4.1.1 A hierarchy of causes
Consider the difference between the relative safety of car and air travel in relation to the following points.

- A car travels on the ground and not at 10 000 m in the air. Compare the effects of power failure.
- A car travels at perhaps one-tenth of the speed of an aircraft, reducing the risk of injury.
- The external environment of a car can usually support life, while an aircraft is a pressure vessel designed to protect its occupants from the external environment. The integrity of this vessel may fail.
- A car carries a smaller number of passengers, and so the maximum consequences of an accident are lower compared with those of an accident to an aircraft which carries several hundred people.
- The inventory of fuel in an aircraft is far greater than in a car.

A car would appear to be inherently safer, yet statistics suggest otherwise. Rationalise this, drawing on any hard or system features to support your view.
Taking the first point in the list, the loss of power in a car will simply make it coast to a halt, whereas an aircraft will fall from the sky. So why is travel in an aircraft safer than driving a car? This is a paraphrase of the question. In practice there are several engineering and procedural features which allow the commercial aircraft system to overcome its inherent safety disadvantages. You may have identified the following examples to illustrate this.

- There is a high level of redundancy in the critical components of an aircraft – usually two or more engines, redundant control devices, pilot and co-pilot, and so on.
- Critical components are designed and maintained to a high level of integrity. Regulations and company procedures include a high level of preventive maintenance and of inspection and testing of key components. Extensive checking of system components is done before each flight. Compare a pilot’s pre-flight checklist with what most of us do when we get into a car and drive away.
- Facilities are designed to minimise the risk of collision. Compare the building restrictions around an airport with the obstacles regularly seen along roads.
- Sophisticated management systems maintain separation between aircraft both on the ground and in the air. There is no comparable traffic control on the roads.
- Like car drivers, pilots are licensed, but undergo a higher level of training, and have to undergo regular retraining. Other people involved in air transport also have to undergo extensive training.
- The extensive resources and expertise to implement the systems associated with aircraft are judged worthwhile in view of the advantages of speed that travel by air permits.

Therefore, despite the inherent disadvantages of air transport in terms of safety, it is in fact a safer means of travel.
In our response to SAQ 3 it should be clear that one major difference between the two modes of travel is management systems. When the system does break down, and there is an aircraft crash, the inherent disadvantages are revealed, but extensive investigations take place to determine the cause of the incident.
Examples such as the Concorde crash, the capsize of the Herald of Free Enterprise, the fire on the Piper Alpha oil installation, the fire at King's Cross underground station and various rail crashes demonstrate beyond doubt the costs of mismanaging environment, health and safety matters, as all had considerable costs both in lives and in monetary terms. All of these incidents were followed by major inquiries which revealed failures in management systems as their root cause. Table 4 gives some more simple examples.

| Immediate cause | Example | Possible root cause | Possible management failure |
| --- | --- | --- | --- |
| Poor housekeeping | Employee trips over article on floor/Material falls from shelf | Hazard not recognised | Training, planning, layout |
| Improper use of equipment | Using side of grinding wheel rather than face, and wheel breaks/Use of compressed air to remove dust from surface causes eye injury | Inadequate facilities/Lack of skill, knowledge, proper procedures | Training of operators and supervisors, operating procedures, enforcement of procedures |
| Defective equipment | Electric drill without earth wire/Hammer with loose head/Vehicle with defective brakes | Lack of recognition/Poor design or selection/Poor maintenance | Training of operators and supervisors, maintenance |
| Procedures absent | No check for flammable mixture – explosion/No instruction to lock out power before maintenance | Omission/Error by design and by supervision | Operating procedures, training, supervision |
| Lack of safety device | Machine has exposed gear – severe cut/No warning horn – person hit by vehicle/No guard rail on scaffold 3 m high | Need not recognised/Inadequate availability/Deliberate act | Planning, layout, design, safety rules, equipment, awareness, motivation, training |
| Lack of personal protective equipment | Dermatitis because gloves or protective lotion not used/Foot injury because materials handler not wearing safety shoes | Need not recognised/Inadequate availability | Planning, design, safety rules, awareness, training |
| Inattention, neglect of safe practice | Welder picks up hot metal with bare hands/Person walks under suspended load/Broken glass and spillages not cleaned up from floor | Lack of motivation/Poor appreciation of risks | Enforcement of rules, procedures/Training, awareness, motivation |

Often, preventive measures could be taken at the design and at the supervisory stage as shown in Table 5.

