Tag Archives: crash

Root Cause Analysis - Incident Investigation

For the first time, autonomous car is at fault for a crash

By Kim Smiley

On February 14, 2016, the self-driving Google car was involved in a fender bender with a bus in Mountain View, California.  Both vehicles were moving slowly at the time and the accident resulted in only minor damage and no injuries.  While this accident may not seem like a very big deal, the collision is making headlines because it is the first time one of Google’s self-driving cars has contributed to an accident.  Google’s self-driving cars have been involved in 17 other fender benders, but each of the previous accidents was attributed to the actions of a person, either the drivers of other vehicles or the Google test driver (while they were controlling the Google car).

The accident in question occurred after the Google car found itself in a tricky driving situation while attempting to merge.  The Google car had moved over to the right lane in anticipation of making a right turn.  Sandbags had been stacked around a storm drain, blocking part of the right lane.  The Google car stopped and waited for the lane next to it to clear so that it could drive around the obstacle.  As the Google car moved into the next lane it bumped a bus that was coming up from behind it.  Both the driver of the bus and the Google car assumed that the other vehicle would yield.  The test driver in the Google car did not take control of the vehicle and prevent the car from moving into the lane because he also assumed the bus would slow down and allow the car to merge into traffic. (Click on “Download PDF” to view a Cause Map that visually lays out the causes that contributed to this accident.)

Thankfully, this collision was a relatively minor accident. No one was hurt and there was only relatively minor damage to the vehicles involved. Lessons learned from this accident are already being incorporated to help prevent a similar incident in the future. Google has stated that the software that controls the self-driving cars has been tweaked so that the cars will recognize that buses and other large vehicles may be less likely to yield than other types of vehicles. (I wonder if there is a special taxi tweak in the code?)

It’s also worth noting that one of the driving factors behind the development of autonomous cars is the desire to improve traffic safety and reduce the 1.2 million traffic deaths that occur every year.  The Google car may have contributed to this accident, but Google cars have so far generally proved to be very safe.  Since 2009, Google cars have driven more than 2 million miles and have been involved in fewer than 20 accidents.

One of the more interesting facets of this accident is that it raises hard questions about liability.  Who is responsible when a self-driving car causes a crash? The National Highway Traffic Safety Administration (NHTSA) recently determined that for regulatory purposes, autonomous vehicle software is a “driver” which may mean that auto manufacturers will assume greater legal responsibility for crashes.  NHTSA is working to develop guidance for self-driving vehicles, which they plan to release by July, but nobody really knows yet the impact self-driving cars will have on liability laws and insurance policies.  In addition to the technology issues, there are many legal and policy questions that will need to be answered before self-driving cars can become mainstream technology.

Personally, I am just hoping this technology is commercially available before I reach the age where my kids take away my car keys.

Root Cause Analysis - Incident Investigation

The year Christmas almost wasn’t

By Kim Smiley

The movie Elf, starring Will Ferrell as Buddy the elf, tells the story of a Christmas that nearly disappointed children worldwide.  On Christmas Eve night, as Santa made his magical trip to deliver his bag of Christmas gifts, his sleigh crashed in Central Park in New York City.  Only quick thinking by Buddy and his friends got Santa airborne again and saved the holiday.

A Cause Map, a visual root cause analysis, can be built to analyze the crash of Santa’s sleigh.  A Cause Map is built by visually laying out all the cause-and-effect relationships that contributed to the issue.  The first step in the Cause Mapping process is to fill in an outline with the basic background information as well as impacts to the goal.  Nearly every problem impacts more than one goal and listing all the impacts helps fully understand the scope of the issue.

In this example, there is potential risk of damage to the sleigh and injury to the big guy himself which would be an impact to the equipment goal and safety goal respectively.  There was a delay in the present delivery schedule while Santa’s sleigh was on the ground, but the biggest concern was the impact to the customer service goal because millions of children had the potential to wake up to a Christmas morning without gifts, certainly something Santa and his elves desperately wanted to avoid.   Once the Outline is completed, the Cause Map itself is built by starting at one impacted goal and asking “why” questions.

