All posts by ThinkReliability Staff

ThinkReliability are specialists in applying root cause analysis to solve all types of problems. We investigate errors, defects, failures, losses, outages and incidents in a wide variety of industries. Our Cause Mapping analysis method of root causes, captures the complete investigation with the best solutions all in an easy to understand format. ThinkReliability provides investigation services and root cause analysis training to clients around the world and is considered the trusted authority on the subject

Plane Dive Caused by Personal Camera Results in Court-Martial

By ThinkReliability Staff

On February 9, 2014, a Royal Air Force Voyager was transporting 189 passengers and a crew of 9 towards Afghanistan when the plane suddenly entered a steep dive. Many passengers were unrestrained and were injured by striking the ceiling or other objects. Other passengers were injured by flying objects or spills of hot liquid. More than 30 passengers and crew members reported injuries, all considered minor. The Military Aviation Authority’s final report contains details of the impacts from the dive, the causes of the dive, and recommendations that would reduce the possibility of a similar issue in the future.

These impacts, the cause-and-effect relationships that led to them, and the recommended solutions can be captured within a Cause Map. The Cause Map process begins with filling in a Problem Outline, which captures the what, when and where of an incident, followed by the impacts to the goals. The problem covered by the report is the aircraft dive and resulting injuries which occurred on February 9, 2014 at about 1549 (3:49 PM) on an Airbus A330-243 Voyager tanker air transport flight. Things that were different, unusual or unique at the time of the incident are also captured. In this case, the plane had experienced prior turbulence, and the co-pilot was not in his seat at the time of the dive.

The next step is to capture the impacts to the goals on the Outline. In this case, the safety goal is impacted because of a significant potential for fatalities, as well as the more than 30 actual injuries. Customer service is impacted due to the steep dive of the plane, and the regulatory goal is impacted due to the court-martial of the pilot, as well as 10 lawsuits against the Ministry of Defense. Production was impacted because the plane was grounded for 12 days, the property goal is impacted because of the potential for the loss of the whole plane, and the labor goal is impacted by the investigation.

Beginning with an impact to the goal, all the cause-and-effect relationships that led to that goal are captured on the Cause Map. In this case, the potential for fatalities resulted from the potential loss of the plane. According to Air Marshal Richard Garwood, previous director general of the UK’s Military Aviation Authority (MAA), “On this occasion, the A330 automatic self-protection systems likely prevented a disaster of significant scale. The loss of the aircraft was not an unrealistic possibility.” The potential for the loss of the plane resulted from the steep dive. The reason the plane was NOT lost (and this becomes a significant near miss) is the plane was recovered to level flight by the flight envelop protection system, which functioned as designed. (Although this is a positive, not a negative, it’s a cause all the same and should be included in the Cause Map.)

The steep dive resulted from the controller being forced forward without being counteracted. These are two separate causes that resulted in the effect, and are listed vertically and joined with an “AND” on the Cause Map. More detail should be provided about both causes. The command could not be counteracted because the co-pilot was not on the flight deck. He had been taking a break for several minutes before the incident. The investigation found that the controller was forced forward by a camera that was pushed against the controller. The camera had been placed between the seat and the controller, and then the seat was pushed towards (as is normal to occur during flight).

The investigation found that, despite concerns for about a year prior to this incident, loose personal articles were not prohibited on the flight deck. While there was a requirement to stow loose articles, it was not referenced in the operational manual and instead became one of thousands of paragraphs provided as background, resulting in a lack of awareness of controller interference from loose articles. The pilot was found to be using the camera while on the flight deck, likely due to boredom on the highly automated plane. (Analysis of the camera and flight recordings provided evidence.) The pilot was court-martialed for “negligently performing a duty, perjury and making a false record”, presumably at least partially due to the use of a personal camera while solo on the flight deck.

The report provided many recommendations as a result of the investigation, including increasing seat belt use by passengers and crew during rest periods, which would have reduced some of the injuries caused by unrestrained personnel striking the ceiling of the aircraft. Recommendations also included ensuring manufacturer’s safety advice is included in operational documents, promoting awareness of the danger of loose articles, and maximizing use of storage for loose articles, all of which aim to reduce the risk of loose articles contacting control equipment. An additional recommendation is to manage low in-flight pilot workload in an attempt to combat the boredom that can be experienced on long flights.

To view the Problem Outline, Cause Map, and recommendations, please click “Download PDF” above. Or click here to read the Military Aviation Authority’s report.

