The Force Was NOT With Them!

By Jon Bernardi

A long time ago, in a galaxy far, far away, the Empire tried to use their fancy Death Star to keep the member systems in line. This plan did not work out very well, as Death Star One (DS-1) was not able to fulfill its mission of empowering galactic domination! DS-1 had travelled across the galaxy to quell the rebellion at the rebel base on Yavin 4, but did not count on the über-Force of the Rebel Alliance. The Empire did not realize the power of the good side of the Force as the rebels overcame all odds and were able to destroy DS-1. We can do an analysis of the incident to determine the system of causes for the destruction and show those causes visually in a Cause Map.

As much as the Emperor and his minions would not like to see this published, we begin by looking at how the Empire’s goals were impacted. We start by developing an outline of the incident. You might suspect that different factions within the Empire see this problem differently! Some don’t believe there is such a thing as “The Force” and place their faith in the power of the machine. Others use the Dark Side to exploit the mortal weaknesses of the players. The goals of the Empire are impacted in a number of ways: DS-1 is ultimately destroyed, with loss of life, and loss of a dominant-style weapon. The Rebel Alliance has gained a toe-hold against the Empire! We use the impact to the goals as the first effects of our cause-and-effect relationships and will use the disparate view of “the problem” to help us with the branches of the Cause Map.

We already know that DS-1 had planet-busting capabilities, as demonstrated convincingly at Alderaan, Princess Leia’s adopted planet. This may have led the Empire’s power structure to doubt the “Power of the Force” and put their trust in a technological titan, “The ultimate power in the universe!” Even after the plans for the station had been obtained by the Rebellion, the commander of DS-1 still disregarded any concern of vulnerability in his unsinkable marvel. In a remarkable display of hubris, the Empire allows the small band of rebels aboard the Millennium Falcon to escape with the stolen plans for DS-1. The Empire intends to follow them, find the rebel base, and wipe out the rebellion once and for all!

Another branch of the Cause Map follows the path of the stolen plans and the re-awakening of the Force on the planet Tatooine. As we analyze this section of the map, we can see the convergence of causes that led to the technical experts of the Rebel Alliance finally obtaining the plans for DS-1, analyzing them and discovering the dreaded “thermal exhaust port” – (guess even a DS has to have a tailpipe!).

Even a long time ago, we see causes in multiple areas coming together to form the overall picture of the incident. The plucky Rebellion, had THE FORCE with them!

Oil Leaked from shipwreck near Newfoundland

By Kim Smiley

On March 31, 2013, oil was reported in Notre Dame Bay, Newfoundland.  Officials traced the source of the oil back to a ship, the Manolis L, that sank in 1985 after running aground.  The Manolis L is estimated to have contained up to 462 tons of fuel and 60 tons of diesel when it sank and much of that oil is believed to still be contained within the vessel.  Officials are working to ensure the oil remains contained, but residents of nearby communities who rely on tourism and fishing are concerned about the potential for more oil to be released into the environment.

A Cause Map, a visual format for performing root cause analysis, can be built to better understand this issue.  There are three steps in the Cause Mapping process. The first step is to fill out an Outline with the basic background information along with listing how the problem impacts the goals.  There is also space on the Outline to note the frequency of the issue.  For this example, 2013 was the first time oil was reported to be leaking from this particular sunken ship, but there have been 700 at-risk sunken vessels identified in Canadian waters alone.  It’s worth noting this fact because the amount of resources a group is willing to use to address a problem may well depend on how often it is expected to occur.  One leaking sunken ship is a different problem than potentially having hundreds that may require action.

The second step is to perform the analysis by building the Cause Map.  A Cause Map is built by asking “why” questions and laying out the answers to visually show the cause-and-effect relationships.  Once the causes have been identified, the final step is to develop and implement solutions to reduce the risk of similar problems occurring in the future.  Click on “Download PDF” to view an Outline and intermediate level Cause Map for this problem.

