyed. Documentary evidence may be minimal or difficult to access. Thorough investigation requires that board members are diligent in pursuing evidence and adequately explore leads, lines of inquiry, and potential causal factors until they gain a sufficiently complete understanding of the accident. This topic will not be discussed anymore in this report, but the following references are useful for those interested in the topic: DOE (1999), CCPS (1992) and Ingstad (1988).

3.2 Analysis of evidence and facts

Analysis of evidence and facts is the process of determining causal factors and identifying latent conditions or contributing factors (or whatever you want to call them), and seeks to answer the following two questions:

- What happened where and when?
- Why did it happen?

DOE (1999) describes three types of causal factors:

1. Direct cause
2. Contributing causes
3. Root causes

A direct cause is an immediate event or condition that caused the accident (DOE, 1997). A contributing cause is an event or condition that together with other causes increases the likelihood of an accident but which individually did not cause the accident (DOE, 1997). A root cause is the causal factor(s) that, if corrected, would prevent recurrence of the accident (DOE, 1997).
There are different opinions of the concept of causality of accidents, see comments in section 1.2.1, but this topic will not be discussed any further here. CCPS (1992) lists three analytical approaches by which conclusions can be reached about an accident:

- Deductive approach
- Inductive approach
- Morphological approach

In addition, there exist different concepts for accident investigation not as comprehensive as these system-oriented techniques. These are categorized as non-system-oriented techniques.

The deductive approach involves reasoning from the general to the specific. In the deductive analysis, it is postulated that a system or process has failed in a certain way. Next an attempt is made to determine what modes of system, component, operator and organisation behaviour contribute to the failure. The whole accident investigation process is a typical example of deductive reasoning. Fault tree analysis is also an example of a deductive technique.

The inductive approach involves reasoning from individual cases to a general conclusion. An inductive analysis is performed by postulating that a particular fault or initiating event has occurred. It is then determined what the effects of the fault or initiating event are on the system operation. Compared with the deductive approach, the inductive approach is an "overview" method. As such it brings an overall structure to the investigative process. To probe the details of the causal factors, control and barrier function, it is often necessary to apply deductive analysis. Examples of inductive techniques are failure mode and effects analysis (FMECA), HAZOP's and event tree analysis.

The morphological approach to analytical incident investigation is based on the structure of the system being studied. The morphological approach focuses directly on potentially hazardous elements (for example operation, situations). The aim is to concentrate on the factors having the most significant influence on safety.
When performing a morphological analysis, the analyst is primarily applying his or her past experience of incident investigation. Rather than looking at all possible deviations with and without a potential safety impact, the investigation focuses on known hazard sources. Typically, the morphological approach is an adaptation of deductive or inductive approaches, but with its own guidelines.

SINTEF has developed a useful five-step model for investigation of causes of accidents. The model is illustrated in Figure 6. Step 1
is identification of the event sequences just before the accident. Step 2 is identification of deviations and failures influencing the event sequence that led to the accident. This includes deviations from existing procedures, deviations from common practice, technical failures and human failures. Step 3 is identification of weaknesses and defects with the management systems. The objective is to detect possible causes of the deviations or failures identified in Step 2. Step 4 is identification of weaknesses and defects related to the top management of the company, because it is their responsibility to establish the necessary management systems and ensure that the systems are complied with. Step 5 is identification of potential deficiencies related to the public safety framework, i.e. market conditions, laws and regulations.

Figure 6. SINTEF's model for analysis of accident causes (Arbeidsmiljøsenteret, 2001).

[Figure 6 content:
Analysis of causes
- Step 1, event sequence: decisions, actions, omissions
- Step 2, deviations and failures influencing the event sequence: procedures not followed, technical failures, human failures
- Step 3, weaknesses and defects with the management systems: lack of or inadequate procedures, lack of implementation, insufficient training/education, insufficient follow-up
- Step 4, weaknesses and defects related to the top management: policy, organisation and responsibilities, influence on attitudes, follow-up by management
- Step 5, deficiencies related to the public safety framework: economy, labour, laws and regulations etc.
Analysis of consequences
- Undesirable event
- Loss / injuries on personnel, properties, environment
Other labels: Analysis of organisation; STEP-analysis]

Different methods for analysis of evidence and facts are further discussed in chapter 4.

3.3 Recommendations and reporting

One of the main objectives of performing accident investigations is to identify recommendations that may prevent the occurrence of future accidents.
This topic will not be discussed any further, but the recommendations should be based on the analysis of evidence and facts in order to prevent that the revealed direct and root causes might lead to future accidents. At the company level the recommended risk reducing measures might be focused on technical, human, operational and/or organisational factors. Often, it is even more important to focus attention towards changes in the higher levels in Figure 4, e.g., by changing the regulations or the authoritative supervisory practice. A useful tip is to be open-minded in the search for risk reducing measures and not to be narrow in this part of the work. Hendrick and Benner (1987) say that two thoughts should be kept in mind regarding accident reports:

- Investigations are remembered through their reports
- The best investigation will be wasted by a poor report.

4 Methods for accident investigations

A number of methods for accident investigation have been developed, with their own strengths and weaknesses. Some methods of great importance are selected for further examination in this chapter. The selection of methods for further description is not based on any scientific selection criteria. But the methods are widely used in practice, well acknowledged, well described in the literature (footnote 4) and some methods are relatively recently developed. In order to show the span in different accident investigation methods, Table 1 shows an overview of methods described by DOE (1999) and Table 2 shows an overview described by CCPS (1992). Some of the methods in the tables are overlapping, while some are different.

Table 1. Accident investigation analytical techniques presented in DOE (1999).

Core Analytical Techniques:
- Events and Causal Factors Charting and Analysis
- Barrier Analysis
- Change Analysis
- Root Cause Analysis

Complex Analytical Techniques:
For complex accidents with multiple system failures, there may in addition be need of analytical techniques like analytic tree analysis, e.g.
- Fault Tree Analysis
- MORT (Management Oversight and Risk Tree)
- PET (Project Evaluation Tree Analysis)

Specific Analytical Techniques:
- Human Factors Analysis
- Integrated Accident Event Matrix
- Failure Modes and Effects Analysis
- Software Hazards Analysis
- Common Cause Failure Analysis
- Sneak Circuit Analysis
- 72-Hour Profile
- Materials and Structural Analysis
- Scientific Modelling
(e.g., for incidents involving criticality and atmospheric dispersion)

Footnote 4: Some methods are commercialised and therefore described only to a limited extent in the publicly available literature.

Table 2. Accident investigation methods described by CCPS (1992).

Investigation method:
- Accident Anatomy method (AAM)
- Action Error Analysis (AEA)
- Accident Evolution and Barrier Analysis (AEB)
- Change Evaluation/Analysis
- Cause-Effect Logic Diagram (CELD)
- Causal Tree Method (CTM)
- Fault Tree Analysis (FTA)
- Hazard and Operability Study (HAZOP)
- Human Performance Enhancement System (HPES)
- Human Reliability Analysis Event Tree (HRA-ET)
- Multiple-Cause, Systems-oriented Incident Investigation (MCSOII)
- Multilinear Events Sequencing (MES)
- Management Oversight Risk Tree (MORT)
- Systematic Cause Analysis Technique (SCAT)
- Sequentially Timed Events Plotting (STEP)
- TapRoot® Incident Investigation System
- Technique of Operations Review (TOR)
- Work Safety Analysis

Proprietary techniques that require a license agreement.

These two tables list more than 20 different methods, but do not include a complete list of methods. Other methods are described elsewhere in the literature. Since DOE's Workbook Conducting Accident Investigation (DOE, 1999) is a comprehensive and well-written handbook, the description of accident investigation methods starts with DOE's core analytical techniques in section 4.1. Their core analytical techniques are:

- Events and Causal Factors Charting and Analysis
- Barrier Analysis
- Change Analysis
- Root Cause Analysis

Further, some other methods are described in section 4.2:

- Fault tree analysis
- Event tree analysis
- MORT (Management Oversight and Risk Tree)
- SCAT (Systematic Cause Analysis Technique)
- STEP (Sequential Timed Events Plotting)
- MTO-analysis
- AEB Method
- TRIPOD-Delta
- Acci-Map

The four last methods are neither listed in Table 1 nor Table 2, but are commonly used methods in different industries in several European countries. The readers should be aware that this chapter is purely descriptive.
Any comments or assessments of the methods are made in chapter 5.

4.1 DOE's core analytical techniques

4.1.1 Events and causal factors charting (ECFC)

Events and causal factors charting is a graphical display of the accident's chronology and is used primarily for compiling and organising evidence to portray the sequence of the accident's events. The events and causal factor chart is easy to develop and provides a clear depiction of the data.

DOE, 1999) (footnote 6).

Footnote 6: Similar to MES in Table 2.

[Chart labels: Condition; Accident event; Secondary event 1; Secondary event 2; Event 1; Event 2; Event 3; Event 4; Secondary events sequence; Primary events sequence]

[Chart guidelines and symbols:
Symbols: Events; Accidents; Conditions; Presumptive events; Presumptive conditions or assumptions; Connector; Transfer between lines; LTA: Less than adequate (judgment)
Events:
- Are active (e.g. "crane strikes building")
- Should be stated using one noun and one active verb
- Should be quantified as much as possible and where applicable
- Should indicate the date and time, when they are known
- Should be derived from the event or events and conditions immediately preceding it
Conditions:
- Are passive (e.g. "fog in the area")
- Describe states or circumstances rather than occurrences or events
- As practical, should be quantified
- Should indicate date and time if practical/applicable
- Are associated with the corresponding event
Primary event sequence: Encompasses the main events of the accident and those that form the main events line of the chart
Secondary event sequence: Encompasses the events that are secondary or contributing events and those that form the secondary line of the chart]

4.1.2 Barrier analysis

Barrier analysis is used to identify hazards associated with an accident and the barriers that should have been in place to prevent it. A barrier is any means used to control, prevent, or impede the hazard from reaching the target.
Barrier analysis addresses:

- Barriers that were in place and how they performed
- Barriers that were in place but not used
- Barriers that were not in place but were required
- The barrier(s) that, if present or strengthened, would prevent the same or similar accidents from occurring in the future.

Figure 9 shows types of barriers that may be in place to protect workers from hazards.

Figure 9. Examples of barriers to protect workers from hazards (DOE, 1999) (footnote 7)

[Figure 9 labels: Types of barriers; Management barriers: Hazard analysis]

Physical barriers are usually easy to identify, but management system barriers may be less obvious (e.g. exposure limits). The investigator must understand each barrier's intended function and location, and how it failed to prevent the accident. There exist different ways in

Footnote 7: There exist different barrier models for prevention of accidents based on the defence-in-depth principle in different industries, see e.g. 2000) for prevention of fires and explosions in hydrocarbon processing plants and INSAG-12 for basic safety principles for nuclear power plants.

What was the barrier's purpose? Was the barrier in place or not in place? Did the barrier fail? Was the barrier used if it was in place?) Record in column two.
Step 4: Identify and consider probable causes of the barrier failure. Record in column three.
Step 5: Evaluate the consequences of the failure in this accident. Record in column four.

Table 3. Barrier analysis worksheet.
Hazard: 13.2 kV electrical cable
Target: Acting pipefitter

Barrier: Engineering drawings
- How did each barrier perform? Drawings were incomplete and did not identify electrical cable at sump location
- Why did the barrier fail? Engineering drawings and construction specifications were not procured. Drawings used were preliminary. No as-built drawings were used to identify location of utility lines
- How did the barrier affect the accident? Existence of electrical cable unknown

Barrier: Indoor excavation permit
- How did each barrier perform? Indoor excavation permit was not obtained
- Why did the barrier fail? Pipefitters and utility specialist were unaware of indoor excavation permit requirements
- How did the barrier affect the accident? Opportunity to identify existence of cable missed

4.1.3 Change analysis

Change is anything that disturbs the "balance" of a system operating as planned. Change is often the source of deviations in system operations. Change analysis examines planned or unplanned changes that caused undesired outcomes. In an accident investigation, this technique is used to examine an accident by analysing the difference between what has occurred before or was expected and the actual sequence of events. The investigator performing the change analysis identifies specific differences between the accident-free situation and the accident scenario. These differences are evaluated to determine whether the differences caused or contributed to the accident. The change analysis process is described in Figure 11. When conducting a change analysis, investigators identify changes as well as the results of those changes. The distinction is important, because identifying only the results of change may not prompt investigators to identify all causal factors of an accident. When conducting a change analysis, it is important to have a baseline situation that the accident sequence may be compared to.

Figure 11. The change analysis process. (DOE, 1999)

Table 4 shows a simple change analysis worksheet.
The investigators should first categorise the changes according to the questions shown in the left column of the worksheet, i.e., determine if the change pertained to, for example, a difference in:

- What events, conditions, activities, or equipment were present in the accident situation that were not present in the baseline (accident-free, prior, or ideal) situation (or vice versa)
- When an event or condition occurred or was detected in the accident situation versus the baseline situation
- Where an event or condition occurred in the accident situation versus where an event or condition occurred in the baseline situation
- Who was involved in planning, reviewing, authorising, performing, and supervising the work activity in the accident versus the accident-free situation.
- How the work was managed and controlled in the accident versus the accident-free situation.

[Figure 11 labels: Describe accident situation; Describe comparable accident-free situation; Compare; Identify differences; Analyse differences for effect on accident; Input results into events and causal factors chart]

To complete the remainder of the worksheet, first describe each event or condition of interest in the second column. Then describe the related event or condition that occurred (or should have occurred) in the baseline situation in the third column. The difference between the event and conditions in the accident and the baseline situations should be briefly described in the fourth column. In the last column, discuss the effect that each change had on the accident. The differences or changes identified can generally be described as causal
factors and should be noted on the events and causal factors chart and used in the root cause analysis.

A potential weakness of change analysis is that it does not consider the compounding effects of incremental change (for example, a change that was instituted several years earlier coupled with a more recent change). To overcome this weakness, investigators may choose more than one baseline situation against which to compare the accident scenario.

Table 4. A simple change analysis worksheet. (DOE, 1999)

Columns: Factors; Accident situation; Prior, ideal, or accident-free situation; Difference; Evaluation of effect
Factors (rows):
- What: Conditions, Occurrences, Activities, Equipment
- When: Occurred, Identified, Facility status, Schedule
- Where: Physical location, Environmental conditions
- Who: Staff involved, Training, Qualification, Supervision
- How: Control chain, Hazard analysis, Monitoring
- Other

4.1.4 Events and causal factors analysis

The events and causal factors chart may also be used to determine the causal factors of an accident, as illustrated in Figure 12. This process is an important first step in later determining the root causes of an accident. Events and causal factors analysis requires deductive reasoning to determine which events and/or conditions contributed to the accident.

Figure 12. Events and causal factors analysis. (DOE, 1999)

Before starting to analyse the events and conditions noted on the chart, an investigator must first ensure that the chart contains adequate detail. Examine the first event that immediately precedes the accident. Evaluate its significance in the accident sequence by asking: "If this event had not occurred, would the accident have occurred?" If the answer is yes, then the event is not significant. Proceed to the next event in the chart, working backwards from the accident. If the answer is no, then determine whether the event represented normal activities with the expected consequences. If the event was intended and had the expected outcomes, then it is not significant.
However, if the event deviated from what was intended or had unwanted consequences, then it is a significant event.

Carefully examine the events and conditions associated with each significant event by asking a series of questions about this event chain, such as:

- Why did this event happen?
- What events and conditions led to the occurrence of the event?
- What went wrong that allowed the event to occur?
- Why did these conditions exist?
- How did these conditions originate?
- Who had the responsibility for the conditions?
- Are there any relationships between what went wrong in this event chain and other events or conditions in the accident sequence?
- Is the significant event linked to other events or conditions that may indicate a more general or larger deficiency?

The significant events, and the events and conditions that allowed the significant events to occur, are the accident's causal factors.

4.1.5 Root cause analysis

Root cause analysis is any analysis that identifies underlying deficiencies in a safety management system that, if corrected, would prevent the same and similar accidents from occurring. Root cause analysis is a systematic process that uses the facts and results from the core analytic techniques to determine the most important reasons for the accident. While the core analytic techniques should provide answers to questions regarding what, when, where, who, and how, root cause analysis should resolve the question why. Root cause analysis requires a certain amount of judgment.

A rather exhaustive list of causal factors must be developed prior to the application of root cause analysis to ensure that final root causes are accurate and comprehensive.

One method for root cause analysis described by DOE is TIER diagramming.
TIER-diagramming is used to identify both the root causes of an accident and the level of line management that has the responsibility and authority to correct the accident's causal factors. The investigators use TIER-diagrams to hierarchically categorise the causal factors derived from the events and causal factors analysis.
Linkages among causal factors are then identified and possible root causes are developed. A different diagram is developed for each organisation responsible for the work activities associated with the accident.

The causal factors identified in the events and causal factors chart are input to the TIER-diagrams. Assess where each causal factor belongs in the TIER-diagram. After arranging all the causal factors, examine the causal factors to determine whether there is linkage between two or more of them. Evaluate whether each of the causal factor statements is a root cause of the accident. There may be more than one root cause of a particular accident. Figure 13 shows an example of a TIER-diagram.

Figure 13. Identifying the linkages to the root causes from a TIER-diagram.

[Figure 13 layout: one row per tier, with a column for causal factors and an optional column for root causes. Tier 0: Direct cause; Tier 1: Worker actions; Tier 2: Supervision; Tier 3: Lower management; Tier 4: Middle management; Tier 5: Senior management.]

4.2 Other accident investigation methods

4.2.1 Fault tree analysis [8]

[8] The description is based on Høyland & Rausand, 1994.

Fault tree analysis is a method for determining the causes of an accident (or top event). The fault tree is a graphic model that displays the various combinations of normal events, equipment failures, human errors, and environmental factors that can result in an accident. An example of a fault tree is shown in Figure 14.

Figure 14. Illustration of a fault tree (example from the Åsta-accident).

A fault tree analysis may be qualitative, quantitative, or both. Possible results from the analysis may be a listing of the possible combinations of environmental factors, human errors, normal events and component failures that may result in a critical event in the system and the probability that the critical event will occur during a specified time interval. The strength of the fault tree as a qualitative tool is its ability to break down an accident into root causes.
The undesired event appears as the top event. This event is linked to the basic failure events by logic gates and event statements. A gate symbol can have one or more inputs, but only one output. A summary of common fault tree symbols is given in Figure 15. Høyland and Rausand (1994) give a more detailed description of fault tree analysis.

[Figure 14 event labels, combined through two OR-gates: Malfunction of the signalling system; Human error (engine driver); Line section already "occupied" by another train; Sabotage/act of terror; Engine failure (runaway train); No signal; Green signal (green flash).]

Figure 15. Fault tree symbols.

Category | Symbol | Description
Logic gates | OR-gate | The OR-gate indicates that the output event A occurs if any of the input events Ei occur.
Logic gates | AND-gate | The AND-gate indicates that the output event A occurs when all the input events Ei occur simultaneously.
Input events | Basic event | The basic event represents a basic equipment failure that requires no further development of failure causes.
Input events | Undeveloped event | The undeveloped event represents an event that is not examined further because information is unavailable or because its consequences are insignificant.
Description of state | Comment rectangle | The comment rectangle is for supplementary information.
Transfer symbols | Transfer-out, Transfer-in | The transfer-out symbol indicates that the fault tree is developed further at the occurrence of the corresponding transfer-in symbol.

4.2.2 Event tree analysis [9]

[9] The description is based on Villemeur, 1991.

An event tree is used to analyse event sequences following an initiating event. The event sequence is influenced by either success or failure of numerous barriers or safety functions/systems. The event sequence leads to a set of possible consequences. The consequences may be considered as acceptable or unacceptable. The event sequence is illustrated graphically where each safety system is modelled for two states, operation and failure.
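The gate logic of section 4.2.1 and the two-state barrier branching of section 4.2.2, as an added Python example that is not part of the original report: it lists the minimal cut sets and top-event probability of a small fault tree, and the consequence probabilities of an event tree. Both tree structures, the event names and every probability are constructed for illustration (the barrier names follow the Rørosbanen figure, their branch order is an assumption), and basic events are assumed independent.

```python
from itertools import combinations, product
from math import prod

# --- Fault tree (section 4.2.1) -------------------------------------------
# A node is a basic-event name (str) or a gate: ("AND" | "OR", [child, ...]).

def occurs(node, state):
    """Gate semantics: OR fires if any input occurs, AND only if all do."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    results = [occurs(child, state) for child in children]
    if gate == "OR":
        return any(results)
    if gate == "AND":
        return all(results)
    raise ValueError(f"unknown gate: {gate!r}")

def cut_sets(node):
    """All combinations of basic events that produce the node's output event."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":   # any single input is enough
        return set().union(*child_sets)
    if gate == "AND":  # one cut set from every input must occur together
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate: {gate!r}")

def minimal_cut_sets(node):
    """Drop every cut set that strictly contains another cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}

def top_event_probability(node, p):
    """Exact top-event probability by inclusion-exclusion over the minimal
    cut sets, for independent basic events with probabilities p[name]."""
    mcs = list(minimal_cut_sets(node))
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1 if k % 2 else -1
        for combo in combinations(mcs, k):
            total += sign * prod(p[e] for e in frozenset().union(*combo))
    return total

# --- Event tree (section 4.2.2) -------------------------------------------
# A node is a consequence (str) or (barrier, p_works, if_works, if_fails).

def event_sequences(node, prob=1.0, path=()):
    """Yield (path, consequence, probability) for every branch of the tree."""
    if isinstance(node, str):
        yield path, node, prob
        return
    barrier, p_works, if_works, if_fails = node
    yield from event_sequences(if_works, prob * p_works,
                               path + ((barrier, True),))
    yield from event_sequences(if_fails, prob * (1 - p_works),
                               path + ((barrier, False),))

def consequence_probabilities(tree):
    """Sum the branch probabilities per consequence."""
    totals = {}
    for _path, consequence, prob in event_sequences(tree):
        totals[consequence] = totals.get(consequence, 0.0) + prob
    return totals

# Constructed fault tree: structure and probabilities are illustrative only.
FAULT_TREE = ("OR", [
    "sabotage",
    ("AND", [
        ("OR", ["signal_malfunction", "driver_error"]),
        ("OR", ["no_atc", ("AND", ["signal_malfunction", "controller_misses"])]),
    ]),
])
BASIC_P = {"sabotage": 0.001, "signal_malfunction": 0.01, "driver_error": 0.02,
           "no_atc": 0.5, "controller_misses": 0.1}

# Constructed event tree for the initiating event "two trains at the same
# section of the line"; the success probabilities are illustrative only.
EVENT_TREE = (
    "ATC stops the train", 0.9, "collision avoided",
    ("controller detects the situation", 0.8,
        ("controller alerts the drivers", 0.7,
            ("drivers stop the train", 0.6, "collision avoided", "collision"),
            "collision"),
        "collision"))

if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(FAULT_TREE), key=sorted):
        print("minimal cut set:", sorted(cs))
    print("P(top event) =", top_event_probability(FAULT_TREE, BASIC_P))
    for path, consequence, prob in event_sequences(EVENT_TREE):
        print(f"{prob:.4f}  {consequence}  via {path}")
    print(consequence_probabilities(EVENT_TREE))
```

The non-minimal cut set {driver_error, signal_malfunction, controller_misses} is dropped because it contains {signal_malfunction, controller_misses}; in an investigation the accident path is one of the enumerated event sequences.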
Figure 16 illustrates an event tree of the situation on Rørosbanen just before the Åsta-accident. This event tree reveals the lack of reliable safety barriers in order to prevent train collision at Rørosbanen at that time.

An event tree analysis is primarily a proactive risk analysis method used to identify possible event sequences. The event tree may be used to identify and illustrate event sequences and also to obtain a
qualitative and quantitative representation and assessment. In an accident investigation we may illustrate the accident path as one of the possible event sequences. This is illustrated with the thick line in Figure 16.

Figure 16. Simplified event tree analysis of the risk at Rørosbanen just before the Åsta-accident.

[Figure 16 labels: initiating event "Two trains at the same section of the line"; barriers "ATC (Automatic Train Control)", "The rail traffic controller detects the hazardous situation", "The rail traffic controller alerts about the hazard" and "Train drivers stop the train", each branching Yes/No; consequences "Collision" and "Collision avoided".]

4.2.3 MORT [10]

[10] The description is based on Johnson W.G., 1980.

MORT provides a systematic method (analytic tree) for planning, organising, and conducting a comprehensive accident investigation. Through MORT analysis, investigators identify deficiencies in specific control factors and in management system factors. These factors are evaluated and analysed to identify the causal factors of the accident.

Basically, MORT is a graphical checklist which contains generic questions that investigators attempt to answer using available factual data. This enables investigators to focus on potential key causal factors. The upper levels of the MORT diagram are shown in Figure 17.

MORT requires extensive training to effectively perform an in-depth analysis of complex accidents involving multiple systems. The first step of the process is to select the MORT chart for the safety program area of interest. The investigators work their way down through the tree, level by level. Events should be coded in a specific colour relative to the significance of the accident. An event that is deficient, or Less Than Adequate (LTA) in MORT terminology, is marked red. The symbol is circled if suspect or coded in red if confirmed. An event that is satisfactory is marked green in the same manner.
Unknowns are marked in blue, being circled initially and coloured if sufficient data do not become available, and an assumption must be made to continue or conclude the analysis.

When the appropriate segments of the tree have been completed, the path of cause and effect (from lack of control by management, to basic causes, contributory causes, and root causes) can easily be traced back through the tree. The tree highlights quite clearly where controls and corrective actions are needed and can be effective in preventing recurrence of the accident.

Figure 17. The upper levels of the MORT-tree.

[Figure 17 labels: "Injuries, damage, other costs, performance lost or degraded"; "Future undesired events"; "Oversights and omissions"; "Assumed risks" (Risk 1, Risk 2, Risk 3, ... Risk n); "Specific controls factors LTA" (What happened?); "Management system factors LTA" (Why?); "Accident"; "Amelioration LTA"; "Policy LTA"; "Implementation LTA"; "Risk assessment system LTA"; AND- and OR-gates; a drawing-break symbol marks a transfer to the section of the tree indicated by the symbol identification letter-number.]

PET (Project Evaluation Tree) and SMORT (Safety Management and Organisations Review Technique) are both methods based on MORT but simplified and easier to use. PET and SMORT will not be described further. PET is described by DOE (1999) and SMORT by (1987).

4.2.4 Systematic Cause Analysis Technique (SCAT) [11]

[11] The description of SCAT is based on CCPS (1992) and the description of the ILCI-model is based on Bird & Germain (1985).

The International Loss Control Institute (ILCI) developed SCAT for the support of occupational incident investigation. The ILCI Loss Causation Model is the framework for the SCAT system (see Figure 18).

Figure 18. The ILCI Loss Causation Model (Bird and Germain, 1985).

The result of an accident is loss, e.g. harm to people, properties, products or the environment. The incident (the contact between the source of energy and the "victim") is the event that precedes the loss.
The immediate causes of an accident are the circumstances that immediately precede the contact. They usually can be seen or sensed. Frequently they are called unsafe acts or unsafe conditions, but in the ILCI-model the terms substandard acts (or practices) and substandard conditions are used. Substandard acts and conditions are listed in Figure 19.

Figure 19. Substandard acts and conditions in the ILCI-model.

Basic causes are the diseases or real causes
behind the symptoms, the reasons why the substandard acts and conditions occurred. Basic causes help explain why people perform substandard practices and why substandard conditions exist. An overview of personal and job factors is given in Figure 20.

[Figure 18 content: Lack of control (Inadequate: program, program standards, compliance to standards); Basic causes (personal factors, job factors); Immediate causes (substandard acts, substandard conditions); Incident (contact with energy, substance or people); Loss (people, property, product, environment, service).]

[Figure 19 content]
Substandard practices/acts:
1. Operating equipment without authority
2. Failure to warn
3. Failure to secure
4. Operating at improper speed
5. Making safety devices inoperable
6. Removing safety devices
7. Using defective equipment
8. Using equipment improperly
9. Failing to use personal protective equipment
10. Improper loading
11. Improper placement
12. Improper lifting
13. Improper position for task
14. Servicing equipment in operation
15. Horseplay
16. Under influence of alcohol/drugs

Substandard conditions:
1. Inadequate guards or barriers
2. Inadequate or improper protective equipment
3. Defective tools, equipment or materials
4. Congestion or restricted action
5. Inadequate warning system
6. Fire and explosion hazards
7. Poor housekeeping, disorderly workplace
8. Hazardous environmental conditions
9. Noise exposures
10. Radiation exposures
11. High or low temperature exposures
12. Inadequate or excessive illumination
13. Inadequate ventilation

Figure 20. Personal and job factors in the ILCI-model.

There are three reasons for lack of control:
1. Inadequate program
2. Inadequate program standards and
3. Inadequate compliance with standards

Figure 21 shows the elements that should be in place in a safety program. The elements are based on research and experience from successful safety programs in different companies.

Figure 21. Elements in a safety program in the ILCI-model.
The Systematic Cause Analysis Technique is a tool to aid an investigation and evaluation of incidents through the application of a SCAT chart. The chart acts as a checklist or reference to ensure that an investigation has looked at all facets of an incident. There are five blocks on a SCAT chart. Each block corresponds to a block of the loss causation model. Hence, the first block contains space to write a description of the incident. The second block lists the most common categories of contact that could have led to the incident under investigation. The third block lists the most common immediate causes, while the fourth block lists common basic causes. Finally, the bottom block lists activities generally accepted as important for a successful loss control program. The technique is easy to apply and is supported by a training manual.

[Figure 20 content]
Personal factors:
1. Inadequate capability
   - Physical/physiological
   - Mental/psychological
2. Lack of knowledge
3. Lack of skill
4. Stress
   - Physical/physiological
   - Mental/psychological
5. Improper motivation

Job factors:
1. Inadequate leadership and/or supervision
2. Inadequate engineering
3. Inadequate purchasing
4. Inadequate maintenance
5. Inadequate tools, equipment, materials
6. Inadequate work standards
7. Wear and tear
8. Abuse or misuse

[Figure 21 content]
Elements in a safety program:
1. Leadership and administration
2. Management training
3. Planned inspection
4. Task analysis and procedures
5. Accident/incident investigation
6. Task observations
7. Emergency preparedness
8. Organisational rules
9. Accident/incident analysis
10. Employee training
11. Personal protective equipment
12. Health control
13. Program evaluation system
14. Engineering controls
15. Personal communications
16. Group meetings
17. General promotion
18. Hiring and placement
19. Purchasing controls
20. Off-the-job safety

The SCAT seems to correspond to the SYNERGI tool for accident registration used in Norway. At least, the accident causation models used in SCAT and SYNERGI are equivalent.
4.2.5 STEP (Sequential timed events plotting) [12]

The STEP-method was developed by Hendrick and Benner (1987). They propose a systematic process for accident investigation based on multi-linear events sequences and a process view of the accident phenomena.

STEP builds on four concepts:
1. Neither the accident nor its investigation is a single linear chain or sequence of events.
Rather, several activities take place at the same time.
2. The event Building Block format for data is used to develop the accident description in a worksheet. A building block describes one event, i.e. one actor performing one action.
3. Events flow logically during a process. Arrows in the STEP worksheet illustrate the flow.
4. Both productive and accident processes are similar and can be understood using similar investigation procedures. They both involve actors and actions, and both are capable of being repeated once they are understood.

With the process concept, a specific accident begins with the action that started the transformation from the described process to an accident process, and ends with the last connected harmful event of that accident process.

[12] The description is based on Hendrick & Benner, 1987.

The STEP-worksheet provides a systematic way to organise the building blocks into a comprehensive, multi-linear description of the accident process. The STEP-worksheet is simply a matrix, with rows and columns. There is one row in the worksheet for each actor. The columns are labelled differently, with marks or numbers along a time line across the top of the worksheet, as shown in Figure 22. The time scale does not need to be drawn on a linear scale; the main point of the time line is to keep events in order, i.e., how they relate to each other in terms of time.

Figure 22. STEP-worksheet.

An event is one actor performing one action. An actor is a person or an item that directly influences the flow or events constituting the accident process. Actors can be involved in two types of changes, adaptive changes or initiating changes. They can either change reactively to sustain dynamic balance or they can introduce changes to which other actors must adapt. An action is something done by the actor. It may be physical and observable, or it may be mental if the actor is a person. An action is something that the actor does and must be stated in the active voice.
The STEP worksheet provides a systematic way to organise the building blocks (or events) into a comprehensive, multi-linear description of the accident process. Figure 23 shows an example of a STEP-diagram of an accident where a stone block falls off a truck and hits a car [13].

[13] The STEP-diagram is based on a description of the accident in a newspaper article.

[Figure 22 layout: one row per actor (Actor A, Actor B, Actor C, Actor D, etc.) against a time line starting at T0.]

Figure 23. An example of a simple STEP-diagram for a car accident.

[Figure 23 content: actor rows for Truck driver, Truck, Stone block, Drap, Car driver and Car against a time line starting at T0. Events shown include: Truck driver loads stone on truck; Truck driver fastens the stone block; Truck driver drives truck from A to B; Truck drives from A to B; Drap fails; Stone falls off the truck; Car drives from B to A; Car driver tries to avoid hitting the stone; The car hits the stone block; The car "collapses" (collision damaged); Car driver dies.]

The STEP-diagram in Figure 23 also shows the use of arrows to link tested relationships among events in the accident chain. An arrow convention is used to show precede/follow and logical relations between two or more events. When an earlier action is necessary for a later one to occur, an arrow should be drawn from the preceding event to the resultant event.

The thought process for identifying the links between events is related to the change of state concepts underlying STEP methods. For each event in the worksheet, the investigator asks, "Are the preceding actions sufficient to initiate this action (or event) or were other actions necessary?" Try to visualize the actors and actions in a "mental movie" in order to develop the links.

Sometimes it is important to determine what happened during a gap or time interval for which we cannot gather any specific evidence. Each remaining gap in the worksheet represents a gap in the understanding of the accident. BackSTEP is a technique by which you reason your way backwards from the event on the right side of the worksheet gap
toward the event on the left side of the gap. The BackSTEP procedure consists of asking a series of "What could have led to that?" questions and working backward through the pyramid with the answers. Make tentative event building blocks for each event that answers the question. When doing a BackSTEP, it is not uncommon to identify more than one
possible pathway between the left and right events at the gap. This tells that there may be more than one way the accident process could progress and may lead to the development of hypotheses which should be further examined.

The STEP-procedure also includes some rigorous technical truth-testing procedures: the row test, the column test, and the necessary-and-sufficient test.

The row (or horizontal) test tells you if you need more building blocks for any individual actor listed along the left side of the worksheet. It also tells you if you have broken each actor down sufficiently.

The column (or vertical) test checks the sequence of events by pairing the new event with the actions of other actors. To pass the column test, the event building block being tested must have occurred
- After all the events in all the columns to the left of that event,
- Before all the events in all columns to the right of that event, and
- At the same time as all the events in the same column.

The row test and the column test are illustrated in Figure 24.

Figure 24. Worksheet row test and column test.

[Figure 24 layout: STEP worksheet with actor rows (Actor A, Actor B, Actor C, Actor D, etc.) and time columns starting at T0; the row test asks "Is row complete?" and the column test checks the sequencing of events.]

investigation. The method is based on HPES (Human Performance Enhancement System) which is mentioned in Table 2, but not described further in this report.

The MTO-analysis is based on three methods:
1. Structured analysis by use of an event- and cause-diagram [17].
2. Change analysis by describing how events have deviated from earlier events or common practice [18].
3. Barrier analysis by identifying technological and administrative barriers which have failed or are missing [19].

Figure 26 illustrates the MTO-analysis worksheet.
The first step in an MTO-analysis is to develop the event sequence longitudinally and illustrate the event sequence in a block diagram. Identify possible technical and human causes of each event and draw these vertically to each event in the diagram. Further, analyse which technical, human or organisational barriers have failed or were missing during the accident progress. Illustrate all missing or failed barriers below the events in the diagram. Assess which deviations or changes differentiate the accident progress from the normal situation. These changes are also illustrated in the diagram (see Figure 26).

The basic questions in the analysis are:
- What may have prevented the continuation of the accident sequence?
- What may the organisation have done in the past in order to prevent the accident?

The last important step in the MTO-analysis is to identify and present recommendations. The recommendations should be as realistic and specific as possible, and might be technical, human or organisational.

[17] See subsection 4.1.1.
[18] See subsection 4.1.3.
[19] See subsection 4.1.2.

Figure 26. MTO-analysis worksheet.

[Figure 26 layout: three bands. Change analysis (Normal, Deviation); Events and causes chart (Chain of events, Causes); Barrier analysis.]

A checklist for identification of failure causes ("felorsaker") is also part of the MTO-methodology (Bento, 1999). The checklist contains the following factors:
1. Organisation
2. Work organisation
3. Work practice
4. Management of work
5. Change procedures
6. Ergonomic / deficiencies in the technology
7. Communication
8. Instructions/procedures
9. Education/competence
10. Work environment

For each of these failure causes, there is a detailed checklist for basic or fundamental causes ("grundorsaker"). Examples of basic causes for the failure cause work practice are:
- Deviation from work instruction
- Poor preparation or planning
- Lack of self inspection
- Use of wrong equipment
- Wrong use of equipment

4.2.7 Accident Analysis and Barrier Function (AEB) Method [20]

The Accident Evolution and Barrier Function (AEB) model provides a method for analysis of incidents and accidents that models the evolution towards an incident/accident as a series of interactions between human and technical systems. The interaction consists of failures, malfunctions or errors that could lead to or have resulted in an accident. The method forces analysts to integrate human and technical systems simultaneously when performing an accident analysis starting with the simple flow chart technique of the method.

The flow chart initially consists of empty boxes in two parallel columns, one for the human systems and one for the technical systems. Figure 27 provides an illustration of this diagram. During the analysis these error boxes are identified as the failures,
malfunctions or errors that constitute the accident evolution. In general, the sequence of error boxes in the diagram follows the time order of events. Between each pair of successive error boxes there is a possibility to arrest the evolution towards an incident/accident. Barrier function systems (e.g. computer programs) that are activated can arrest the evolution through effective barrier functions (e.g. the computer making an incorrect human intervention modelled in the next error box impossible through blocking a control).

Factors that have an influence on human performance have been called performance shaping factors (by Swain and Guttmann, 1983). Examples of such factors are alcohol, lack of sleep and stress. In application of the AEB model those factors are included in the flow diagram only as PSFs and they are analysed after the diagram has been completed. PSFs are included in the flow diagram in cases where it is possible that the factor could have contributed to one or more human error events. Factors such as alcohol and age are modelled as PSFs, but never as human error events or failing barrier functions.

[20] The description is based on Svensson, 2000.

Organisational factors may be integrated as a barrier function with failing or inadequate barrier functions. Organisational factors should always be treated in a special way in an AEB analysis because they include both human and technical systems.

Figure 27. Illustration of an AEB analysis.

An AEB analysis consists of two main phases. The first phase is to model the accident evolution in a flow diagram. It is important to remember that AEB only models errors and that it is not an event sequence method. Arrows link the error event boxes together in order to show the evolution. The course of events is described in an approximate chronological order. It is not allowed to let more than one arrow lead to an error box or to have more than one arrow going from a box.

The second phase consists of the barrier function analysis.
In this phase, the barrier functions are identified (ineffective and/or non existent). A barrier function represents a function that can arrest the accident evolution so that the next event in the chain will not be realised. A barrier function is always identified in relation to the systems it protects, protected or could have protected. Barrier function systems are the systems performing the barrier functions. Barrier function systems can be an operator, an instruction, a physical separation, an emergency control system, other safety-related systems, etc. The same barrier function can be performed by different barrier function systems. Correspondingly, a barrier function system may perform different barrier functions.

[Figure 27 layout: columns "Human factors system", "Technical system" and "Comments"; error event boxes (Human error event 1, 2, 3; Technical error event 1, 2) linked by arrows describing the accident evolution and ending in "Accident / incident"; failing and/or possible barrier functions marked between boxes; PSF (performance shaping factors) noted in the comments. Legend: error event box; accident/incident; arrows describing the accident evolution; possible barrier functions; effective barrier function; PSF.]

An important purpose of the AEB-analysis is to identify broken barrier functions, the reasons for why there were no barrier functions or why the existing ones failed, and to suggest improvements.

Barrier functions belong to one of the three main categories:
- Ineffective barrier functions - barrier functions that were ineffective in the sense that they did not prevent the development toward an accident
- Non-existing barrier functions - barrier functions that, if present, would have stopped the accident evolution.
- Effective barrier functions - barrier functions that actually prevented the progress toward an accident.

If a particular accident should happen, it is necessary that all barrier functions in the sequence are broken and ineffective. The objective of an AEB-analysis is to understand why a number of barrier functions failed, and how they could be reinforced or supported by other barrier functions.
From this perspective, identification of a root-cause of an accident is meaningless. The starting point of the analysis cannot be regarded as the root cause because the removal of any of all the other errors in the accident evolution would also eliminate the accident.

It is sometimes difficult to know if an error should be modelled as an error or as a failing barrier function. As
a rule of thumb, when uncertain the analysts should choose a box and not a barrier function representation in the initial AEB-analysis. The barrier function analysis phase may be used for modelling of subsystems interactions that cannot be represented sequentially in AEB.

All barriers function failures, incidents and accidents take place in man - technology - organisations contexts. Therefore, an AEB-analysis also includes issues about the context in which the accident took place. Therefore, the following questions have to be answered:
1. To increase safety, how is it possible to change the organisation, in which the failure or accident took place?
2. To increase safety, how is it possible to change the technical systems context, in which the failure or accident took place?

It is important to bear in mind that when changes are made in the organisational and technical systems at the context level far reaching effects may be attained.

4.2.8 TRIPOD [21]

[21] This description is based on Groeneweg, 1998.

The whole research into the TRIPOD concept started in 1988 when a study that was contained in the report "TRIPOD, A principled basis for accident prevention" (Reason et al, 1988) was presented to Shell Internationale Petroleum Maatschappij, Exploration and Production. The idea behind TRIPOD is that organisational failures are the main factors in accident causation. These factors are more "latent" and, when contributing to an accident, are always followed by a number of technical and human errors.

The complete TRIPOD-model [22] is illustrated in Figure 28.

Figure 28. The complete TRIPOD model.

Substandard acts and situations do not just occur. They are generated by mechanisms acting in organisations, regardless whether there has been an accident or not. Often these mechanisms result from decisions
taken at high level in the organisation. These underlying mechanisms are called Basic Risk Factors [23] (BRFs). These BRFs may generate various psychological precursors which may lead to substandard acts and situations. Examples of psychological precursors of slips, lapses and violations are time pressure, being poorly motivated or depressed. According to this model, eliminating the latent failures categorized in BRFs or reducing their impact will prevent psychological precursors, substandard acts and the operational disturbances. Furthermore, this will result in prevention of accidents.

[22] The TRIPOD-model described here might be different from previously published models based on the TRIPOD theory, but this model is fully compatible with the most recent version of the accident investigation tool TRIPOD Beta described later in this chapter.

[Figure 28 labels: Decision makers; Latent failures (10 BRFs); Psychological precursors; Substandard acts; Operational disturbance; Breached barriers; Accident; Breached barriers; Consequences; Latent failures (1 BRF, Defences).]

The identified BRFs cover human, organisational and technical problems. The different Basic Risk Factors are defined in Table 5. Ten of these BRFs lead to the "operational disturbance" (the "preventive" BRFs), and one BRF is aimed at controlling the consequences once the operational disturbance has occurred (the "mitigation" BRF). There are five generic prevention BRFs (6 - 10 in Table 5) and five specific BRFs (1 - 5 in Table 5). The specific BRFs relate to latent failures that are specific for the operations to be investigated (e.g. the requirements for Tools and Equipment are quite different in an oil drilling environment compared to an intensive care ward in a hospital).

These BRFs have been identified as a result of brainstorming, a study of audit reports, accident scenarios, a theoretical study, and a study on offshore platforms. The division is definitive and has shown to be valid for all industrial applications.
[23] These mechanisms were initially called General Failure Types (GFTs).

Table 5. The definitions of the basic risk factors (BRFs) in TRIPOD.

| No | Basic Risk Factor | Abbr. | Definition |
|----|-------------------|-------|------------|
| 1 | Design | DE | Ergonomically poor design of tools or equipment (user-unfriendly) |
| 2 | Tools and equipment | TE | Poor quality, condition, suitability or availability of materials, tools, equipment and components |
| 3 | Maintenance management | MM | No or inadequate performance of maintenance tasks and repairs |
| 4 | Housekeeping | HK | No or insufficient attention given to keeping the work floor clean or tidied up |
| 5 | Error enforcing conditions | EC | Unsuitable physical performance of maintenance tasks and repairs |
| 6 | Procedures | PR | Insufficient quality or availability of procedures, guidelines, instructions and manuals (specifications, "paperwork", use in practice) |
| 7 | Training | TR | No or insufficient competence or experience among employees (not sufficiently suited/inadequately trained) |
| 8 | Communication | CO | No or ineffective communication between the various sites, departments or employees of a company or with the official bodies |
| 9 | Incompatible goals | IG | The situation in which employees must choose between optimal working methods according to the established rules on one hand, and the pursuit of production, financial, political, social or individual goals on the other |
| 10 | Organisation | OR | Shortcomings in the organisation's structure, organisation's philosophy, organisational processes or management strategies, resulting in inadequate or ineffective management of the company |
| 11 | Defences | DF | No or insufficient protection of people, material and environment against the consequences of the operational disturbances |

TRIPOD Beta

The TRIPOD Beta-tool is a computer-based instrument that provides the user with a tree-like overview of the accident that was investigated. It is a menu driven tool that will guide the investigator through the process of making an electronic representation of the accident.

The BETA-tool merges two different models, the HEMP (The Hazard and Effects Management Process) model and the TRIPOD model. The merge has resulted in an incident causation model that differs conceptually from the original TRIPOD model. The HEMP model is presented in Figure 29.

Figure 29. "Accident mechanism" according to HEMP.

The TRIPOD Beta accident causation model is presented in Figure 30. This string is used to identify the causes that lead to the breaching of the controls and defences presented in the HEMP model.

Figure 30. TRIPOD Beta Accident Causation Model.
Although the model presented in Figure 30 looks like the original TRIPOD model, its components and assumptions are different. In the Beta-model the defences and controls are directly linked to unsafe acts, preconditions and latent failures. Unsafe acts describe how the barriers were breached and the latent failures why the barriers were breached. An example of a TRIPOD Beta accident analysis is shown in Figure 31.

[Labels from Figures 29 and 30: Hazard; Accident/event; Victim or target; Failed control; Failed defence; Accident; Failed controls or defences; Latent failure(s); Precondition(s); Active failure(s)]

Figure 31. Example of a TRIPOD Beta analysis. [Figure labels: Hazard: Pointed table corner; Employee hits table. Injured knee; Victim; Poor hazard register; Poor hazard register; Missing control: Rounded or rubber corners; Missing control: Audit for obstacles; Missing defence]

The new way of investigating accidents (see Figure 32) is quite different from the conventional ones. No research is done to identify all the contributing substandard acts or clusters of substandard acts; the target for investigation is to find out whether any of the Basic Risk Factors are acting. When the BRFs have been identified, their impact can be decreased or even be eliminated. The real source of problems is tackled instead of the symptoms.

the targets of control), and the upward flow of state information (the measurements of control).

[Figure labels: Decision; Precondition; Order; Function; Plan; Indirect consequence; Task or Action; Direct consequence; Consequence; Precondition evaluated no further; Priorities; Critical event: Loss of control or loss of containment; Reference to annotations; Influence. System level: 1. Government, policy, budgeting; 2. Regulatory bodies and Associations; 3. Local area government, company management, planning, budgeting; 4. Technical, operational management; 5. Physical processes, actor activities; 6. Equipment, surroundings]

Figure 35. Principal illustration of an ActorMap. [Figure labels: System level; 1. Government; 2. Regulatory bodies; 3. Regional, local government, company management; 4. Technical, operational management; Associations; 5. Operators; Actor (repeated)]

5 Discussion and conclusion

5.1 Discussion

Within the field of accident investigation, there is no common agreement on definitions of concepts, and there tends to be a little confusion of ideas. Especially the notion of cause has been discussed. While some investigators focus on causal factors (e.g. DOE, 1997), others focus on determining factors (e.g. Hopkins, 2000), active failures and latent conditions (e.g. Reason, 1997) or safety problems (Hendrick and Benner, 1987).

BRF) ("event trios").

The third column covers the level of scope of the different analysis methods. The levels correspond to the different levels of the sociotechnical system involved in risk management illustrated in Figure 4. The different levels are:

1. The work and technological system
2. The staff level
3. The management level
4. The company level
5. The regulators and associations level
6. The Government level

As shown in Table 6, the scope of most of the methods is limited to level 1 – 4. Although STEP was originally developed to cover level 1 – 4, experience from SINTEF's accident investigations shows that the method also may be used to analyse events influenced by the regulators and the Government. In addition to STEP, only Acci-Map puts focus on level 5 and 6. This means that investigators focusing on the Government and the regulators in their accident investigation to a great extent need to base their analysis on experience and practical judgement more than on results from formal analysis methods.

The fourth column states whether the methods are a primary method or a secondary method. Primary methods are stand-alone techniques while secondary methods provide special input as supplement to other methods. Events and causal factors charting, STEP, MTO-analysis, TRIPOD and Acci-map are all primary methods. The fault tree analysis and event tree analysis might be both primary and secondary methods. The other methods are secondary methods.

In the fifth column the different methods are categorized as deductive, inductive, morphological or non-system oriented. Fault tree analysis and MORT are deductive methods while event tree analysis is an inductive method. Acci-map might be both inductive and deductive. The AEB-method is characterized as morphological, while the other methods are non-system oriented.

In the sixth column the methods are linked to the different types of accident models which have influenced the methods. The following accident models are used:

A Causal-sequence model
B Process model
C Energy model
D Logical tree model
E SHE-management models

Root cause analysis, SCAT and TRIPOD are based on causal-sequence models. Events and causal charting, change analysis, events and causal factors analysis, STEP, MTO-analysis and AEB-method are based on process models. The barrier analysis is based on the energy model. Fault tree analysis, event tree analysis and MORT are based on logical tree models. MORT and SCAT are also based on SHE-management models. The Acci-map is based on a combination of a causal-sequence model, a process model and a logical tree model.

In the last column, an assessment is made of the need for education and training in order to use the methods. The terms "Expert", "Specialist" and "Novice" are used in the table. Expert indicates that there is need of formal education and training before people are able to use the methods in a proper way. Some experience is also beneficial. Fault tree analysis, MORT and Acci-map enter into this category. Novice indicates that people are able to use the methods after an orientation of the methods without hands-on training or experience. Events and causal factors charting, barrier analysis, change analysis and STEP enter into this category. Specialist is somewhere between expert and novice, and events and causal factors analysis, root cause analysis, event tree analysis, SCAT, MTO-analysis, AEB-method and TRIPOD enter into this category.

Table 6. Characteristics of different accident investigation methods.

| Method | Accident sequence | Levels of analysis | Primary / secondary | Analytical approach | Accident model | Training need |
|--------|-------------------|--------------------|---------------------|---------------------|----------------|---------------|
| Events and causal factors charting | Yes | 1-4 | Primary | Non-system oriented | B | Novice |
| Barrier analysis | No | 1-2 | Secondary | Non-system oriented | C | Novice |
| Change analysis | No | 1-4 | Secondary | Non-system oriented | B | Novice |
| Events and causal factors analysis | | 1-4 | Secondary | Non-system oriented | B | Specialist |
| Root cause analysis | No | 1-4 | Secondary | Non-system oriented | A | Specialist |
| Fault tree analysis | No | 1-2 | Primary / Secondary | Deductive | D | Expert |
| Event tree analysis | No | 1-3 | Primary / Secondary | Inductive | D | Specialist |
| MORT | No | 2-4 | Secondary | Deductive | D / E | Expert |
| SCAT | No | 1-4 | Secondary | Non-system oriented | A / E | Specialist |
| STEP | Yes | 1-6 | Primary | Non-system oriented | B | Novice |
| MTO-analysis | Yes | 1-4 | Primary | Non-system oriented | B | Specialist / expert |
| AEB-method | No | 1-3 | Secondary | Morphological | B | Specialist |
| TRIPOD | Yes | 1-4 | Primary | Non-system oriented | A | Specialist |
| Acci-Map | No | 1-6 | Primary | Deductive, inductive | A / B / D | Expert |

5.2 Conclusion

Major accidents almost never result from one single cause; most accidents involve multiple, interrelated causal factors. All actors or decision-makers influencing the normal work process might also influence accident scenarios, either directly or indirectly. This complexity should also be reflected in the accident investigation process. The aim of accident investigations should be to identify the event sequences and all (causal) factors influencing the accident scenario in order to be able to suggest risk reducing measures which may prevent future accidents.
This means that all kinds of actors, from technical systems and front-line operators to regulators and the Government, need to be analysed.

Often, accident investigations involve the use of a set of accident investigation methods. Each method might have a different purpose and may be a small part of the total investigation process. Remember, every piece of a puzzle is as important as the others.

Graphical illustrations of the event sequence are useful during the investigation process because they provide an effective visual aid that summarises key information and a structured method for collecting, organising and integrating collected evidence to facilitate communication among the investigators. Graphical illustrations also help to identify information gaps.

During the investigation process different methods should be used in order to analyse arising problem areas. Within the multi-disciplinary investigation team, there should be at least one member having good knowledge about the different accident investigation methods, being able to choose the proper methods for analysing the different problems. Just like the mechanic has to choose the right tool in order to repair a technical system, an accident investigator has to choose proper methods for analysing different problem areas.

6 References

Andersson R., Menckel E., 1995. On the prevention of accidents and injuries. A comparative analysis of conceptual frameworks. Accident Analysis and Prevention, Vol. 27, No. 6, 757 – 768.

Arbeidsmiljøsenteret, 2001. Veiledning i ulykkesgransking, Arbeidsmiljøforlaget, 2001.

Bento, J-P., 1999. MTO-analys av händelsesrapporter, OD-00-2.

Bird, F.E. Jr and Germain, G.L., 1985. Practical Loss Control Leadership. ISBN 0-88061-054-9, International Loss Control Institute, Georgia, USA.

CCPS, 1992. Guidelines for Investigating Chemical Process Incidents. ISBN 0-8169-0555-X, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1992.

DOE, 1997. Implementation Guide For Use With DOE Order 225.1A, Accident Investigations, DOE G 225.1A-1, November 26, 1997/Rev. 1, U.S. Department of Energy, Washington D.C., USA.

DOE, 1999. Conducting Accident Investigations, DOE Workbook, Revision 2, May 1, 1999, U.S. Department of Energy, Washington D.C., USA.

Ferry T.S., 1988. Modern accident investigation and analysis (2nd ed.). ISBN 0-471-62481-0, Wiley Interscience publication, United States.

Gilje, N. and Grimen, H., 1993. Samfunnsvitenskapenes forutsetninger: Innføring i samfunnsvitenskapenes vitenskapsfilosofi, Universitetsforlaget, Oslo.

Groeneweg, J., 1998. Controlling the controllable: The management of safety. Fourth edition. DSWO Press, Leiden University, The Netherlands, 1998.

Hale A, Wilpert B, Freitag M, 1997. After the event - from accident to organisational learning. ISBN 0 08 0430740, Pergamon, 1997.

Hendrick

[Figure 2 labels: Organisational accidents; Independent investigation commission; Work place; Problem-solving group; Immediate investigation by first-line supervisor; Reporting; Implementation of remedial actions; Accidents; Near accidents; All events; All events; In exceptional cases; Frequent or severe events]

Organisational accidents are, according to Reason (1997), a product of technological innovations that have radically altered the relationship between systems and their human elements.

Rasmussen (1997) proposes different risk management strategies for different kinds of accidents, see Figure 3. The accident investigation methods dealt with in this report are limited to methods used for evolutionary safety control, i.e. in-depth analysis of major accidents (ref. e.g., DOE, 1997), others focus on determining factors (e.g., Hopkins, 2000), active failures and latent conditions (e.g., Reason, 1997) or safety problems (Hendrick and Benner, 1987).

Hopkins (2000) defines cause in the following way: "one thing is said to be a cause of another if we can say but for the first the second would not have occurred". Leplat (1997) expresses this in a more formal way by saying that in general, the following type of definition of cause is accepted: "to say that event X is the cause of event Y is to say that the occurrence of X is a necessary condition to the production of Y, in the circumstances considered". Such a definition implies that if any one of the causal pathways identified is removed, the outcome would probably not have occurred. Using the term contributing factor may be less formal; if an event had not occurred, this would not necessarily have prevented the occurrence of the accident.

accident" period instead of on the mitigation of the consequence of the accident.

2001) recommends avoiding the word cause in accident investigations and rather talking about what might have prevented the accident. Accident investigators may use different frames for their analysis of accidents, but nevertheless the conclusions about what happened, why it happened and what may be done in order to prevent future accidents may be the same.

Some definitions are included in this chapter. These definitions are meant as an introduction to the terms. Several of the terms are defined in different ways by different authors. The definitions are quoted without any comments or discussions in this report in order to show some of the spectrum. Therefore, these definitions represent the authors' opinions.

Accident: A sequence of logically and chronologically related deviating events involving an incident that results in injury to personnel or damage to the environment or material assets. (DOE, 1997)

Barrier: Anything used to control, prevent, or impede energy flows. Common types of barriers include equipment, administrative procedures and processes, supervision/management, warning devices, knowledge and skills, and physical. Barriers may be either control or safety. (DOE, 1997)

Barrier analysis: An analytical technique used to identify the energy sources and the failed or deficient barriers and controls that contributed to an accident. (DOE, 1997)

Causal factor: An event or condition in the accident sequence necessary and sufficient to produce or contribute to the unwanted result. Causal factors fall into three categories; direct cause, contributing cause and root cause. (DOE, 1997)

Cause of accident: Contributing factor or root cause. (DOE, 1997)

Contributing factor: More lasting risk-increasing condition at the workplace related to design, organisation or social system. (CCPS, 1992)

The causal factor(s) that, if corrected, would prevent recurrence of the accident. (DOE, 1997)

Most basic cause of an accident/incident, i.e. a lack of adequate management control resulting in deviations and contributing factors.

(blame)

Evaluate the question of guilt in order to assess the liability for compensation (pay)

As we see, there may be different purposes that initiate accident investigations. The different purposes will not be discussed any further in this report.
2.4 Responsibility for accident investigation

Who should be responsible for performing accident investigations and how thoroughly should the accident be investigated?

The history of accident investigation in the past decades shows a trend to go further and further back in the analysis, i.e., from being satisfied with identifying human errors by front-line personnel or technical failures to identifying weaknesses in the governmental policies as root causes. In order to know when we should stop our investigation, we need what Rasmussen (1990) called stop-rules. Reason (1997) suggests that we should stop when the causes identified are no longer controllable.

The stopping rule suggested by Reason (1997) leads to different stopping points for different parties. Companies should trace causes back to failures in their own management systems and develop risk-reducing measures that they have authority to implement. Supervisory authorities (e.g., The Norwegian Petroleum Directorate), appointed governmental commissions of inquiry (e.g., the Sleipner-commission and the Åsta-commission) or permanent investigation boards (e.g., The Norwegian Aircraft Accident Investigation Board) should in addition focus on regulatory systems and ask whether weaknesses in these systems contributed to the accident.

The police and the prosecuting authority are responsible for evaluating the basis for potential criminal prosecution, while the court of justice is responsible for passing sentence on a person or a company. The liability for compensation is within the insurance companies' and the lawyers' range of responsibility.

2.5 Criteria for accident investigations

What is a "good" accident investigation? This question is difficult to answer in a simple way, because the answer depends on the purpose of the investigation. Nevertheless, I have included ten fundamental criteria for accident investigations stated by Hendrick and Benner (1987). Three criteria are related to objectives and purposes of the accident investigation, four to investigative procedures, and three to the outputs from the investigation and its usefulness.

Criteria related to objectives and purposes

Realistic: The investigation should result in a realistic description of the events that have actually occurred.

Non-causal: An investigation should be conducted in a non-causal framework and result in an objective description of the accident process events. Attribution of cause or fault can only be considered separate from, and after, the understanding of the accident process is completed to satisfy this criterion.

Consistent: The investigation performance from accident to accident and among investigations of a single accident by different investigators should be consistent. Only consistency between results of different investigations enables comparison between them.

Criteria related to investigation procedures

Disciplining: An investigation process should provide an orderly, systematic framework and set of procedures to discipline the investigators' tasks in order to focus their efforts on important and necessary tasks and avoid duplicative or irrelevant tasks.

Functional: An investigation process should be functional in order to make the job efficient, e.g. by helping the investigator to determine which events were part of the accident process as well as those events that were unrelated.

Definitive: An investigation process should provide criteria to identify and define the data that is needed to describe what happened.

Comprehensive: An investigation process should be comprehensive so there is no confusion about what happened, no unsuspected gaps or holes in the explanation, and no conflict of understanding among those who read the report.

Criteria related to output and usefulness

Direct: The investigation process should provide results that do not require collection of more data before the needed controls can be identified and changes made.
Understandable: The output should be readily understandable.

Satisfying: The results should be satisfying for those who initiated the investigation and other individuals that demand results from the investigations.

Some of these criteria are debatable. For instance, the second criterion related to causality is disputable. Investigators using the causal-sequence accident model will in principle focus on causes during their investigation process. The last criterion related to satisfaction might also be discussed. Imagine an investigation initiated by the top management in a company. If the top management is criticised in the accident report, they are not necessarily satisfied with the results, but nevertheless it may be a "good" investigation.

3 The accident investigation process

Figure 5 shows the detailed accident investigation process as described by DOE (1999). As shown in the figure, the process starts immediately when an accident occurs, and the work is not finished before the final report is accepted by the appointing official. This report focuses on the process of analysing evidence to determine and evaluate causal factors (see chapter 4), but first a few comments on the other main phases.

Figure 5. DOE's process for accident investigation (DOE, 1999).
[Figure 5 labels: Board activities; Accident occurs; Develop conclusions and determine judgments of need; Evaluate causal factors; Integrate, organise, and analyse evidence to determine causal factors; Collect, preserve, and verify evidence; Board chairperson takes responsibility for accident scene; Board arrives at accident scene; Appointing official selects Board chairperson and members; Readiness team responds: secures scene, takes witness statements, preserves evidence; Initial reporting and categorisation; Conduct requirements verification analysis; Prepare draft report; Board members finalise draft report; Appointing official accepts report; Site organisations conduct factual accuracy review; Board chairperson conducts closeout briefing]

3.1 Collecting evidence and facts

Collecting data is a critical part of the investigation. Three key types of evidence are collected during the investigation process:

Human or testamentary evidence
Human or testamentary evidence includes witness statements and observations.
Physical evidence
Physical evidence is matter related to the accident (e.g. equipment, parts, debris, hardware, and other physical items).

Documentary evidence
Documentary evidence includes paper and electronic information, such as records, reports, procedures, and documentation.

The major steps in gathering evidence are collecting human, physical and documentary evidence, examining organisational concerns, management systems, and line management oversight, and finally preserving and controlling the collected evidence.

Collecting evidence can be a lengthy, time-consuming, and piecemeal process. Witnesses may provide sketchy or conflicting accounts of the accident. Physical evidence may be badly damaged or completely destroyed. Documentary evidence may be minimal or difficult to access. Thorough investigation requires that board members are diligent in pursuing evidence and adequately explore leads, lines of inquiry, and potential causal factors until they gain a sufficiently complete understanding of the accident.

This topic will not be discussed further in this report, but for those interested in the topic the following references are useful: DOE (1999), CCPS (1992) and Ingstad (1988).

3.2 Analysis of evidence and facts

Analysis of evidence and facts is the process of determining causal factors and identifying latent conditions or contributing factors (or whatever you want to call them), and it seeks to answer the following two questions:

What happened where and when?
Why did it happen?

DOE (1999) describes three types of causal factors:

1. Direct cause
2. Contributing causes
3. Root causes

A direct cause is an immediate event or condition that caused the accident (DOE, 1997). A contributing cause is an event or condition that together with other causes increases the likelihood of an accident but which individually did not cause the accident (DOE, 1997). A root cause is the causal factor(s) that, if corrected, would prevent recurrence of the accident (DOE, 1997).
There are different opinions on the concept of causality of accidents, see comments in section 1.2.1, but this topic will not be discussed any further here.

CCPS (1992) lists three analytical approaches by which conclusions can be reached about an accident:

Deductive approach
Inductive approach
Morphological approach

In addition, there exist different concepts for accident investigation not as comprehensive as these system-oriented techniques. These are categorized as non-system-oriented techniques.

The deductive approach involves reasoning from the general to the specific. In the deductive analysis, it is postulated that a system or process has failed in a certain way. Next an attempt is made to determine what modes of system, component, operator and organisation behaviour contribute to the failure. The whole accident investigation process is a typical example of deductive reasoning. Fault tree analysis is also an example of a deductive technique.

The inductive approach involves reasoning from individual cases to a general conclusion. An inductive analysis is performed by postulating that a particular fault or initiating event has occurred. It is then determined what the effects of the fault or initiating event are on the system operation. Compared with the deductive approach, the inductive approach is an "overview" method. As such it brings an overall structure to the investigative process. To probe the details of the causal factors, control and barrier function, it is often necessary to apply deductive analysis. Examples of inductive techniques are failure mode and effects analysis (FMECA), HAZOPs and event tree analysis.

The morphological approach to analytical incident investigation is based on the structure of the system being studied. The morphological approach focuses directly on potentially hazardous elements (for example operation, situations). The aim is to concentrate on the factors having the most significant influence on safety.
When performing a morphological analysis, the analyst is primarily applying his or her past experience of incident investigation. Rather than looking at all possible deviations with and without a potential safety impact, the investigation focuses on known hazard sources. Typically, the morphological approach is an adaptation of deductive or inductive approaches, but with its own guidelines.

SINTEF has developed a useful five-step model for investigation of causes of accidents. The model is illustrated in Figure 6. Step 1 is identification of the event sequences just before the accident. Step 2 is identification of deviations and failures influencing the event sequence that led to the accident. This includes deviations from existing procedures, deviations from common practice, technical failures and human failures. Step 3 is identification of weaknesses and defects with the management systems. The objective is to detect possible causes of the deviations or failures identified in Step 2. Step 4 is identification of weaknesses and defects related to the top management of the company, because it is their responsibility to establish the necessary management systems and ensure that the systems are complied with. Step 5 is identification of potential deficiencies related to the public safety framework, i.e. market conditions, laws and regulations.

Figure 6. SINTEF's model for analysis of accident causes (Arbeidsmiljøsenteret, 2001).

[Figure 6 content:
Step 1. Event sequence: Decisions; Actions; Omissions
Step 2. Deviations and failures influencing the event sequence: Procedures not followed; Technical failures; Human failures
Step 3. Weaknesses and defects with the management systems: Lack of or inadequate procedures; Lack of implementation; Insufficient training/education; Insufficient follow-up
Step 4. Weaknesses and defects related to the top management: Policy; Organisation and responsibilities; Influence on attitudes; Follow-up by management
Step 5. Deficiencies related to the public safety framework: Economy; Labour; Laws and regulations etc.
Undesirable event. Loss / injuries on: Personnel; Properties; Environment
Other labels: Analysis of causes; Analysis of consequences; Analysis of organisation; STEP-analysis]

Different methods for analysis of evidence and facts are further discussed in chapter 4.

3.3 Recommendations and reporting

One of the main objectives of performing accident investigations is to identify recommendations that may prevent the occurrence of future accidents. This topic will not be discussed any further, but the recommendations should be based on the analysis of evidence and facts in order to prevent the revealed direct and root causes from leading to future accidents.

At the company level the recommended risk reducing measures might be focused on technical, human, operational and/or organisational factors. Often, it is even more important to focus attention on changes in the higher levels in Figure 4, e.g., by changing the regulations or the authoritative supervisory practice. A useful tip is to be open-minded in the search for risk reducing measures and not to be narrow in this part of the work.

Hendrick and Benner (1987) say that two thoughts should be kept in mind regarding accident reports:

Investigations are remembered through their reports.
The best investigation will be wasted by a poor report.

4 Methods for accident investigations

A number of methods for accident investigation have been developed, each with its own strengths and weaknesses. Some methods of great importance are selected for further examination in this chapter.
The selection of methods for further description is not based on any scientific selection criteria. The methods are, however, widely used in practice, well acknowledged and well described in the literature[4], and some of them are relatively recently developed.

[4] Some methods are commercialised and therefore only described to a limited extent in the publicly available literature.

In order to show the span in different accident investigation methods, Table 1 shows an overview of methods described by DOE (1999) and Table 2 shows an overview of methods described by CCPS (1992). Some of the methods in the tables are overlapping, while some are different.

Table 1. Accident investigation analytical techniques presented in DOE (1999).

Core Analytical Techniques
- Events and Causal Factors Charting and Analysis
- Barrier Analysis
- Change Analysis
- Root Cause Analysis

Complex Analytical Techniques
For complex accidents with multiple system failures, there may in addition be need of analytical techniques like analytic tree analysis, e.g.
- Fault Tree Analysis
- MORT (Management Oversight and Risk Tree)
- PET (Project Evaluation Tree Analysis)

Specific Analytical Techniques
- Human Factors Analysis
- Integrated Accident Event Matrix
- Failure Modes and Effects Analysis
- Software Hazards Analysis
- Common Cause Failure Analysis
- Sneak Circuit Analysis
- 72-Hour Profile
- Materials and Structural Analysis
- Scientific Modelling (e.g., for incidents involving criticality and atmospheric dispersion)

Table 2. Accident investigation methods described by CCPS (1992).

Investigation method
- Accident Anatomy method (AAM)
- Action Error Analysis (AEA)
- Accident Evolution and Barrier Analysis (AEB)
- Change Evaluation/Analysis
- Cause-Effect Logic Diagram (CELD)
- Causal Tree Method (CTM)
- Fault Tree Analysis (FTA)
- Hazard and Operability Study (HAZOP)
- Human Performance Enhancement System (HPES)
- Human Reliability Analysis Event Tree (HRA-ET)
- Multiple-Cause, Systems-oriented Incident Investigation (MCSOII)
- Multilinear Events Sequencing (MES)
- Management Oversight Risk Tree (MORT)
- Systematic Cause Analysis Technique (SCAT)
- Sequentially Timed Events Plotting (STEP)
- TapRoot® Incident Investigation System
- Technique of Operations Review (TOR)
- Work Safety Analysis

Table note: Proprietary techniques that require a license agreement.

These two tables list more than 20 different methods, but do not include a complete list of methods. Other methods are described elsewhere in the literature. Since DOE's Workbook Conducting Accident Investigation (DOE, 1999) is a comprehensive and well-written handbook, the description of accident investigation methods starts with DOE's core analytical techniques in section 4.1. Their core analytical techniques are:
- Events and Causal Factors Charting and Analysis
- Barrier Analysis
- Change Analysis
- Root Cause Analysis

Further, some other methods are described in section 4.2:
- Fault tree analysis
- Event tree analysis
- MORT (Management Oversight and Risk Tree)
- SCAT (Systematic Cause Analysis Technique)
- STEP (Sequential Timed Events Plotting)
- MTO-analysis
- AEB Method
- TRIPOD-Delta
- Acci-Map

The four last methods are listed in neither Table 1 nor Table 2, but are commonly used methods in different industries in several European countries.

Readers should be aware that this chapter is purely descriptive. Any comments or assessments of the methods are made in chapter 5.

4.1 DOE's core analytical techniques[5]

4.1.1 Events and causal factors charting (ECFC)

Events and causal factors charting is a graphical display of the accident's chronology and is used primarily for compiling and organising evidence to portray the sequence of the accident's events. The events and causal factor chart is easy to develop and provides a clear depiction of the data.

[Figure: events and causal factors chart with a primary events sequence (Event 1 to Event 4 and the accident event), a secondary events sequence (Secondary event 1 and 2) and the associated conditions (DOE, 1999)[6].]

[6] Similar to MES in Table 2.

[Figure: guidelines and symbols for preparing an events and causal factors chart. Recoverable content:
Symbols: events; accidents; conditions; connector; transfer between lines; LTA, less than adequate (judgment); presumptive events; presumptive conditions or assumptions.
Events:
- Are active (e.g. "crane strikes building")
- Should be stated using one noun and one active verb
- Should be quantified as much as possible and where applicable
- Should indicate the date and time, when they are known
- Should be derived from the event or events and conditions immediately preceding it
Conditions:
- Are passive (e.g. "fog in the area")
- Describe states or circumstances rather than occurrences or events
- As practical, should be quantified
- Should indicate date and time if practical/applicable
- Are associated with the corresponding event
Primary event sequence: encompasses the main events of the accident and those that form the main events line of the chart.
Secondary event sequence: encompasses the events that are secondary or contributing events and those that form the secondary line of the chart.]

4.1.2 Barrier analysis

Barrier analysis is used to identify hazards associated with an accident and the barriers that should have been in place to prevent it. A barrier is any means used to control, prevent, or impede the hazard from reaching the target.

Barrier analysis addresses:
- Barriers that were in place and how they performed
- Barriers that were in place but not used
- Barriers that were not in place but were required
- The barrier(s) that, if present or strengthened, would prevent the same or similar accidents from occurring in the future.

Figure 9 shows types of barriers that may be in place to protect workers from hazards.

Figure 9. Examples of barriers to protect workers from hazards (DOE, 1999)[7]

[7] There exist different barrier models for prevention of accidents based on the defence-in-depth principle in different industries, see e.g. (2000) for prevention of fires and explosions in hydrocarbon processing plants and INSAG-12 for basic safety principles for nuclear power plants.

Physical barriers are usually easy to identify, but management system barriers may be less obvious (e.g. exposure limits). The investigator must understand each barrier's intended function and location, and how it failed to prevent the accident. There exist different ways in
[Figure 9, recoverable content: types of barriers; management barriers, including hazard analysis.]

[...] What was the barrier's purpose? Was the barrier in place or not in place? Did the barrier fail? Was the barrier used if it was in place?) Record in column two.

Step 4. Identify and consider probable causes of the barrier failure. Record in column three.

Step 5. Evaluate the consequences of the failure in this accident. Record in column four.

Table 3. Barrier analysis worksheet.

Hazard: 13.2 kV electrical cable
Target: Acting pipefitter

Barrier: Engineering drawings
- How did the barrier perform? Drawings were incomplete and did not identify electrical cable at sump location.
- Why did the barrier fail? Engineering drawings and construction specifications were not procured. Drawings used were preliminary. No as-built drawings were used to identify location of utility lines.
- How did the barrier affect the accident? Existence of electrical cable unknown.

Barrier: Indoor excavation permit
- How did the barrier perform? Indoor excavation permit was not obtained.
- Why did the barrier fail? Pipefitters and utility specialist were unaware of indoor excavation permit requirements.
- How did the barrier affect the accident? Opportunity to identify existence of cable missed.

4.1.3 Change analysis

Change is anything that disturbs the "balance" of a system operating as planned. Change is often the source of deviations in system operations. Change analysis examines planned or unplanned changes that caused undesired outcomes. In an accident investigation, this technique is used to examine an accident by analysing the difference between what has occurred before or was expected and the actual sequence of events.

The investigator performing the change analysis identifies specific differences between the accident-free situation and the accident scenario. These differences are evaluated to determine whether the differences caused or contributed to the accident.

The change analysis process is described in Figure 11. When conducting a change analysis, investigators identify changes as well as the results of those changes. The distinction is important, because identifying only the results of change may not prompt investigators to identify all causal factors of an accident. When conducting a change analysis, it is important to have a baseline situation that the accident sequence may be compared to.

Figure 11. The change analysis process. (DOE, 1999)
[Figure 11 content: describe accident situation; describe comparable accident-free situation; compare; identify differences; analyse differences for effect on accident; input results into events and causal factors chart.]

Table 4 shows a simple change analysis worksheet. The investigators should first categorise the changes according to the questions shown in the left column of the worksheet, i.e., determine if the change pertained to, for example, a difference in:
- What events, conditions, activities, or equipment were present in the accident situation that were not present in the baseline (accident-free, prior, or ideal) situation (or vice versa)
- When an event or condition occurred or was detected in the accident situation versus the baseline situation
- Where an event or condition occurred in the accident situation versus where an event or condition occurred in the baseline situation
- Who was involved in planning, reviewing, authorising, performing, and supervising the work activity in the accident versus the accident-free situation
- How the work was managed and controlled in the accident versus the accident-free situation.

To complete the remainder of the worksheet, first describe each event or condition of interest in the second column. Then describe the related event or condition that occurred (or should have occurred) in the baseline situation in the third column. The difference between the event and conditions in the accident and the baseline situations should be briefly described in the fourth column. In the last column, discuss the effect that each change had on the accident.

The differences or changes identified can generally be described as causal factors and should be noted on the events and causal factors chart and used in the root cause analysis.

A potential weakness of change analysis is that it does not consider the compounding effects of incremental change (for example, a change that was instituted several years earlier coupled with a more recent change). To overcome this weakness, investigators may choose more than one baseline situation against which to compare the accident scenario.

Table 4. A simple change analysis worksheet. (DOE, 1999)

Columns: Factors; Accident situation; Prior, ideal, or accident-free situation; Difference; Evaluation of effect.

Rows (factors):
- What: conditions, occurrences, activities, equipment
- When: occurred, identified, facility status, schedule
- Where: physical location, environmental conditions
- Who: staff involved, training, qualification, supervision
- How: control chain, hazard analysis, monitoring
- Other

4.1.4 Events and causal factors analysis

The events and causal factors chart may also be used to determine the causal factors of an accident, as illustrated in Figure 12. This process is an important first step in later determining the root causes of an accident. Events and causal factors analysis requires deductive reasoning to determine which events and/or conditions contributed to the accident.

Figure 12. Events and causal factors analysis. (DOE, 1999)

Before starting to analyse the events and conditions noted on the chart, an investigator must first ensure that the chart contains adequate detail.

Examine the first event that immediately precedes the accident. Evaluate its significance in the accident sequence by asking: "If this event had not occurred, would the accident have occurred?"

If the answer is yes, then the event is not significant. Proceed to the next event in the chart, working backwards from the accident. If the answer is no, then determine whether the event represented normal activities with the expected consequences.
If the event was intended and had the expected outcomes, then it is not significant. However, if the event deviated from what was intended or had unwanted consequences, then it is a significant event.

Carefully examine the events and conditions associated with each significant event by asking a series of questions about this event chain, such as:
- Why did this event happen?
- What events and conditions led to the occurrence of the event?
- What went wrong that allowed the event to occur?
- Why did these conditions exist?
- How did these conditions originate?
- Who had the responsibility for the conditions?
- Are there any relationships between what went wrong in this event chain and other events or conditions in the accident sequence?
- Is the significant event linked to other events or conditions that may indicate a more general or larger deficiency?

The significant events, and the events and conditions that allowed the significant events to occur, are the accident's causal factors.

4.1.5 Root cause analysis

Root cause analysis is any analysis that identifies underlying deficiencies in a safety management system that, if corrected, would prevent the same and similar accidents from occurring. Root cause analysis is a systematic process that uses the facts and results from the core analytic techniques to determine the most important reasons for the accident. While the core analytic techniques should provide answers to questions regarding what, when, where, who, and how, root cause analysis should resolve the question why. Root cause analysis requires a certain amount of judgment.

A rather exhaustive list of causal factors must be developed prior to the application of root cause analysis to ensure that final root causes are accurate and comprehensive.
One method for root cause analysis described by DOE is TIER diagramming. TIER-diagramming is used to identify both the root causes of an accident and the level of line management that has the responsibility and authority to correct the accident's causal factors. The investigators use TIER-diagrams to hierarchically categorise the causal factors derived from the events and causal factors analysis.

Linkages among causal factors are then identified and possible root causes are developed. A different diagram is developed for each organisation responsible for the work activities associated with the accident.

The causal factors identified in the events and causal factors chart are input to the TIER-diagrams. Assess where each causal factor belongs in the TIER-diagram. After arranging all the causal factors, examine the causal factors to determine whether there is linkage between two or more of them. Evaluate whether each of the causal factor statements is a root cause of the accident. There may be more than one root cause of a particular accident.

Figure 13 shows an example of a TIER-diagram.

Figure 13. Identifying the linkages to the root causes from a TIER-diagram.
[Figure 13 content: columns Tier, Causal factors, Root causes (optional column). Tiers: Tier 5: Senior management; Tier 4: Middle management; Tier 3: Lower management; Tier 2: Supervision; Tier 1: Worker actions; Tier 0: Direct cause. Root cause #1, Root cause #2, Root cause #3.]

4.2 Other accident investigation methods

4.2.1 Fault tree analysis[8]

[8] The description is based on Høyland and Rausand, 1994.

Fault tree analysis is a method for determining the causes of an accident (or top event). The fault tree is a graphic model that displays the various combinations of normal events, equipment failures, human errors, and environmental factors that can result in an accident. An example of a fault tree is shown in Figure 14.

Figure 14. Illustration of a fault tree (example from the Åsta-accident).

A fault tree analysis may be qualitative, quantitative, or both. Possible results from the analysis may be a listing of the possible combinations of environmental factors, human errors, normal events and component failures that may result in a critical event in the system and the probability that the critical event will occur during a specified time interval.
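As an added illustration (not part of the report), the Python sketch below derives both kinds of result for a small fault tree: the minimal combinations of basic events that cause the top event (minimal cut sets) and the top event probability. An OR-gate output occurs if any input occurs and an AND-gate output only when all inputs occur. The event names echo the railway example, but the gate structure and the probabilities are constructed for this example, and basic events are assumed to be statistically independent.

```python
from itertools import combinations, product
from math import prod

# Constructed fault tree: the gate structure is an assumption, not Figure 14.
# A node is either a basic-event name or a tuple (gate, [children]).
OCCUPIED = "line section occupied by another train"
TREE = ("AND", [
    OCCUPIED,
    ("OR", [
        ("OR", ["no signal", "green flash"]),  # signalling malfunction
        ("AND", ["driver error", "no automatic train control"]),
    ]),
])

# Constructed, illustrative probabilities for one specified time interval.
PROB = {
    OCCUPIED: 0.1,
    "no signal": 0.01,
    "green flash": 0.001,
    "driver error": 0.01,
    "no automatic train control": 0.5,
}


def cut_sets(node):
    """Return every combination of basic events that triggers `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":   # output occurs if any input occurs
        return set().union(*child_sets)
    if gate == "AND":  # output occurs only when all inputs occur together
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate: {gate!r}")


def minimal_cut_sets(node):
    """Qualitative result: cut sets that contain no smaller cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def top_event_probability(mcs, prob):
    """Quantitative result: exact P(top event) by inclusion-exclusion over
    the minimal cut sets, assuming independent basic events."""
    mcs = list(mcs)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1 if k % 2 else -1
        for combo in combinations(mcs, k):
            events = frozenset().union(*combo)
            total += sign * prod(prob[e] for e in events)
    return total


def rare_event_bound(mcs, prob):
    """Common upper bound: the sum of the individual cut set probabilities."""
    return sum(prod(prob[e] for e in s) for s in mcs)


if __name__ == "__main__":
    found = minimal_cut_sets(TREE)
    for s in sorted(found, key=lambda s: (len(s), sorted(s))):
        print(" AND ".join(sorted(s)))
    print(f"P(top event)     = {top_event_probability(found, PROB):.9f}")
    print(f"rare-event bound = {rare_event_bound(found, PROB):.9f}")
```

Every minimal cut set here contains the occupied line section, which is the kind of single shared contributor a qualitative fault tree review is meant to expose.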
The strength of the fault tree as a qualitative tool is its ability to break down an accident into root causes.

The undesired event appears as the top event. This event is linked to the basic failure events by logic gates and event statements. A gate symbol can have one or more inputs, but only one output. A summary of common fault tree symbols is given in Figure 15. Høyland and Rausand (1994) give a more detailed description of fault tree analysis.

[Figure 14 content: line section already "occupied" by another train; malfunction of the signalling system; human error (engine driver); sabotage/act of terror; engine failure (runaway train); no signal; green signal (green flash); two OR-gates.]

Figure 15. Fault tree symbols.

Logic gates
- OR-gate: indicates that the output event A occurs if any of the input events Ei occur.
- AND-gate: indicates that the output event A occurs when all the input events Ei occur simultaneously.

Input events
- Basic event: represents a basic equipment failure that requires no further development of failure causes.
- Undeveloped event: represents an event that is not examined further because information is unavailable or because its consequences are insignificant.

Description of state
- Comment rectangle: for supplementary information.

Transfer symbols
- Transfer-out: indicates that the fault tree is developed further at the occurrence of the corresponding transfer-in symbol.
- Transfer-in.

4.2.2 Event tree analysis[9]

[9] The description is based on Villemeur, 1991.

An event tree is used to analyse event sequences following an initiating event. The event sequence is influenced by either success or failure of numerous barriers or safety functions/systems. The event sequence leads to a set of possible consequences. The consequences may be considered as acceptable or unacceptable. The event sequence is illustrated graphically where each safety system is modelled for two states, operation and failure.

Figure 16 illustrates an event tree of the situation on Rørosbanen just before the Åsta-accident. This event tree reveals the lack of reliable safety barriers in order to prevent train collision at Rørosbanen at that time.

An event tree analysis is primarily a proactive risk analysis method used to identify possible event sequences. The event tree may be used to identify and illustrate event sequences and also to obtain a qualitative and quantitative representation and assessment. In an accident investigation we may illustrate the accident path as one of the possible event sequences. This is illustrated with the thick line in Figure 16.

Figure 16. Simplified event tree analysis of the risk at Rørosbanen just before the Åsta-accident.
[Figure 16 content: initiating event "Two trains at the same section of the line"; barriers shown, each with a yes/no branch: ATC (Automatic Train Control); the rail traffic controller detects the hazardous situation; train drivers stop the train; the rail traffic controller alerts about the hazard; outcomes: collision or collision avoided.]

4.2.3 MORT[10]

[10] The description is based on Johnson W.G., 1980.

MORT provides a systematic method (analytic tree) for planning, organising, and conducting a comprehensive accident investigation. Through MORT analysis, investigators identify deficiencies in specific control factors and in management system factors. These factors are evaluated and analysed to identify the causal factors of the accident.

Basically, MORT is a graphical checklist which contains generic questions that investigators attempt to answer using available factual data. This enables investigators to focus on potential key causal factors. The upper levels of the MORT diagram are shown in Figure 17.

MORT requires extensive training to effectively perform an in-depth analysis of complex accidents involving multiple systems. The first step of the process is to select the MORT chart for the safety program area of interest. The investigators work their way down through the tree, level by level. Events should be coded in a specific colour relative to the significance of the accident. An event that is deficient, or Less Than Adequate (LTA) in MORT terminology, is marked red. The symbol is circled if suspect or coded in red if confirmed. An event that is satisfactory is marked green in the same manner.
Unknowns are marked in blue, being circled initially and coloured if sufficient data do not become available, and an assumption must be made to continue or conclude the analysis.

When the appropriate segments of the tree have been completed, the path of cause and effect (from lack of control by management, to basic causes, contributory causes, and root causes) can easily be traced back through the tree. The tree highlights quite clearly where controls and corrective actions are needed and can be effective in preventing recurrence of the accident.

Figure 17. The upper levels of the MORT-tree.
[Figure 17 content: injuries, damage, other costs, performance lost or degraded; future undesired events; oversights and omissions; assumed risks (Risk 1, Risk 2, Risk 3, Risk n); specific controls factors LTA; management system factors LTA; accident; amelioration LTA; policy LTA; implementation LTA; risk assessment system LTA; AND- and OR-gates; the questions "What happened?" and "Why?"; symbol identifiers T, S/M, S, M, SA1, SA2, MA1, MA2, MA3, A, B, C, D, R; drawing break: transfer to section of tree indicated by symbol identification letter-number.]

PET (Project Evaluation Tree) and SMORT (Safety Management and Organisations Review Technique) are both methods based on MORT but simplified and easier to use. PET and SMORT will not be described further. PET is described by DOE (1999) and SMORT by (1987).

4.2.4 Systematic Cause Analysis Technique (SCAT)[11]

[11] The description of SCAT is based on CCPS (1992) and the description of the ILCI-model is based on Bird and Germain (1985).

The International Loss Control Institute (ILCI) developed SCAT for the support of occupational incident investigation. The ILCI Loss Causation Model is the framework for the SCAT system (see Figure 18).

Figure 18. The ILCI Loss Causation Model (Bird and Germain, 1985).
[Figure 18 content, in sequence:
- Lack of control. Inadequate: program, program standards, compliance to standards
- Basic causes: personal factors, job factors
- Immediate causes: substandard acts, substandard conditions
- Incident: contact with energy, substance or people
- Loss: people, property, product, environment, service]

The result of an accident is loss, e.g. harm to people, properties, products or the environment. The incident (the contact between the source of energy and the "victim") is the event that precedes the loss. The immediate causes of an accident are the circumstances that immediately precede the contact. They usually can be seen or sensed. Frequently they are called unsafe acts or unsafe conditions, but in the ILCI-model the terms substandard acts (or practices) and substandard conditions are used. Substandard acts and conditions are listed in Figure 19.

Figure 19. Substandard acts and conditions in the ILCI-model.

Substandard practices/acts
1. Operating equipment without authority
2. Failure to warn
3. Failure to secure
4. Operating at improper speed
5. Making safety devices inoperable
6. Removing safety devices
7. Using defective equipment
8. Using equipment improperly
9. Failing to use personal protective equipment
10. Improper loading
11. Improper placement
12. Improper lifting
13. Improper position for task
14. Servicing equipment in operation
15. Horseplay
16. Under influence of alcohol/drugs

Substandard conditions
1. Inadequate guards or barriers
2. Inadequate or improper protective equipment
3. Defective tools, equipment or materials
4. Congestion or restricted action
5. Inadequate warning system
6. Fire and explosion hazards
7. Poor housekeeping, disorderly workplace
8. Hazardous environmental conditions
9. Noise exposures
10. Radiation exposures
11. High or low temperature exposures
12. Inadequate or excessive illumination
13. Inadequate ventilation

Basic causes are the diseases or real causes behind the symptoms, the reasons why the substandard acts and conditions occurred. Basic causes help explain why people perform substandard practices and why substandard conditions exist. An overview of personal and job factors is given in Figure 20.

Figure 20. Personal and job factors in the ILCI-model.

Personal factors
1. Inadequate capability (physical/physiological, mental/psychological)
2. Lack of knowledge
3. Lack of skill
4. Stress (physical/physiological, mental/psychological)
5. Improper motivation

Job factors
1. Inadequate leadership and/or supervision
2. Inadequate engineering
3. Inadequate purchasing
4. Inadequate maintenance
5. Inadequate tools, equipment, materials
6. Inadequate work standards
7. Wear and tear
8. Abuse or misuse

There are three reasons for lack of control:
1. Inadequate program
2. Inadequate program standards and
3. Inadequate compliance with standards

Figure 21 shows the elements that should be in place in a safety program. The elements are based on research and experience from successful safety programs in different companies.

Figure 21. Elements in a safety program in the ILCI-model.

Elements in a safety program
1. Leadership and administration
2. Management training
3. Planned inspection
4. Task analysis and procedures
5. Accident/incident investigation
6. Task observations
7. Emergency preparedness
8. Organisational rules
9. Accident/incident analysis
10. Employee training
11. Personal protective equipment
12. Health control
13. Program evaluation system
14. Engineering controls
15. Personal communications
16. Group meetings
17. General promotion
18. Hiring and placement
19. Purchasing controls
20. Off-the-job safety

The Systematic Cause Analysis Technique is a tool to aid an investigation and evaluation of incidents through the application of a SCAT chart. The chart acts as a checklist or reference to ensure that an investigation has looked at all facets of an incident. There are five blocks on a SCAT chart. Each block corresponds to a block of the loss causation model. Hence, the first block contains space to write a description of the incident. The second block lists the most common categories of contact that could have led to the incident under investigation. The third block lists the most common immediate causes, while the fourth block lists common basic causes. Finally, the bottom block lists activities generally accepted as important for a successful loss control program. The technique is easy to apply and is supported by a training manual.

The SCAT seems to correspond to the SYNERGI tool for accident registration used in Norway. At least, the accident causation models used in SCAT and SYNERGI are equivalent.
4.2.5 STEP (Sequential timed events plotting)[12]

[12] The description is based on Hendrick and Benner, 1987.

The STEP-method was developed by Hendrick and Benner (1987). They propose a systematic process for accident investigation based on multi-linear events sequences and a process view of the accident phenomena.

STEP builds on four concepts:
1. Neither the accident nor its investigation is a single linear chain or sequence of events. Rather, several activities take place at the same time.
2. The event Building Block format for data is used to develop the accident description in a worksheet. A building block describes one event, i.e. one actor performing one action.
3. Events flow logically during a process. Arrows in the STEP worksheet illustrate the flow.
4. Both productive and accident processes are similar and can be understood using similar investigation procedures. They both involve actors and actions, and both are capable of being repeated once they are understood.

With the process concept, a specific accident begins with the action that started the transformation from the described process to an accident process, and ends with the last connected harmful event of that accident process.

The STEP-worksheet provides a systematic way to organise the building blocks into a comprehensive, multi-linear description of the accident process. The STEP-worksheet is simply a matrix, with rows and columns. There is one row in the worksheet for each actor. The columns are labelled differently, with marks or numbers along a time line across the top of the worksheet, as shown in Figure 22. The time scale does not need to be drawn on a linear scale; the main point of the time line is to keep events in order, i.e., how they relate to each other in terms of time.

Figure 22. STEP-worksheet.

An event is one actor performing one action. An actor is a person or an item that directly influences the flow of events constituting the accident process. Actors can be involved in two types of changes, adaptive changes or initiating changes. They can either change reactively to sustain dynamic balance or they can introduce changes to which other actors must adapt.

An action is something done by the actor. It may be physical and observable, or it may be mental if the actor is a person.
An action is something that the actor does and must be stated in the active voice.

[Figure 22 content: a matrix with one row per actor (Actor A, Actor B, Actor C, Actor D, etc.) and a time line starting at T0 across the top.]

The STEP worksheet provides a systematic way to organise the building blocks (or events) into a comprehensive, multi-linear description of the accident process. Figure 23 shows an example of a STEP-diagram of an accident where a stone block falls off a truck and hits a car[13].

[13] The STEP-diagram is based on a description of the accident in a newspaper article.

Figure 23. An example of a simple STEP-diagram for a car accident.
[Figure 23 content: time line starting at T0; actors: truck driver, truck, stone block, Drap, car driver, car; events: truck driver loads stone on truck; truck driver fastens the stone block; truck driver drives truck from A to B; truck drives from A to B; Drap fails; stone falls off the truck; car driver starts the car; car drives from B to A; car driver observes the stone; car driver strikes; car driver tries to avoid hitting the stone; the car hits the stone block; the car "collapses" (collision damaged); car driver dies. Legend: actor, event, link.]

The STEP-diagram in Figure 23 also shows the use of arrows to link tested relationships among events in the accident chain. An arrow convention is used to show precede/follow and logical relations between two or more events. When an earlier action is necessary for a later one to occur, an arrow should be drawn from the preceding event to the resultant event.

The thought process for identifying the links between events is related to the change of state concepts underlying STEP methods. For each event in the worksheet, the investigator asks, "Are the preceding actions sufficient to initiate this action (or event) or were other actions necessary?" Try to visualize the actors and actions in a "mental movie" in order to develop the links.

Sometimes it is important to determine what happened during a gap or time interval for which we cannot gather any specific evidence. Each remaining gap in the worksheet represents a gap in the understanding of the accident. BackSTEP is a technique by which you reason your way backwards from the event on the right side of the worksheet gap toward the event on the left side of the gap. The BackSTEP procedure consists of asking a series of "What could have led to that?" questions and working backward through the pyramid with the answers. Make tentative event building blocks for each event that answers the question. When doing a BackSTEP, it is not uncommon to identify more than one possible pathway between the left and right events at the gap. This tells that there may be more than one way the accident process could progress and may lead to the development of hypotheses which should be further examined.

The STEP-procedure also includes some rigorous technical truth-testing procedures: the row test, the column test, and the necessary-and-sufficient test.

The row (or horizontal) test tells you if you need more building blocks for any individual actor listed along the left side of the worksheet. It also tells you if you have broken each actor down sufficiently.

The column (or vertical) test checks the sequence of events by pairing the new event with the actions of other actors. To pass the column test, the event building block being tested must have occurred
- After all the events in all the columns to the left of that event,
- Before all the events in all columns to the right of that event, and
- At the same time as all the events in the same column.

The row test and the column test are illustrated in Figure 24.

Figure 24. Worksheet row test and column test.
[Figure 24 content: worksheet with rows (Actor A, Actor B, Actor C, Actor D, etc.) and columns along a time line starting at T0; row tests: is row complete?; column tests: is event sequenced [...]]

[...]

[Figure residue, caption not preserved: car driver starts the car; truck driver; car driver observes the stone; car driver brakes; bumpy road due to lack of maintenance; inattentive car driver; narrow road; poor brakes; lack of airbag; numbered markers 6 to 10.]

[...] investigation. The method is based on HPES (Human Performance Enhancement System) which is mentioned in Table 2, but not described further in this report.

The MTO-analysis is based on three methods:
1. Structured analysis by use of an event- and cause-diagram[17].
2. Change analysis by describing how events have deviated from earlier events or common practice[18].
3. Barrier analysis by identifying technological and administrative barriers which have failed or are missing[19].
Figure 26 illustrates the MTO-analysis worksheet. The first step in an MTO-analysis is to develop the event sequence longitudinally and illustrate the event sequence in a block diagram. Identify possible technical and human causes of each event and draw these vertically to each event in the diagram. Further, analyse which technical, human or organisational barriers have failed or were missing during the accident progress. Illustrate all missing or failed barriers below the events in the diagram. Assess which deviations or changes distinguish the accident progress from the normal situation. These changes are also illustrated in the diagram (see Figure 26).

The basic questions in the analysis are:

- What may have prevented the continuation of the accident sequence?
- What may the organisation have done in the past in order to prevent the accident?

The last important step in the MTO-analysis is to identify and present recommendations. The recommendations should be as realistic and specific as possible, and might be technical, human or organisational.

[7] See subsection 4.1.1.
[8] See subsection 4.1.3.
[9] See subsection 4.1.2.

Figure 26. MTO-analysis worksheet. [Worksheet with three parts: change analysis (normal, deviation), events and causes chart (chain of events, causes), and barrier analysis.]

A checklist for identification of failure causes ("felorsaker") is also part of the MTO-methodology (Bento, 1999). The checklist contains the following factors:

1. Organisation
2. Work organisation
3. Work practice
4. Management of work
5. Change procedures
6. Ergonomic / deficiencies in the technology
7. Communication
8. Instructions/procedures
9. Education/competence
10. Work environment

For each of these failure causes, there is a detailed checklist for basic or fundamental causes ("grundorsaker"). Examples of basic causes for the failure cause work practice are:

- Deviation from work instruction
- Poor preparation or planning
- Lack of self inspection
- Use of wrong equipment
- Wrong use of equipment

4.2.7 Accident Analysis and Barrier Function (AEB) Method [20]

The Accident Evolution and Barrier Function (AEB) model provides a method for analysis of incidents and accidents that models the evolution towards an incident/accident as a series of interactions between human and technical systems. The interaction consists of failures, malfunctions or errors that could lead to or have resulted in an accident. The method forces analysts to integrate human and technical systems simultaneously when performing an accident analysis, starting with the simple flow chart technique of the method.

The flow chart initially consists of empty boxes in two parallel columns, one for the human systems and one for the technical systems. Figure 27 provides an illustration of this diagram. During the analysis these error boxes are identified as the failures, malfunctions or errors that constitute the accident evolution. In general, the sequence of error boxes in the diagram follows the time order of events. Between each pair of successive error boxes there is a possibility to arrest the evolution towards an incident/accident. Barrier function systems (e.g. computer programs) that are activated can arrest the evolution through effective barrier functions (e.g. the computer making an incorrect human intervention modelled in the next error box impossible through blocking a control).

Factors that have an influence on human performance have been called performance shaping factors (by Swain and Guttman, 1983). Examples of such factors are alcohol, lack of sleep and stress. In application of the AEB model those factors are included in the flow diagram only as PSFs and they are analysed after the diagram has been completed. PSFs are included in the flow diagram in cases where it is possible that the factor could have contributed to one or more human error events. Factors such as alcohol and age are modelled as PSFs, but never as human error events or failing barrier functions.

Organisational factors may be integrated as a barrier function with failing or inadequate barrier functions. Organisational factors should always be treated in a special way in an AEB analysis because they include both human and technical systems.

[20] The description is based on Svensson, 2000.

Figure 27. Illustration of an AEB analysis. [Flow diagram with a human factors system column, a technical system column and a comments column; the legend distinguishes error event boxes, the accident/incident, arrows describing the accident evolution, possible barrier functions, effective barrier functions and performance shaping factors (PSF).]

An AEB analysis consists of two main phases. The first phase is to model the accident evolution in a flow diagram. It is important to remember that AEB only models errors and that it is not an event sequence method. Arrows link the error event boxes together in order to show the evolution. The course of events is described in an approximate chronological order.
It is not allowed to let more than one arrow lead to an error box or to have more than one arrow going from a box.

The second phase consists of the barrier function analysis. In this phase, the barrier functions are identified (ineffective and/or non existent). A barrier function represents a function that can arrest the accident evolution so that the next event in the chain will not be realised. A barrier function is always identified in relation to the systems it protects, protected or could have protected. Barrier function systems are the systems performing the barrier functions. Barrier function systems can be an operator, an instruction, a physical separation, an emergency control system, other safety-related systems, etc. The same barrier function can be performed by different barrier function systems. Correspondingly, a barrier function system may perform different barrier functions.

An important purpose of the AEB-analysis is to identify broken barrier functions, the reasons for why there were no barrier functions or why the existing ones failed, and to suggest improvements.

Barrier functions belong to one of the three main categories:

- Ineffective barrier functions – barrier functions that were ineffective in the sense that they did not prevent the development toward an accident.
- Non-existing barrier functions – barrier functions that, if present, would have stopped the accident evolution.
- Effective barrier functions – barrier functions that actually prevented the progress toward an accident.

If a particular accident should happen, it is necessary that all barrier functions in the sequence are broken and ineffective.
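The arrow rule and the three barrier-function categories described above can be checked mechanically. The following Python code is an added example, not part of the original report or of any AEB tool; the `AebDiagram` structure, the function names and the pump scenario are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

BROKEN = {"ineffective", "non-existing"}  # barrier functions that did not stop the evolution
EFFECTIVE = "effective"                   # barrier function that arrested the evolution


@dataclass
class AebDiagram:                 # hypothetical structure, not from any AEB tool
    boxes: dict                   # box id -> (column, text); column is "human" or "technical"
    outcome: str                  # id of the accident/incident symbol that ends the chain
    arrows: list                  # (from_id, to_id) pairs showing the accident evolution
    barriers: dict = field(default_factory=dict)  # arrow -> [(barrier function, category)]
    psfs: dict = field(default_factory=dict)      # box id -> [performance shaping factors]


def validate(d):
    """Return the modelling-rule violations; an empty list means the diagram is well formed."""
    problems = []
    for src, dst in d.arrows:
        if src not in d.boxes or dst not in set(d.boxes) | {d.outcome}:
            problems.append(f"arrow {src}->{dst}: unknown box")
    leaving = Counter(src for src, _ in d.arrows)
    arriving = Counter(dst for _, dst in d.arrows)
    problems += [f"{b}: more than one arrow leaves the box" for b, n in leaving.items() if n > 1]
    problems += [f"{b}: more than one arrow leads to the box" for b, n in arriving.items() if n > 1]
    for functions in d.barriers.values():
        for name, category in functions:
            if category not in BROKEN | {EFFECTIVE}:
                problems.append(f"{name}: unknown category {category!r}")
    for box in d.psfs:  # PSFs are tied to human error events, never modelled as errors
        if d.boxes.get(box, ("", ""))[0] != "human":
            problems.append(f"{box}: PSFs attach to human error events only")
    return sorted(problems)


def chain(d):
    """Follow the arrows from the first error box to the accident/incident."""
    successor = dict(d.arrows)
    starts = [b for b in d.boxes if b not in {dst for _, dst in d.arrows}]
    if validate(d) or len(starts) != 1:
        raise ValueError("diagram is not a single chain of error boxes")
    path = [starts[0]]
    while path[-1] in successor:
        path.append(successor[path[-1]])
    if path[-1] != d.outcome or len(path) != len(d.boxes) + 1:
        raise ValueError("chain does not run through every box to the outcome")
    return path


def arrest_point(d):
    """Return (from, to, barrier function) where the evolution is arrested, else None."""
    path = chain(d)
    for arrow in zip(path, path[1:]):
        for name, category in d.barriers.get(arrow, []):
            if category == EFFECTIVE:
                return (*arrow, name)
    return None  # every barrier function in the sequence was broken: accident realised


def broken_barriers(d):
    """List (from, to, barrier function, category) for each failed or missing barrier."""
    path = chain(d)
    return [(*arrow, name, category) for arrow in zip(path, path[1:])
            for name, category in d.barriers.get(arrow, []) if category in BROKEN]


SAMPLE = AebDiagram(  # constructed sample: three error events, all barrier functions broken
    boxes={"H1": ("human", "operator lines up the wrong valve"),
           "T1": ("technical", "panel shows a stale valve position"),
           "H2": ("human", "operator starts the pump against a closed valve")},
    outcome="ACC",
    arrows=[("H1", "T1"), ("T1", "H2"), ("H2", "ACC")],
    barriers={("H1", "T1"): [("independent line-up check", "non-existing")],
              ("T1", "H2"): [("interlock blocks pump start", "ineffective")],
              ("H2", "ACC"): [("pressure relief", "ineffective")]},
    psfs={"H1": ["lack of sleep"]},
)
```

For the sample, `arrest_point` returns `None` because no barrier function is effective, and `broken_barriers` lists the three candidates for improvement; marking the interlock as effective moves the arrest point to the T1 to H2 link.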
The objective of an AEB-analysis is to understand why a number of barrier functions failed, and how they could be reinforced or supported by other barrier functions. From this perspective, identification of a root cause of an accident is meaningless. The starting point of the analysis cannot be regarded as the root cause because the removal of any of the other errors in the accident evolution would also eliminate the accident.

It is sometimes difficult to know if an error should be modelled as an error or as a failing barrier function. As a rule of thumb, when uncertain the analysts should choose a box and not a barrier function representation in the initial AEB-analysis.

The barrier function analysis phase may be used for modelling of subsystem interactions that cannot be represented sequentially in AEB.

All barrier function failures, incidents and accidents take place in man – technology – organisation contexts. Therefore, an AEB-analysis also includes issues about the context in which the accident took place, and the following questions have to be answered:

1. To increase safety, how is it possible to change the organisation in which the failure or accident took place?
2. To increase safety, how is it possible to change the technical systems context in which the failure or accident took place?

It is important to bear in mind that when changes are made in the organisational and technical systems at the context level, far-reaching effects may be attained.

4.2.8 TRIPOD [21]

The whole research into the TRIPOD concept started in 1988 when a study that was contained in the report "TRIPOD, A principled basis for accident prevention" (Reason et al, 1988) was presented to Shell Internationale Petroleum Maatschappij, Exploration and Production. The idea behind TRIPOD is that organisational failures are the main factors in accident causation. These factors are more "latent" and, when contributing to an accident, are always followed by a number of technical and human errors.

The complete TRIPOD-model [22] is illustrated in Figure 28.

Figure 28. The complete TRIPOD model. [Diagram labels: decision makers; substandard acts; psychological precursors; operational disturbance; consequences; accident; breached barriers (twice); latent failures, 10 BRFs; latent failures, 1 BRF (Defences).]

Substandard acts and situations do not just occur. They are generated by mechanisms acting in organisations, regardless of whether there has been an accident or not. Often these mechanisms result from decisions taken at high level in the organisation. These underlying mechanisms are called Basic Risk Factors [23] (BRFs). These BRFs may generate various psychological precursors which may lead to substandard acts and situations. Examples of psychological precursors of slips, lapses and violations are time pressure, being poorly motivated or depressed. According to this model, eliminating the latent failures categorized in BRFs or reducing their impact will prevent psychological precursors, substandard acts and the operational disturbances. Furthermore, this will result in prevention of accidents.

[21] This description is based on Groeneweg, 1998.
[22] The TRIPOD-model described here might be different from previously published models based on the TRIPOD theory, but this model is fully compatible with the most recent version of the accident investigation tool TRIPOD Beta described later in this chapter.

The identified BRFs cover human, organisational and technical problems. The different Basic Risk Factors are defined in Table 5. Ten of these BRFs lead to the "operational disturbance" (the "preventive" BRFs), and one BRF is aimed at controlling the consequences once the operational disturbance has occurred (the "mitigation" BRF). There are five generic prevention BRFs (6 – 10 in Table 5) and five specific BRFs (1 – 5 in Table 5). The specific BRFs relate to latent failures that are specific for the operations to be investigated (e.g. the requirements for Tools and Equipment are quite different in an oil drilling environment compared to an intensive care ward in a hospital).

These BRFs have been identified as a result of brainstorming, a study of audit reports, accident scenarios, a theoretical study, and a study on offshore platforms. The division is definitive and has been shown to be valid for all industrial applications.
[23] These mechanisms were initially called General Failure Types (GFTs).

Table 5. The definitions of the basic risk factors (BRFs) in TRIPOD.

No | Basic Risk Factor | Abbr. | Definition
1 | Design | DE | Ergonomically poor design of tools or equipment (user-unfriendly)
2 | Tools and equipment | TE | Poor quality, condition, suitability or availability of materials, tools, equipment and components
3 | Maintenance management | MM | No or inadequate performance of maintenance tasks and repairs
4 | Housekeeping | HK | No or insufficient attention given to keeping the work floor clean or tidied up
5 | Error enforcing conditions | EC | Unsuitable physical performance of maintenance tasks and repairs
6 | Procedures | PR | Insufficient quality or availability of procedures, guidelines, instructions and manuals (specifications, "paperwork", use in practice)
7 | Training | TR | No or insufficient competence or experience among employees (not sufficiently suited/inadequately trained)
8 | Communication | CO | No or ineffective communication between the various sites, departments or employees of a company or with the official bodies
9 | Incompatible goals | IG | The situation in which employees must choose between optimal working methods according to the established rules on one hand, and the pursuit of production, financial, political, social or individual goals on the other
10 | Organisation | OR | Shortcomings in the organisation's structure, organisation's philosophy, organisational processes or management strategies, resulting in inadequate or ineffective management of the company
11 | Defences | DF | No or insufficient protection of people, material and environment against the consequences of the operational disturbances

TRIPOD Beta

The TRIPOD Beta-tool is a computer-based instrument that provides the user with a tree-like overview of the accident that was investigated. It is a menu-driven tool that will guide the investigator through the process of making an electronic representation of the accident.

The BETA-tool merges two different models, the HEMP (The Hazard and Effects Management Process) model and the TRIPOD model. The merge has resulted in an incident causation model that differs conceptually from the original TRIPOD model. The HEMP model is presented in Figure 29.

Figure 29. "Accident mechanism" according to HEMP. [Diagram labels: hazard; accident/event; victim or target; failed control; failed defence.]

The TRIPOD Beta accident causation model is presented in Figure 30. This string is used to identify the causes that lead to the breaching of the controls and defences presented in the HEMP model.

Figure 30. TRIPOD Beta Accident Causation Model. [Diagram labels: accident; failed controls or defences; active failure(s); precondition(s); latent failure(s).]

Although the model presented in Figure 30 looks like the original TRIPOD model, its components and assumptions are different. In the Beta-model the defences and controls are directly linked to unsafe acts, preconditions and latent failures. Unsafe acts describe how the barriers were breached and the latent failures why the barriers were breached.

An example of a TRIPOD Beta accident analysis is shown in Figure 31.

Figure 31. Example of a TRIPOD Beta analysis. [Diagram labels: Hazard: pointed table corner; Employee hits table; Injured knee (victim); Poor hazard register (twice); Missing control: rounded or rubber corners; Missing control: audit for obstacles; Missing defence.]

The new way of investigating accidents (see Figure 32) is quite different from the conventional ones. No research is done to identify all the contributing substandard acts or clusters of substandard acts; the target for investigation is to find out whether any of the Basic Risk Factors are acting. When the BRFs have been identified, their impact can be decreased or even be eliminated. The real source of problems is tackled instead of the symptoms.

the targets of control), and the upward flow of state information (the measurements of control).

[Figure residue: diagram of decisions, orders, plans, functions, tasks or actions, preconditions and direct and indirect consequences leading to a critical event (loss of control or loss of containment), arranged by system level: 1. Government, policy and budgeting; 2. Regulatory bodies and associations; 3. Local area government, company management, planning and budgeting; 4. Technical and operational management; 5. Physical processes and actor activities; 6. Equipment and surroundings.]

Figure 35. Principal illustration of an ActorMap. [Actors arranged by system level: 1. Government; 2. Regulatory bodies; 3. Regional and local government, company management; 4. Technical and operational management, associations; 5. Operators.]
5 Discussion and conclusion

5.1 Discussion

Within the field of accident investigation, there is no common agreement on definitions of concepts, and there tends to be some confusion of ideas. The notion of cause in particular has been discussed. While some investigators focus on causal factors (e.g. DOE, 1997), others focus on determining factors (e.g. Hopkins, 2000), active failures and latent conditions (e.g. Reason, 1997) or safety problems (Hendrick & Benner, 1987).

BRF) ("event trios").

The third column covers the level of scope of the different analysis methods. The levels correspond to the different levels of the sociotechnical system involved in risk management illustrated in Figure 4. The different levels are:

1. The work and technological system
2. The staff level
3. The management level
4. The company level
5. The regulators and associations level
6. The Government level

As shown in Table 6, the scope of most of the methods is limited to level 1 – 4. Although STEP was originally developed to cover level 1 – 4, experience from SINTEF's accident investigations shows that the method also may be used to analyse events influenced by the regulators and the Government. In addition to STEP, only Acci-Map puts focus on level 5 and 6. This means that investigators focusing on the Government and the regulators in their accident investigation to a great extent need to base their analysis on experience and practical judgement more than on results from formal analysis methods.

The fourth column states whether the methods are a primary method or a secondary method. Primary methods are stand-alone techniques while secondary methods provide special input as supplement to other methods. Events and causal factors charting, STEP, MTO-analysis, TRIPOD and Acci-map are all primary methods. The fault tree analysis and event tree analysis might be both primary and secondary methods. The other methods are secondary methods.

In the fifth column the different methods are categorized as deductive, inductive, morphological or non-system oriented. Fault tree analysis and MORT are deductive methods while event tree analysis is an inductive method. Acci-map might be both inductive and deductive. The AEB-method is characterized as morphological, while the other methods are non-system oriented.

In the sixth column the methods are linked to the different types of accident models which have influenced the methods. The following accident models are used:

A Causal-sequence model
B Process model
C Energy model
D Logical tree model
E SHE-management models

Root cause analysis, SCAT and TRIPOD are based on causal-sequence models. Events and causal charting, change analysis, events and causal factors analysis, STEP, MTO-analysis and AEB-method are based on process models. The barrier analysis is based on the energy model. Fault tree analysis, event tree analysis and MORT are based on logical tree models. MORT and SCAT are also based on SHE-management models. The Acci-map is based on a combination of a causal-sequence model, a process model and a logical tree model.

In the last column, an assessment is made of the need for education and training in order to use the methods. The terms "Expert", "Specialist" and "Novice" are used in the table. Expert indicates that there is need of formal education and training before people are able to use the methods in a proper way. Some experience is also beneficial. Fault tree analysis, MORT and Acci-map enter into this category.
Novice indicates that people are able to use the methods after an orientation of the methods without hands-on training or experience. Events and causal factors charting, barrier analysis, change analysis and STEP enter into this category. Specialist is somewhere between expert and novice, and events and causal factors analysis, root cause analysis, event tree analysis, SCAT, MTO-analysis, AEB-method and TRIPOD enter into this category.

Table 6. Characteristics of different accident investigation methods.

Method | Accident sequence | Levels of analysis | Primary / secondary | Analytical approach | Accident model | Training need
Events and causal factors charting | Yes | 1-4 | Primary | Non-system oriented | B | Novice
Barrier analysis | No | 1-2 | Secondary | Non-system oriented | C | Novice
Change analysis | No | 1-4 | Secondary | Non-system oriented | B | Novice
Events and causal factors analysis | | 1-4 | Secondary | Non-system oriented | B | Specialist
Root cause analysis | No | 1-4 | Secondary | Non-system oriented | A | Specialist
Fault tree analysis | No | 1-2 | Primary / Secondary | Deductive | D | Expert
Event Tree analysis | No | 1-3 | Primary / Secondary | Inductive | D | Specialist
MORT | No | 2-4 | Secondary | Deductive | D / E | Expert
SCAT | No | 1-4 | Secondary | Non-system oriented | A / E | Specialist
STEP | Yes | 1-6 | Primary | Non-system oriented | B | Novice
MTO-analysis | Yes | 1-4 | Primary | Non-system oriented | B | Specialist / expert
AEB-method | No | 1-3 | Secondary | Morphological | B | Specialist
TRIPOD | Yes | 1-4 | Primary | Non-system oriented | A | Specialist
Acci-Map | No | 1-6 | Primary | Deductive & inductive | A / B / D | Expert

5.2 Conclusion

Major accidents almost never result from one single cause; most accidents involve multiple, interrelated causal factors. All actors or decision-makers influencing the normal work process might also influence accident scenarios, either directly or indirectly. This complexity should also be reflected in the accident investigation process. The aim of accident investigations should be to identify the event sequences and all (causal) factors influencing the accident scenario in order to be able to suggest risk reducing measures which may prevent future accidents. This means that all kinds of actors, from technical systems and front-line operators to regulators and the Government, need to be analysed.

Often, accident investigations involve the use of a set of accident investigation methods. Each method might have different purposes and may be a small part of the total investigation process. Remember, every piece of a puzzle is as important as the others.

Graphical illustrations of the event sequence are useful during the investigation process because they provide an effective visual aid that summarises key information and provide a structured method for collecting, organising and integrating collected evidence to facilitate communication among the investigators. Graphical illustrations also help in identifying information gaps.

During the investigation process different methods should be used in order to analyse arising problem areas. Among the multi-disciplinary investigation team, there should be at least one member having good knowledge about the different accident investigation methods, being able to choose the proper methods for analysing the different problems. Just as mechanics have to choose the right tool in order to repair a technical system, an accident investigator has to choose proper methods for analysing different problem areas.

6 References

Andersson R. & Menckel E., 1995. On the prevention of accidents and injuries. A comparative analysis of conceptual frameworks. Accident Analysis and Prevention, Vol. 27, No. 6, 757 – 768.

Arbeidsmiljøsenteret, 2001. Veiledning i ulykkesgransking, Arbeidsmiljøforlaget, 2001.

Bento, J-P., 1999. MTO-analys av händelsesrapporter, OD-00-2.

Bird, F.E. Jr & Germain, G.L., 1985. Practical Loss Control Leadership. ISBN 0-88061-054-9, International Loss Control Institute, Georgia, USA.

CCPS, 1992. Guidelines for Investigating Chemical Process Incidents. ISBN 0-8169-0555-X, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1992.

DOE, 1997. Implementation Guide For Use With DOE Order 225.1A, Accident Investigations, DOE G 225.1A-1, November 26, 1997/Rev. 1, U.S. Department of Energy, Washington D.C, USA.

DOE, 1999. Conducting Accident Investigations, DOE Workbook, Revision 2, May 1, 1999, U.S. Department of Energy, Washington D.C, USA.

Ferry T.S., 1988. Modern accident investigation and analysis (2nd ed.). ISBN 0.471-62481-0, Wiley Interscience publication, United States.

Gilje, N. and Grimen, H., 1993. Samfunnsvitenskapenes forutsetninger: Innføring i samfunnsvitenskapenes vitenskapsfilosofi, Universitetsforlaget, Oslo.

Groeneweg, J., 1998. Controlling the controllable: The management of safety. Fourth edition. DSWO Press, Leiden University, The Netherlands, 1998.

Hale A, Wilpert B, Freitag M, 1997. After the event - from accident to organisational learning. ISBN 0 08 0430740, Pergamon, 1997.

Hendrick