The Solution to America’s Most Unexpectedly Dangerous Mammal

By ThinkReliability Staff

It’s hard to imagine that the mammal responsible for over 200 human deaths in America each year is the cute, cuddly…. deer.  These beautiful and seemingly harmless animals are hardly malicious.  Instead, they are in the wrong place at the wrong time, resulting in more than one million deer / vehicle collisions each year.  While the drivers have partial responsibility in these collisions, it seems that changes in the food chain have also contributed to this situation.   

In the 1800s, cougars (also called pumas or mountain lions) could be found roaming across the United States and Canada.  However, beginning in the early 1900s, states began implementing bounty programs enticing hunters to kill cougars.  The goal was to protect livestock and humans from these seemingly dangerous animals.  By the 1950s, the cougar population was primarily limited to areas west of the Rocky Mountains.  As the food chain predicts, the absence of a predator resulted in the overpopulation of its prey.  As the deer population increased, the probability for deer / vehicle collisions also increased.  

Expensive solutions have been considered to help decrease the collision rate, including deer culling, contraception and highway crossings.  However, it seems that nature may now be working towards its own natural solution.  As the bounty programs were removed in the 1960s and 1970s, the cougars have slowly begun migrating back towards the east.  A recent study published in Conservation Letters suggests that repopulation of cougars in the Eastern portion of the US could prevent 708,600 deer / vehicle collisions and 155 deaths over the next 30 years.   (The original fear of cougars attacking humans seems unfounded.  According to The Cougar Network, “Cougars are a retreating animal and very wary of people. Within the United States and Canada since 1890, there have been less than 100 attacks on humans, with about 20 fatalities. Encountering a cougar, let alone being attacked, is incredibly rare.”) 

A Cause Map is a helpful tool to dissect the cause-and-effect relationships contributing to a problem or situation.   Starting with the goals that were impacted, the causes and effects can be linked to create a chain.   For this situation, we begin with the safety goal that is impacted by the many fatalities each year.  Asking ‘Why’ questions, we can dig deeper to understand what causes are behind the impacted goal.   

In this case, the fatalities are a result of car collisions with deer.  The collisions are due to two factors: the deer unexpectedly crossing the road and the fact that the driver didn’t see the deer in time to stop.  We can trace each of these causes one at a time, revealing more causes.  The deer unexpectedly crosses the road because deer are moving to new areas.  This is because deer are overcrowded and need to expand their habitat.  The overcrowding is due to the growing deer population, which is due to the decrease in natural deer predators.  This decrease is caused by the decline in the cougar population, which is a result of the bounty programs that were implemented in the early 1900s.  These bounty programs were motivated by fear that the cougars would endanger humans or livestock.   

Going back to the driver’s role in the situation, we see that the driver may not have seen the deer in time due to poor lighting because deer often travel at dawn or dusk, and the driver may not have been paying close enough attention perhaps because they were distracted.   A second goal, property, was also impacted in this situation because the vehicles are damaged or destroyed as a result of the collisions.   

The Cause Map is also helpful in that it allows us to document the evidence and potential solutions directly on the causes that they can impact.   For example, the statistics about the number of collisions each year, fatalities each year, and cougar population changes are included right below the causes that they support.   Similarly, possible solutions are added right above the causes that they can impact.  In this case, deer culling and contraception could help control the deer overcrowding, and special deer highway crossings could help mitigate the deer crossing the road unexpectedly.  However, nature’s solution seems to fit further back in the chain by impacting the cause that is the decrease in the cougar population.   Time will tell if this solution will, in fact, reduce the number of collisions and injuries as predicted. 

To view the initial Cause Map of this issue, click on “Download PDF” above.

Train Derails on Track Just Inspected

By ThinkReliability Staff

A train derailment in the Columbia River Gorge near Mosier, Oregon resulted in a fire that burned for 14 hours. The Federal Railroad Administration (FRA) preliminary investigation says the June 3rd derailment was caused by a broken lag bolt which allowed the track to spread, resulting in the 16-car derailment. Although there is only one other known instance of a broken lag bolt causing a train derailment, the FRA determined that the bolt had been damaged for some time, and had been inspected within days of the incident, raising questions about the effectiveness of these inspections.

Determining all the causes of a complex issue such as a train derailment can be difficult, but doing so will provide the widest selection of possible solutions. A Cause Map, or visual root cause analysis, addresses all aspects of the issue by developing cause-and-effect relationships for all the causes based on the impacts to an organization’s goals. We can create a Cause Map based on the preliminary investigation. Additional causes and evidence can be added to the map as more detail is known.