In this case, the environmental goal is clearly impacted because oil was released into the environment.  Why? Oil leaked out of a sunken ship because a ship had sunk that contained a large quantity of oil and there were cracks in the hull.  The hull of this particular ship is thin by modern standards (only a half-inch) and it has been sitting in sea water for the last 30 years.  A large storm hit the region right before oil was first reported and it is believed that the hull (already potentially weakened by corrosion) was damaged during the storm.  The Coast Guard identified two large cracks in the ship that were leaking oil during their investigation.

Once the causes of the issue have been identified, the final step is to implement solutions to reduce the risk of future problem.  This is where a lot of investigations get tricky.  It is often easier to identify the problem than to actually solve it. It can be difficult to determine what level of risk is acceptable and how many resources should be allotted to an issue.  The cracks in the hull of the Manolis L have been patched using weighted neoprene sealants and a cofferdam has been installed to catch any oil that leaks out.  The vessel is being monitored by the Canadian Coast Guard via regular site visits and aerial surveillance flights. But the oil remains in the vessel so there is the potential that it could be released into the environment.

Many local residents are fighting for the oil to be removed from the sunken ship, rather than just contained, to further reduce the risk of oil being released into the environment. But removing oil from a sunken ship is very expensive.  In 2013, it cost the Canadian Coast Guard about $50 million to remove oil from a sunken ship off the coast of British Columbia. So far, officials feel that the measures in place are adequate and that the risk doesn’t justify the cost of removing the oil from the vessel. If they are right, the oil will stay safely contained at a fraction of the cost of removing it, but if they are wrong there could be lasting damage to local communities and wildlife.

In situations like this, there are no easy answers.  Anybody who works to reduce risk faces similar tradeoffs and generally the best you can do is to understand a problem as thoroughly as possible to make an informed decision about the best use of resources.

Worker dies while manually measuring tank

By Kim Smiley

The potential danger of confined spaces is well documented, but nine fatalities have shown that people working near open hydrocarbon storage hatches can also be exposed to dangerous levels of hydrocarbon gases and oxygen-deficient atmospheres.  NPR recently highlighted this issue in an article entitled “Mysterious Death Reveals Risk In Federal Oil Field Rules” that discussed the death of Dustin Bergsing.  His job duties included opening the hatch on a crude oil storage tank to measure the level of the oil and was found dead next to an open hatch.  He was healthy and only 21 years old.

A Cause Map, a visual format for performing a root cause analysis, can be used to help explain what happened to cause his death.  A Cause Map intuitively lays out the cause-and-effect relationships that contributed to an issue and is built by asking “why” questions.  Click on “Download PDF” to view a high level Cause Map of this accident.

So why did his death occur?  An autopsy showed that his death occurred because he had hydrocarbons in his blood.  This occurred because he was exposed to hydrocarbon vapor and he remained in the dangerous environment. (When two causes both contribute to an effect, they are listed vertically on the Cause Map and separated by an “and”.)

When a person is exposed to hydrocarbon vapor, they get disoriented before passing out so it is very difficult for them to get to safety on their own.  Bergsing was working alone at the time of his death and no one was aware that he was in trouble before it was too late.

He was exposed to hydrocarbon gases because he opened a hatch on a crude oil storage tank and the gas had collected at the top of the tank.  He opened the hatch because he planned to manually measure the tank level by dropping a rope inside. Manual tank measurement is a common method to determine level in crude oil storage tanks. Crude oil contains volatile hydrocarbons that can bubble out of the crude oil and collect at the top; the gas will rush out of the tank if a hatch is opened.

Additionally, he wasn’t wearing adequate PPE equipment because it wasn’t required by any regulations and there was limited awareness of this danger.

After his and the other deaths, the industry is starting to become more aware of this issue.  The National Institute for Occupational Safety and Health (NIOSH) and the Occupational Safety and Health Administration (OSHA) issued a hazard alert bulletin that identified health and safety risks to workers who manually gauge or sample fluids on production and flowback tanks from exposure to hydrocarbon gases and vapors and exposure to oxygen-deficient atmospheres. In addition to working to raise awareness of the issue, OSHA and NIOSH made recommendations to improve working safety that include the following:

– Implementing alternate procedures that allow workers to monitor tank levels and sample without opening hatches

– Installing hatch pressure indicators

– Conducting worker exposure assessments

– Providing training on the hazard and posting hazard signage

– Not permitting employees to work alone

Please read the OSHA and NIOSH hazard alert bulletin for more information and a full list of the recommendations. Many of the recommendations would be expensive and time-consuming to implement, but some may be relatively simple ways to reduce risk. Continuing to provide information to workers about the potential hazards might be a good first step to improve their safety.