So why did Santa’s sleigh crash into Central Park?  Santa’s sleigh crashed because it was high above the ground and it lost propulsion.  Flying is the sleigh’s typical mode of operation because Santa needs a speedy, magical mode of transportation to do his job.  The sleigh lost propulsion because both the primary and secondary propulsion systems failed.

Originally, Santa’s sleigh was powered purely by Christmas cheer, but levels of Christmas cheer have been steadily declining in modern times and a secondary system, a Kringle 3000, 500 Reindeer-Power jet engine, had to be added in the 1960s to keep the sleigh flying.  On the Christmas in question, the level of Christmas cheer hit an all-time low and the strain on the jet engine mount was too great and it broke off.  Without the jet engine, Santa’s sleigh crashed. Luckily, Buddy had told his friends that “the best way to spread Christmas cheer is singing loud for all to hear” and they were able to inspire enough folks to sing along with carols that Santa’s sleigh flew back into action and the children got their presents.

One would hope that the design of the jet engine was improved after this accident, but just to be safe and ensure that there are no sleigh crashes this year, make sure you sing plenty of Christmas carols loudly for all your friends and families to hear!  And if you are concerned about Santa’s progress and want assurances that all is well, you can monitor his progress around the world at the NORAD Santa tracker.

Root Cause Analysis - Incident Investigation

A single human error resulted in the deadly SpaceShipTwo crash

By Kim Smiley

The National Transportation and Safety Board (NTSB) has issued a report on their investigation into the deadly SpaceShipTwo crash on October 31, 2014 during a test flight.  Investigators confirmed early suspicions that the space plane tore apart after the tail boom braking system was released too early, as discussed in a previous blog.  The tail boom is designed to feather to increase the drag and slow down the space plane, but when the drag was applied earlier than expected the additional aerodynamic forces ripped the space plane apart at both high altitude and velocity.  Amazingly, one of the two pilots survived the accident.

Information from the newly released report can be used to expand the Cause Map from the previous blog.  The investigation determined that the pilot pulled the lever that released the braking system too early.  Even though the pilots did not initiate a command to put the tail booms into the braking position, the forces on the tail booms forced them into the feathered position once they were unlocked.  The space plane could not withstand the additional aerodynamic forces created by the feathered tail booms while still accelerating and it tore apart around the pilots.

A Cause Map is built by asking “why” questions and documenting the answers in cause boxes to visually display the cause-and-effect relationships. So why did the pilot pull the lever too early?  A definitive answer to that may never be known since the pilot did not survive the crash, but it’s easy to understand how a mistake could be made in a high-stress environment while trying to recall multiple tasks from memory very quickly.  Additionally, the NTSB found that training did not emphasize the dangers of unlocking the tail booms too early so the pilot may not have been fully aware of the potential consequences of this particular error.

A more useful question to ask would be how a single mistake could result in a deadly crash.  The plane had to be designed so that it was possible for the pilot to pull a lever too early and create a dangerous situation.  Ideally, no single mistake could create a deadly accident and there would have been safeguards built into the design to prevent the tail booms from feathering prematurely.  The NTSB determined the probable cause of this accident to be “failure to consider and protect against the possibility that a single error could result in a catastrophic hazard to the SpaceShipTwo vehicle.”  The investigation found that the design of the space plane assumed that the pilots would perform the correct actions every time.  Test pilots are highly trained and the best at what they do, but assuming human perfection is generally a dangerous proposition.

The NSTB identified a few causes that contributed to the lack of safeguards in the SpaceShipTwo design.  Designing commercial space craft is a relatively new field; there is limited human factors guidance for commercial space operators and the flight database for commercial space mishaps is incomplete. Additionally, there was insufficient review during the design process because it was never identified that a single error could cause a catastrophic failure. To see the recommendations and more information on the investigation, view a synopsis from the NTSB’s report.

To see an updated Cause Map of this accident, click on “Download PDF” above.