The first step in the Cause Mapping process is to determine the impacts to the organization’s goals. While there were no injuries in this case, the massive fire resulting from the derailment posed a significant risk to responders and nearby citizens, an impact to the safety goal. The release of 42,000 gallons of oil (although much of it was burned off in the fire) is an impact to the environmental goal. The customer service goal is impacted by the evacuation of at least 50 homes and the regulatory goal is impacted by the potential for penalties, although the National Transportation Safety Board (NTSB) has said it will not investigate the incident. The state of Oregon has requested a halt on oil traffic, which would be an impact to the schedule goal. The property goal is impacted by the damage to the train cars, and the labor/ time goal is impacted by the response and investigation.

The analysis, which is the second step in the Cause Mapping process, begins with one of the impacted goals and develops cause-and-effect relationships by asking ‘Why’ questions. In this case, the safety goal is impacted by the high potential for injuries. This is caused by the massive fire, which burned for 14 hours. There may be more than one cause resulting in an effect, such as a fire, which is caused by heat, fuel, and oxygen. The oxygen in this case is from the atmosphere. The heat source is unknown but could have been a spark caused by the train derailment. The fire was fueled by the 42,000 gallons of crude released due to damage to train cars, which were transporting crude from the Bakken oil fields, caused by the derailment.

The derailment of 16 cars of the train was caused by the broken lag bolt. Any mechanical failure, such as a break, results from the stress on that object exceeding the strength of the object. In this case, the stress was caused by the weight of the 94-car train. The length of a train carrying crude oil is not limited by federal regulations. The strength of the bolts was reduced due to previous damage, which was not identified prior to the failure. While the track strength is evaluated every 18 months by the Gauge Restraint Measurement System (GRMS), it did not identify the damage. It’s unclear the last time it was performed.

Additionally, although the track is visually inspected twice a week by the railroad, it is done by vehicle, which would have made the damage harder to spot. The FRA does not require walking inspections. Nor does the FRA inspect or review the railroad’s inspections very often – there are less than 100 inspectors for the 140,000 miles of track across the country. There are only 3 in Oregon.

As a result of the derailment, the railroad has committed to replacing the existing bolts with heavy-duty ones, performing GRMS four times a year, enhanced hyrail inspections and visual track inspections three times a week, and performing walking inspections on lag curves monthly.

The FRA is still evaluating actions against the railroad and is again calling for the installation of advanced electronic brakes, or positive train control (PTC). It has also recommended PTC after other incidents, such as the deaths of two railroad workers on April 3 (see our previous blog) and the derailment in Philadelphia last year that killed 8 (see our previous blog).

To view a one-page PDF of the Cause Mapping investigation, click on “Download PDF” above. Or, click here to read the FRA’s preliminary investigation.

Plant Pathogen Threatens California Oak Trees

By ThinkReliability Staff

We are often overwhelmed by headlines addressing the latest disease outbreak facing the human population. In recent years, we have read with great concern about Ebola, measles, Avian flu, etc. Unfortunately, there is a similar outbreak facing oak trees in California. Sudden Oak Death is responsible for the death of over one million California oak and tanoak trees. And as it turns out, a microscopic pathogen called Phytophthora ramorum (P. ramorum) is behind the disease.

Matteo Garbelotto was one of the first two scientists to discover P. ramorum in 1995. Over 20 years later, scientists understand much more about how this tree killer operates and how it came in contact with the oaks.   P. ramorum thrive in humid environments, and can spread from plant to plant via wind, rain or with help from humans. Some plants are susceptible to the pathogen (like the California oak and the tanoak), and others are merely host carriers (California bay laurel, rhododendron and camellia). When a susceptible plant is infected, the pathogen attacks the tree’s bark, finding pathways into the tree. From there, it blocks the plants ability to circulate water and nutrients. This results in a fast demise for the tree, with symptoms of brown leaves and sap leaking from the bark.   If the pathogen finds a ‘host ‘plant, the plant is not harmed, but the pathogen can easily be transmitted to a nearby susceptible plant.   This is an issue both in nurseries and in the forest.   A simple Process Map can be created to depict how the pathogen wreaks its havoc on the trees.