Track Workers Killed by Train

By ThinkReliability Staff

A derailment and the fatalities of two railroad workers on April 3, 2016 has led to an investigation by the National Transportation Safety Board (NTSB). In this investigation, the NTSB will address the impacts of the accident, determine what caused the accident and will provide recommendations to prevent similar accidents from recurring. While the investigation is still underway, a wealth of information related to the accident is already available to begin the analysis. We will look at what is currently known regarding the accident in a Cause Map, a visual form of root cause analysis.

The first step of the analysis is to define the problem. This includes the what, when, and where of the incident, as well as the impacts to the organizational goals. Capturing the impacts to the goals is particularly important because the recommendations that will result from the analysis aim to reduce these impacts. If we define the problem as simply a “derailment”, recommendations may be limited to those that prevent future derailments. Not only are we looking for recommendations to prevent future derailments, we are looking for recommendations to prevent all the impacted goals. In this case, that includes worker safety: 2 workers died, public safety: 37 passengers were injured, customer service: the train derailed, property: the train and some construction equipment was damaged, and labor: response and investigation are required.

The analysis is performed by beginning with the impacted goals and developing the cause-and-effect relationships that led to those impacts. Asking “why” questions can help to identify some of the cause-and-effect relationships, but there may be more than one cause that results in an effect. In this case, the worker fatalities occurred because the train struck heavy equipment and the workers were in/on/near the equipment. Both of these causes had to occur for the effect to result. The workers were on the equipment performing routine maintenance. In addition, their watch was ineffective. When capturing causes, it’s important to also include evidence, which validates the cause.

We know the watch was ineffective, because federal regulation requires a watch for incoming trains that gives at least a fifteen second warning. Fifteen seconds should have been sufficient time for the workers to exit the equipment. Because this did not happen, it follows that the watch was ineffective.

The train struck the heavy equipment because the equipment was on track 3, the train was on track 3, and the train was unable to brake in time. It’s unclear why the heavy equipment was on the track; rail safety experts say heavy equipment should never be directly on the track. The train was on track 3 because it was allowed on the track. Work crews are permitted to shut off the current to preclude passage of trains into the work zone, but they did not in this case, for reasons that are still being investigated. Additionally, the dispatcher allowed the train onto the track. Per federal regulations, when workers are on the track, train dispatchers may not allow trains on track until roadway worker gives permission. It appears that in this case the workers either failed to secure permission to work on the track (thus notifying the dispatcher of their presence) or the work notification was improperly cancelled, allowing trains to return to the track, possibly due to a miscommunication between the night and day crews. This is also still under investigation.

While inspection of the cars and maintenance records found no anomalies, the braking system is under investigation to determine whether or not it affected the train’s ability to brake. Also under investigation is the Positive Train Control (PTC), which should have emitted warnings and slowed the train automatically. However, the supplemental shunting device, which alerts the signaling system that the track is occupied, and is required by Amtrak rules, was not in place. Whether this was sufficient to prevent the PTC from stopping the train in time is also under investigation. The conductor placed the train in emergency mode 5 seconds before the collision. As the train was traveling at 106 mph (the speed limit was 110 mph in the area), this did not give adequate time to brake. There should have been a flagman to notify the train that a crew was on the track, but was not. The flagman also carries an air horn, which provides another notification to the track crew that a train is coming.

Says Ashley Halsey III, reporting in The Washington Post, “Basic rules of railroading and federal regulations should have prevented the Amtrak derailment near Philadelphia on Sunday that killed two maintenance workers.” It appears that multiple procedural requirements were not followed, but more thorough investigation is required to determine why and what can be done in the future to improve safety by preventing derailments and worker fatalities.

To view the available information in a Cause Map, please click “Download PDF” above.