Root Cause Analysis - Incident Investigation

TransAsia Plane Crashes into River in Taiwan

By Kim Smiley

On February 4, 2015, there were 53 passengers onboard TransAsia Airways Flight 235 when the plane crashed into the Keelung River shortly after taking off from the Taipei Shonshan Airport.  There were 15 survivors from this dramatic crash where the plane hit a bridge and taxi cab prior to turning upside down before hitting the river. (The crash was caught on video by dash cameras from a vehicle on the bridge and can be seen here.)

Investigators are still working to determine exactly what happened, but some early findings have been released.  The plane involved in this crash was a turboprop with two engines.  This model of plane can fly safely with only one engine, but both engines had issues immediately prior to the crash so the pilots were unable to control the plane.

Data from the flight recorder shows that the right engine idled 37 seconds after takeoff.  No details about what caused the problem with the right engine have been made available.  The initial investigation findings are that the left engine was likely manually shut down by the pilots.  It’s not clear why the functioning engine would have been intentionally shut down. Early speculation is that it was a mistake and that the pilots were attempting to restart the idled right engine when they hit the switch for the operating left engine.

The investigation into the crash is ongoing and the final report isn’t expected to be released for about a year, but based on the initial findings, a few solutions to help reduce the likelihood of future crashes have already been implemented.  TransAsia has grounded most of its turboprop aircraft pending additional pilot instruction and requalification because it is believed that pilot action may well have contributed to the deadly accident.  More than 100 domestic flights have been canceled as a result.  Additionally, Taiwan’s Civil Aeronautic Administration has announced that the carrier will be banned from adding new international routes for 12 months.  A previous crash in July 2014 had already tarnished TransAsia’s reputation and this latest disaster will certainly be scrutinized by the authorities.

An initial Cause Map, a visual root cause analysis, can be built to analyze the information that is available on this crash and to document where there are still open questions.  To view a Cause Map and Outline of this incident, click on “Download PDF” above.

Root Cause Analysis - Incident Investigation

Investigation Into the Fatal Crash of Commercial Space Vehicle is Underway

By Kim Smiley

On October 31, 2014, Virgin Galactic’s commercial space vehicle, SpaceShipTwo, tore apart over the Mojave Desert in California during its fourth rocket-powered test flight. One pilot was killed and the other seriously injured. An investigation is underway to determine exactly what caused the crash, but initial data indicates that the tail booms used to slow down the vehicle moved into the feathered position prematurely, increasing the aerodynamic force. This disaster has the potential to impact the emerging commercial space industry as regulators and potential passengers are reminded of the inherent dangers of space travel.

This issue can be analyzed by building a Cause Map, a visual method for performing a root cause analysis. An initial Cause Map can be built using the information that is currently available and then easily expanded as more data is known. The first step is to fill in an Outline with the basic background information of the incident. Additionally, the impacts to the overall goals are listed on the Outline to determine the scope of the issue. The Cause Map is then built by asking “why” questions.

Starting with the safety goal in this example: one pilot was killed and another was injured because a space vehicle was destroyed and they were onboard. (When two causes both contribute to an effect, they are both listed on the Cause Map and joined with an “and”.) SpaceShipTwo is designed to hold passengers, but this was a test flight to assess a new fuel so the pilots were the only people onboard. The space vehicle tore apart because the stress on the vehicle was greater than the strength of the vehicle. The final report on the accident will not be available for many months, but the initial findings indicate that the space vehicle experienced greater aerodynamic forces than expected.

The space vehicle used tail booms that were shifted into a feathered position to increase drag and reduce speed prior to landing. Video shows the co-pilot releasing the lever that unlocked the tail booms earlier than expected while the vehicle was still accelerating. It’s unclear at this time why he released the lever. The tail booms were not designed to move when unlocked and a second lever controls movement, but investigators speculate that the aerodynamic forces on the space vehicle while it was still accelerating caused them to lift up into the feathered position once they were unlocked. The vehicle disintegrated seconds after the tail booms shifted position, likely because of the aerodynamic forces in play.

After the final report is released, the Cause Map can be expanded to include the additional information. To view a high level Cause Map of this accident, click on “Download PDF” above.