As with most situations, understanding the problem is an important step to identifying solutions. Prior to discovering the pathogen P. ramorum, scientists were baffled by the bleeding trees. They initially suspected insects, but could find no visible wounds or damage typical of insects. Creating a Cause Map can help analysis the cause-and-effect relationships that are responsible for an impact to the goals. Asking ‘why’ questions beginning with the affected goal helps us to learn about the causes of an event. In this case, the environmental goal was impacted by the death of millions of trees. The hard work of Garbelotto and his fellow scientists showed that the trees were dying because they were exposed to the pathogen P. ramorum AND the fact that the trees were susceptible to its affects. The plants were exposed to the pathogen because the pathogen was carried from nearby plants. This was due to the fact that there were infected plants were located close by AND the presence of a mode of transportation. This mode of transportation could have been wind, rain and / or human transport. The human transport could be a result of people accidentally moving infected plants or soil.   There are infected plants close by because certain plants act as a ‘breeding ground’ for the pathogen AND because the pathogen was accidentally imported to the United States via host plants via the ornamental plant trade in the 1980’s. (Click on “Download PDF” above to see a Process Map and Cause Map of this issue.)

Fortunately, there are several identified solutions that can help minimize the impact of this pathogen. Using the Cause Mapping process, these solutions can be tagged to the specific causes that they impact. Then, a table of solutions can be created so that the owners (and due dates if applicable) can be tracked.   Five solutions are shown on Cause Map to help save the oak trees including: federally regulating the movement of host plants, using caution when moving plants and soil in infected areas, removing some host plants in infected areas, a phosphite spray which can be applied to infected trees and a smartphone application that can help educate and expand the current understanding of infected areas.

Marauding Monkeys Lead to Electrical Outage in Kenya

By ThinkReliability Staff

One monkey managed to cause an electrical outage for all of Kenya – 4.7 million households and businesses – for 15 minutes to more than 3 hours. In order to determine solutions to prevent this from happening again, a thorough analysis of the problem is necessary. We will look at this issue within a Cause Map, a visual form of root cause analysis.

The first step of any problem-solving method is to define the problem. In the Cause Mapping method, the problem is defined with respect to the organization’s goals. In this case, there were several goals that were impacted. If the organization has a goal of ensuring safety of animals, that goal is impacted due to the risk of a fatality or severe injury to the monkey. (In this case, the monkey was unharmed and was turned over to the wildlife service.) The loss of power to 4.7 million businesses and households is an impact to the customer service goal. The nationwide power outage, which lasted from 15 minutes to over 3 hours, is an impact to the production/ schedule goal. Damage to the transformer is an impact to the property goal, and the time required for response and repair is an impact to the labor/ time goal.

The second step of problem-solving is the analysis. Using the Cause Mapping method, cause-and-effect relationships are developed. One of the impacted goals is used as the first effect. Asking “Why” questions is one way to determine cause-and-effect relationships. However, there may be more than one cause required to produce an effect. In this example, the power outage resulted from a cascading effect on the country’s generators. This cascading effect was caused by the loss of a hydroelectric facility, which provides 20% of the country’s electricity, and the unreliability of the power grid, due to aging infrastructure. All of these causes were required for this scenario: had the country had a more reliable power grid or more facilities so that the country was not so dependent on one, the loss of the hydroelectric site would not have resulted in nationwide outage.

Continuing the analysis, the loss of the hydroelectric facility was caused by an overload when a key transformer at the site was tripped. According to the power company, the trip was caused by a monkey falling onto the transformer. (There is also photographic evidence showing a monkey in the area of the transformer.) In order for the monkey to fall onto the transformer, it had to be able to access the transformer. The monkey in this case is believed to have fallen off the roof. How this occurred is still unclear, because the facility is secured by an electric fence designed specifically for protection against “marauding wild animals”.

The last step of problem-solving is to determine solutions, based on the analysis of this problem. The utility says it is “looking at ways of further enhancing security” at all their power plants. Unfortunately, total protection against outages caused by animals is impossible. In the United States, animal-caused outages are believed to cause at least $18 billion in lost economy every year. Just this May, raccoons caused outages to 40,000 in Seattle and 5,600 in Colorado Springs. This year also saw outages caused by squirrels, snakes, starlings and geese. Other unusual outages include work on a transformer causing an outage with economic loss of $118 million in Arizona (see our blog on this subject) and a woman with a shovel who cut internet service to nearly all of Armenia (see our blog on this subject).