| Cause of primary error | Preventive measures by designer | Preventive measures by supervisor |
| --- | --- | --- |
| Improvisation | Provide adequate instruction | Ensure procedures supplied to person |
| Failure to follow correct procedure | Ensure procedure not too lengthy or cumbersome | Review procedures to ensure appropriate and not difficult |
| Procedures not understood | Ensure instructions easy to understand | Ensure person understands |
| Lack of awareness of hazards | Provide warnings, cautions and explanations in instructions | Point out precautions that must be observed |
| Errors of judgement, especially under stress | Minimise need for making hurried judgements, programme contingency measures | Provide instruction on action under abnormal conditions |
| Critical components installed incorrectly | Design components so that only correct installation possible, e.g. asymmetric configurations on mechanical and electrical connections, male and female threads on critical flow systems | Provide instruction on maintenance and repair. Ensure no change from design and do not modify a part to make it fit |
| Lack of suitable tools and equipment | Ensure need for special equipment minimised; provide those that are unavoidable and emphasise use in instructions | Ensure correct equipment is available and is used |
| Error or delay in use of controls | Avoid proximity, interference, difficult location or similarity of critical controls. Locate indicator above control so that hand making adjustment does not obscure view of indicator. Label prominently | Check equipment during selection and ensure critical controls are easily accessible, easy to select and easy to operate |
| Vibration and noise cause irritation and loss of effectiveness | Provide vibration isolation or eliminate noise | Where noise levels cannot be suppressed, provide ear defenders |
| Slipping and falling | Incorporate friction surfaces, guard rails or protective harnesses etc. | Determine where safeguards are needed to deal with hazardous locations and ensure their provision and application |

You can probably add to these lists to cover other scenarios, such as irritation and loss of effectiveness through excessive heat or humidity. No matter what the organisation, management failures can be linked to risks to the organisation or to individuals.
One analysis of over 6000 incidents from 95 countries, recorded in the MHIDAS (Major Hazard Incident Data Service), identified that a release to the environment occurred in more than 50% of cases, while fire occurred in 44% and explosion in 36%. (As more than one type of incident could occur in a single accident, the total is greater than 100%.) Using a different characteristic for analysis, flammability occurred in almost 70% of cases, toxic substances in about 30%, corrosive substances in 10% and explosive substances in nearly 7% (Vilchez et al., 1995). These proportions justify the emphasis we have given in this unit to the dispersion of releases and to fire. As a result, we shall return to the all too common problem of fires to illustrate the principles in developing a hierarchy of causes of incidents.
There will always be a great temptation to view many of the incidents presented in this unit with the haughty disdain of someone with the 20/20 vision of hindsight. In some cases, it is true, the inevitability of some form of incident or breakdown was clear – the Stalybridge incident, for example, seemed to be a disaster waiting to happen. However, in other cases, the outcome of the initiating act would be far from clear at the time, especially to the people most directly involved.
Many of the incidents are consequences of some quite complex chains of events – perhaps the multiple cause or domino effect introduced in Section 3. A different analogy is that of a Swiss cheese in which the holes may align allowing passage through a series of barriers. This approach is described in the File Paper ‘Human error: models and management’ by James Reason, which you should now study.
Notice that here Reason attributes active failures to the actions or inactions of operators, which are believed to cause the accident – as in the case of pilot error. Often these operators perform the last ‘unsafe acts’ that lead to unfortunate consequences. Examples include a pilot failing to lower the landing gear before touchdown, or a surgical procedure to remove a foreign body carried out on the wrong finger rather than the finger that had the problem. In contrast, latent failures are errors committed elsewhere in the management chain. For example, overwork or stress may lead to active errors, and the resulting unsafe acts of individuals are the end result of a long chain of causes with roots elsewhere in an organisation. The problem is that these latent failures may remain dormant or undetected for long periods.
Many investigations and reports concentrate on the technical aspects of the incidents or breakdown which led to the fire or explosion. This is probably because they serve as warnings to other practitioners involved with similar materials, processes or installations, a feeling that some good must come from the disaster. There is also an unwillingness to address the more contentious issues of blame or organisational weakness, especially if death has been a consequence of the incident.
However, it is clear that in many, if not all, of the cases discussed there are underlying causes which are related less to the physical properties of materials than to the organisation of the operation, be it material, process or plant. Put more directly, the underlying cause in all cases is the failure to manage the risk.
A hierarchy of causes is shown in Figure 7. At the top is the loss itself, that is life, property, business or the environment. The loss was caused by the incident, accident or breakdown, which in the context of this discussion is the fire or explosion. The cause of the fire is the ignition of some flammable material and the consequent development of a fire. These are the so-called immediate causes, in other words unsafe conditions and unsafe acts. Arson is, of course, an extreme example of an unsafe act.
Now we ask the question, ‘What in turn led to those unsafe conditions, or what promoted those unsafe acts?’ These are the so-called root or basic causes. The following is a fairly exhaustive list of these basic causes.

- Inadequate standard of equipment.
- Unsafe working practices – often called systems of work.
- Poor standards of maintenance – of either equipment or systems of work.
- Inappropriate or inadequate information.
- Inappropriate or inadequate training.
- Inappropriate or inadequate supervision.
- Inappropriate or inadequate personal action.

Most of these basic causes are self-explanatory; you can probably relate many of them to the comparison in SAQ 3. An example of inappropriate or inadequate personal action might be ignoring a smoking ban in a sensitive area. You might also say that smoking in a non-smoking area is an example of inadequate training or supervision, and you would probably be right. We would simply make the point that the basic causes listed above are not independent of each other – there are very strong interactions on that list.