Root Cause Analysis - Incident Investigation

The Deadliest Airship Crash in History Wasn’t the Hindenburg

By Kim Smiley

Many people have heard of the Hindenburg, but have you heard of the USS Akron?  The Hindenburg crashed in 1937, killing 35 people. The USS Akron crash four years earlier killed 73, making it the deadliest airship crash in history.

The crash of the USS Akron can be investigated by building a Cause Map, a visual format for performing a root cause analysis.  A Cause Map is built by asking “why” questions to determine what causes contributed to an issue.  The causes are organized on the Cause Map to illustrate the cause-and-effect relationships between them.  Why were 73 people killed?  This occurred because they were onboard the USS Akron, the airship struck the ocean surface, the crew had little time to brace for impact and there were insufficient flotation devices onboard.

The crew was onboard the USS Akron because the airship was operated by the US Navy and was performing a routine mission at the time of the crash.  The airship hit the ocean because it was operating over the ocean and lost altitude in a severe storm.  Why was the airship operating in a storm?  There was no severe weather predicted at the time and a low pressure system unexpectedly developed.  The crew had little time to brace for the impact because they weren’t aware that an impact was imminent.  There was low visibility at the time because it was a stormy, dark night. The barometric altimeter was also showing that the airship was higher than it actually was.  Barometric altimeters are affected by pressure and the low pressure in the storm impacted more than the crew realized.   The lack of life jackets and other floatation devices also contributed to the high number of deaths.  There were no life jackets onboard the airship at the time of the crash and only one rubber raft.  The safety equipment had been given to another airship and had never been replaced.

While few of us plan to operate or build an airship anytime in the near future, the important of keeping sufficient safety gear onboard any vehicle of any kind is an important lesson.  Lack of safety gear is a reoccurring theme in many historical disasters.  For example, the sinking of the Titanic would be a very different story if there had been sufficient lifeboats onboard.  This example might be very different if the crew had been wearing life jackets.  The airship would still have been lost, but there would likely have been fewer casualties.

To view a high level Cause Map of this example, click on “Download PDF” above.

Root Cause Analysis - Incident Investigation

Commuter Ferry Crash in NYC Injures 85

By ThinkReliability Staff

A commuter ferry struck a pier in Lower Manhattan, NY during the morning commute on January 9, 2013, injuring at least 85 people – some critically .  According  to US Coast Guard Captain Gordon Loebl, “We know that they hit the pier at a relatively high rate of speed.”

We can examine this issue in a Cause Map, a form of root cause analysis which provides a visual “map” of cause-and-effect relationships.  We begin by determining the impacts to the goals resulting from this incident.  The safety goal was impacted due to the large number of people who were injured.  (No fatalities have been reported as a result of the crash.)   The customer service goal was impacted because the ferry slammed into a pier (nobody expects that on their morning commute!).  The ferry was damaged, impacting the property goal.  Presumably the ferry will be out of service for some time, impacting the production goal, and will require repairs, impacting the labor goal.  Any time required for the response can also be considered an impact to the labor goal.

A Cause Map can begin as simply as beginning with an impacted goal and asking a couple of why questions.  In this case, the safety goal is impacted by the injuries, which were caused by the ferry striking the pier.  More detail can be added to the Cause Map by asking more “Why” questions.

In this case, it’s not clear what caused the crash, though drug or alcohol use by the captain has been ruled out.  There have been some recent complaints about maneuverability due to a recent overhaul replacing the engine and propulsion system but it’s not clear if this played a role in the crash.  It’s also unclear why the ship was traveling at 14 knots when it was about to dock.  Because the ship was about to dock, people had gotten up from their seats and were standing in hallways and on or near stairways, increasing the rate of injury.  It does not appear that there are any regulations requiring commuters to remain seated until the ferry has stopped moving.

The ferry company, as well as the appropriate transportation authorities, will continue their investigations to determine the causes of the ferry incident.  Once they do, they will provide recommendations or requirements to ensure a safer morning commute.

To view the Outline and Cause Map, please click “Download PDF” above.  Or click here to read more.