Because power outages due to animals and other issues can’t be completely eliminated, ensuring a robust power grid is important to minimize the impact from and duration of outages. Calls for improvements to the aging infrastructure in Kenya have resulted from this incident, but these kinds of solutions require not only the cooperation of the utilities, but the country as a whole.

To view the problem outline and Cause Map for this incident, please click on “Download PDF” above

How Did a Cold War Nuclear Bomb Go Missing?

By ThinkReliability Staff

Is there a nuclear bomb lost just a few miles off the coast of Savannah, Georgia? It seems that we will never know, but theories abound. While it is easy to get caught up in the narrative of these theories, it is interesting to look at the facts of what actually happened to piece together the causes leading up to the event. This analysis may not tell us if the bomb is still under the murky Wassaw Sound waters, but it can tell us something about how the event happened.

Around 2 am on February 5, 1958, a training exercise was conducted off the coast of Georgia. This was during the most frigid period of the Cold war, and training was underway to practice attacking specific targets in Russia. During this particular training mission, Major Howard Richardson was flying a B-47 bomber carrying a Mark 15, Mod 0 Hydrogen bomb containing 400 pounds of conventional explosives and some quantity of uranium.

The realistic training mission also included F-86 ‘enemy’ fighter jets. Unfortunately, one of those jets, piloted by Lt. Clarence Stewart, did not see the bomber on his radar and accidentally maneuvered directly into the B-47. The damage to both planes was extensive. The collision destroyed the fighter jet, and severely damaged the fuel tanks, engine, and control mechanisms of the bomber.   Fortunately, Stewart was able to safely eject from the fighter jet. Richardson had a very difficult quest ahead of him: to get himself and his co-pilot safely on the ground without detonating his payload in a heavily damaged aircraft. He flew to the closest airfield; however, the runway was under construction, making the landing even more precarious for the two crew members and for the local community that would have been affected had the bomb exploded upon landing. Faced with an impossible situation, Richardson returned to sea, dropped the bomb over the water, observed that no detonation took place, and returned to carefully land the damaged bomber.

The Navy searched for the bomb for over two months, but bad weather and poor visibility did not make the search easy. On April 16, 1958, the search was ended without finding the bomb. The hypothesis was that the bomb was buried beneath 10 – 15 feet of silt and mud. Since then, other searches by interested locals and the government have still not identified the location of the bomb.   In 2001, the Air Force released an assessment which suggests two interesting points. First, the bomb was never loaded with a ‘detonation capsule’, making the bomb incapable of a nuclear explosion. (Until this time, conventional wisdom suggested that the detonation capsule was included with the bomb.) Second, the report concluded that it would be more dangerous to try to move the bomb than to leave the bomb in its resting place.

While we may never learn the location of the bomb, we can learn from the incident itself. Using a Cause Map, we can document the causes and effects resulting in this incident, providing a visual root cause analysis. Beginning with several ‘why’ questions, we can create a cause-effect chain. In the simplest Cause Map, the safety goal was impacted as a result of the danger to the pilots and to the nearby communities as the result of a potential nuclear bomb explosion. This risk was caused by the bomb being jettisoned from the plane, which was a result of the collision between the fighter jet and the bomber. The planes collided due to the fact that they were performing a training mission to simulate a combat scenario.

More details are uncovered as this event is further broken down to include more information and to document the impact to other goals. The property goal is impacted through the loss of aircraft and the bomb. The bomb is missing because it was jettisoned from the bomber AND because it was never found during the search. The bomb was jettisoned because the pilot was worried that the bomb might break loose during landing. This was due to the fact that the planes collided. The planes collided due to the fact that the F-86 descended onto the top of the B-47 AND because they were in the midst of a training exercise. The fighter jet crashed into the bomber because the bomber was not on radar. The planes were performing an exercise because they were simulating bombing a Russian target, because it was the middle of the Cold War. The search was unsuccessful because the bomb is probably buried deep in the mud AND because the weather and visibility were bad during the search.

Finally, the ‘customer service’ goal is impacted by the fact that the residents in nearby communities are nervous about the potential danger of explosion/radiation exposure. This nervousness is caused by the fact that the bomb is still missing AND the fact that the bomb contained radioactive material, which was due to routine protocol at the time.

Evidence boxes are a helpful way to add information to the Cause Map that was discovered during the investigation. For example, an evidence box stating the evidence from the 2001 Air Force report that the bomb had no detonation capsule has been added to the Cause Map. A Cause Map is a useful tool to help separate the facts from the theories. Click on “Download PDF” above to see the full, detailed Cause Map.

Kansas City Interstate Overpass Closed Due to 20′ Crack

By ThinkReliability Staff

A bridge engineer watching a crack (previously described as “tight”) under the Grand Boulevard bridge noticed it had extended to 20′ on May 6, 2016. He immediately ordered the bridge closed, requiring the rerouting of the more than 9,000 vehicles that use the bridge every day. Replacing the bridge is estimated to cost $5 million.

Luckily, due to the quick action of the engineer, there were no injuries or fatalities as could have occurred due to either the bridge catastrophically collapsing while in use, or for motorists on the Interstate below being struck by large chunks of concrete falling from the overpass.

The overpass failure can be addressed in a Cause Map, or visual root cause analysis. The process begins by capturing the what, when and where of the incident (a bridge failure May 6 in Kansas City) and the impacts to the goals. Because there was the potential for injuries, the safety goal is impacted. The re-routing of over 9,000 vehicles a day is an impact to the customer service goal. The closing of the bridge’s overpass/ sidewalks is an impact to the production goal, and the cost of replacing the bridge is an impact to the property/ labor goal.

By beginning with an impacted goal and asking ‘Why’ questions, cause-and-effect relationships that lay out the causes of an incident can be developed. In this case, the impacted goals are caused by the significant damage to the bridge, due to a rapidly spreading crack.

The failure of any material or object, including all or part of a bridge, results from the stress on that object from all sources overcoming the strength of the object. In this case the stress on the bridge was greater than the strength of the bridge. Stress on the bridge results from each pass of a vehicle over the life of the bridge. In this case, 9,300 vehicles a day transit the bridge, which has been in service since 1963.

Stress also results from large trucks traveling over the bridge. The engineers suspect this is what happened, possibly due to an apartment construction project near the bridge. Says Brian Kidwell, an assistant engineer for the Missouri Department of Transportation, “My hunch is a very heavy load went over it. It could have been a totally legal load.” A “hunch” by an experienced professional is included in the Cause Map as a potential cause. This is indicated with a “?” and requires more evidence.

Legal loads on bridges are based on the allowable stress for a bridge’s strength. However, the strength of the bridge can change over the years. It is likely that happened in this case. Previous damage has been noted on the bridge, which also required bracing last month to fix a sagging section. However, the bridge was deemed “adequate” in an inspection eight months ago. Any needed repairs may not have occurred – there’s never enough money for needed infrastructure improvements. It’s also possible that water entered the empty cylinders that make up the part of the span of the bridge (this is called a “sonovoid” design) and they could have filled with water and later frozen, causing damage that can’t be easily seen externally.

For now, more information will be required to determine what led to the bridge failure. At that point, bridges of similar design may face additional inspections, or be replaced on the long waiting list for repairs. For Kansas City, some are taking a broader – and bolder – view and are recommending the older section of the Interstate “loop” be removed altogether.

To view the Cause Map of the bridge failure, click on “Download PDF” above. Or, click here to learn.

Airplane Emergency Instructions: How do you make a work process clear?

By ThinkReliability Staff

What’s wrong with the process above?

This process provides instructions on how to remove the over-wing exit door on an airplane during an emergency.  However, imagine performing this process in an actual emergency.  During the time you spend opening the door, there will probably be people crowded behind you, frantic to get off the plane.  Step 4 indicates that after the door is detached from the plane wall, you should turn around and set the door (which is about 4’ by 2’ and can weigh more than 50 pounds) on the seats behind you.  In most cases, this will be impossible.  This is why emergency exit doors open towards the outside; in an emergency, a crush against the door will make opening the door IN impossible.

Even if it would be possible to place the door on the seat in the emergency exit row, it would likely reduce the safety of passengers attempting to exit.  As discussed, the exit door is fairly large and heavy.  It is likely to be displaced while passengers are exiting the airplane and may end up falling on a passenger, or blocking the exit path.

However, when this process was tested in training, it probably worked fine.  Why? Because it wasn’t an actual emergency, and there probably weren’t a plane full of passengers that really wanted to get out.  This is just another reason that procedures need to be tested in as close to actual situations as possible.  At the very least, any scenario under which the process is to be performed should be replicated as nearly as possible.

Now take a look at this procedure:

It’s slightly better, not telling us to put the removed door on the seat behind us, but instead it doesn’t tell us what to do with the door. Keep in mind that the person performing this procedure’s “training” likely consisted of a 30-second conversation with a flight attendant and that in all probability, the first time he or she will perform the task is during an emergency situation. When testing a procedure, it’s also helpful to have someone perform the procedure who is not familiar with it, with instructions to do only what the procedure says. In this case, that person would end up removing the door . . . and then potentially attempting to climb out of the exit with the door in their hands. This is also not a safe or efficient method of emergency escape.
This procedure provides a much better description of what should be done with the door. The picture clearly indicates that the door should be thrown out of the plane, where it is far less likely to block the exit or cause passenger injury.

The first two procedures were presumably clear to the person who created them.  But had they been tested by people with a variety of experience levels (particularly important in this case, because people of various experience levels may be required to open the doors in an emergency), the steps that really weren’t so clear may have been brought to light.

Reviewing procedures with a fresh eye (or asking someone to perform the procedure under safe conditions based only upon the written procedure) may help to identify steps that aren’t clear to everyone, even if they were to the writer.  This can improve both the safety, and the effectiveness, of any procedure used in your organization.

8 Injured by Arresting Cable Failure on Aircraft Carrier

By ThinkReliability Staff

An aircraft carrier is a pretty amazing thing. Essentially, it can launch planes from anywhere. But even though aircraft carriers are huge, they aren’t big enough for planes to take off or land in a normal method. The USS Dwight D. Eisenhower (CVN 69) has about 500′ for landing planes. In order for planes to be able to successfully land in that distance, it is equipped with an arresting wire system, which can stop a 54,000 lb. aircraft travelling 150 miles per hour in only two seconds and a 315′ landing area. This system consists of 4 arresting cables, which are made of wire rope coiled around hemp. These ropes are very thick and heavy and cause a significant risk to personnel safety if they are parted or detached.

This is what happened on March 18, 2016 while attempting to land an E-2C Hawkeye. An arresting cable came unhooked from the port side of the ship and struck a group of sailors on deck. At least 8 were injured, several of whom had to be airlifted off the ship for treatment. We will examine the details of this incident within a Cause Map, a visual form of root cause analysis.

The first step in any problem investigation is to define the problem. We capture the what, when, and where within a problem outline. Additionally, we capture the impacts to the goals. The injuries as well as the potential for death or even more serious injuries are impacts to the safety goal. Flight operations were shut down for two days, impacting both the mission and production/ schedule goal. The potential of the loss of or (serious damage to) the plane is an impact to the property goal. (In a testament to the skill of Navy pilots, the plane returned to Naval Station Norfolk without any crew injuries to the flight crew or significant damage to the plane.) The response and investigation are an impact to the labor goal. It’s also useful to capture the frequency of these types of incidents.   The Virginian-Pilot reports that there have been three arresting-gear related deaths and 12 major injuries since 1980.

The next step in the problem-solving process is to determine the cause-and-effect relationships that led to the impacted goals. Beginning with the safety goal, the injuries to the sailors resulted from being struck by an arresting cable. When a workplace injury results, it’s also important to capture the personal protective equipment (PPE) that may have impacted the magnitude of the injuries. In this case, all affected sailors were wearing appropriate PPE, including heavy-duty helmets, eye and ear protection. This is a cause of the injuries because had they NOT been wearing PPE, the injuries would have certainly been much more severe, or resulted in death.

The arresting cable struck the sailors because it came unhooked from the port side of the ship. The causes for the detachment of the cable have not been conclusively determined; however, a material failure results from a force on the material that is greater than the strength of the material. In this case the force on the arresting cable is from the landing plane. In this case, the pilot reported the plane “hit the cable all at once”, which could have provided more force than is typical. The strength of the cable and connection may have been impacted by age or use. However, arresting cables are designed to “catch” and slow planes at full power and are only used for a specific number of landings before being replaced.

Other impacted goals can be added to the Cause Map where appropriate (additional relationships may result). In this case, the potential damage to the plane resulted from the landing failure, which was caused by the detachment of the arresting cable AND because the arresting cable is needed to safely land a plane on an aircraft carrier.

The last step of the Cause Mapping process is to determine solutions to reduce the risk of the incident recurring. More investigation is needed to ensure that the cable and connection were correctly installed and maintained. If it is determined that there were issues with the connection and cable, the processes that lead to the errors will be improved. However, it is determined that the cable and connection met design criteria and the detachment resulted from the plane landing at an unusual angle, there may be no changes as a result of this investigation.

It seems unusual that an investigation that resulted in 8 injuries would result in no action items. However, solutions are based on achieving an appropriate level of risk. The acceptable level of risk in the military is necessarily higher than it is in most civilian workplaces in order to achieve desired missions. Returning to the frequency from the outline, these types of incidents are extremely rare. The US Navy currently has ten operational aircraft carrier (and an eleventh is on the way). These carriers launch thousands of planes each year yet over the last 36 years, there have been only 3 deaths and twelve major injuries associated with landing gear failures, performing a dangerous task in a dangerous environment. Additionally, in this case, PPE was successful in ensuring that all sailors survived and limiting injury to them.

To view the outline and Cause Map of this event, click on “Download PDF” above.

 

Track Workers Killed by Train

By ThinkReliability Staff

A derailment and the fatalities of two railroad workers on April 3, 2016 has led to an investigation by the National Transportation Safety Board (NTSB). In this investigation, the NTSB will address the impacts of the accident, determine what caused the accident and will provide recommendations to prevent similar accidents from recurring. While the investigation is still underway, a wealth of information related to the accident is already available to begin the analysis. We will look at what is currently known regarding the accident in a Cause Map, a visual form of root cause analysis.

The first step of the analysis is to define the problem. This includes the what, when, and where of the incident, as well as the impacts to the organizational goals. Capturing the impacts to the goals is particularly important because the recommendations that will result from the analysis aim to reduce these impacts. If we define the problem as simply a “derailment”, recommendations may be limited to those that prevent future derailments. Not only are we looking for recommendations to prevent future derailments, we are looking for recommendations to prevent all the impacted goals. In this case, that includes worker safety: 2 workers died, public safety: 37 passengers were injured, customer service: the train derailed, property: the train and some construction equipment was damaged, and labor: response and investigation are required.

The analysis is performed by beginning with the impacted goals and developing the cause-and-effect relationships that led to those impacts. Asking “why” questions can help to identify some of the cause-and-effect relationships, but there may be more than one cause that results in an effect. In this case, the worker fatalities occurred because the train struck heavy equipment and the workers were in/on/near the equipment. Both of these causes had to occur for the effect to result. The workers were on the equipment performing routine maintenance. In addition, their watch was ineffective. When capturing causes, it’s important to also include evidence, which validates the cause.

We know the watch was ineffective, because federal regulation requires a watch for incoming trains that gives at least a fifteen second warning. Fifteen seconds should have been sufficient time for the workers to exit the equipment. Because this did not happen, it follows that the watch was ineffective.

The train struck the heavy equipment because the equipment was on track 3, the train was on track 3, and the train was unable to brake in time. It’s unclear why the heavy equipment was on the track; rail safety experts say heavy equipment should never be directly on the track. The train was on track 3 because it was allowed on the track. Work crews are permitted to shut off the current to preclude passage of trains into the work zone, but they did not in this case, for reasons that are still being investigated. Additionally, the dispatcher allowed the train onto the track. Per federal regulations, when workers are on the track, train dispatchers may not allow trains on track until roadway worker gives permission. It appears that in this case the workers either failed to secure permission to work on the track (thus notifying the dispatcher of their presence) or the work notification was improperly cancelled, allowing trains to return to the track, possibly due to a miscommunication between the night and day crews. This is also still under investigation.

While inspection of the cars and maintenance records found no anomalies, the braking system is under investigation to determine whether or not it affected the train’s ability to brake. Also under investigation is the Positive Train Control (PTC), which should have emitted warnings and slowed the train automatically. However, the supplemental shunting device, which alerts the signaling system that the track is occupied, and is required by Amtrak rules, was not in place. Whether this was sufficient to prevent the PTC from stopping the train in time is also under investigation. The conductor placed the train in emergency mode 5 seconds before the collision. As the train was traveling at 106 mph (the speed limit was 110 mph in the area), this did not give adequate time to brake. There should have been a flagman to notify the train that a crew was on the track, but was not. The flagman also carries an air horn, which provides another notification to the track crew that a train is coming.

Says Ashley Halsey III, reporting in The Washington Post, “Basic rules of railroading and federal regulations should have prevented the Amtrak derailment near Philadelphia on Sunday that killed two maintenance workers.” It appears that multiple procedural requirements were not followed, but more thorough investigation is required to determine why and what can be done in the future to improve safety by preventing derailments and worker fatalities.

To view the available information in a Cause Map, please click “Download PDF” above.