Tag Archives: root cause analysis

Small fire leads to thousands of canceled flights

By Kim Smiley

Starting August 8, 2016, thousands of travelers were stranded worldwide after widespread cancelations and delays of Delta Air Lines flights. The disruptions continued over several days and the impacts lingered even longer.  The flight issues made headlines around the globe and the financial impact to the company was significant.

So what happened? What caused this massive headache to so many travelers? The short answer is a small fire in an airline data center, but a much longer answer is needed to understand what caused this incident. A Cause Map, a visual format for performing a root cause analysis, can be used to analyze this issue. All of the causes that contributed to an issue are visually laid out to intuitively show cause-and-effect relationships in a Cause Map.  The Cause Map is built by asking “why” questions and adding the answers.  For an effect with more than one cause, all of the causes that contributed to the effect are listed vertically and separated by an “and”.  (Click on “Download PDF” to see an intermediate level Cause Map of this incident.)

So why were so many flights canceled and delayed? There was a system-wide computer outage and the airline depends on computer systems for everything from processing check-ins to assigning crews and gates.  Bottom line, no flights leave on time without working computer systems.  The issues originated at a single data center, but the design of the system led to cascading computer issues that impacted systems worldwide.  The airline has not released any specific details about why exactly the issue spread, but this is certainly an area investigators would want to understand in order to create a solution to prevent a similar cascading failure in the future.

In a statement, the company indicated that an electrical component failed, causing a small fire at the data center. (Again, the specifics about what type of component and what caused the failure haven’t been released.) The fire caused a transformer to shut down which resulted in a loss of primary power to the data center.  A secondary power system did kick on, but not all servers were connected to backup power.  No details have been released about why some servers were not powered by the secondary power supply.

Compounding the frustration for the impacted travelers is the fact that they were unable to get updated flight information. Flight status systems, including airport monitors, continued to show that all flights were on time during the period of the cancelations and delays.

Once a large number of flights are disrupted, it is difficult to return to a normal flight schedule.  The rotation schedule for airlines and pilots has to be redone, which can be time-consuming.  Many commercial flights operate near capacity so it can be difficult to find seats for all the passengers impacted by canceled and delayed flights.  Delta has tried to compensate travelers impacted by this incident by offering refunds and $200 in travel vouchers to people whose flights were canceled or delayed at least three hours, but an incident of this magnitude will naturally impact customer confidence in the company.

This incident is a good reminder of the importance of building robust systems with functional backups; otherwise a small problem can spread and quickly become a big problem.

The Solution to America’s Most Unexpectedly Dangerous Mammal

By Staci DeKunder 

It’s hard to imagine that the mammal responsible for over 200 human deaths in America each year is the cute, cuddly…. deer.  These beautiful and seemingly harmless animals are hardly malicious.  Instead, they are in the wrong place at the wrong time, resulting in more than one million deer / vehicle collisions each year.  While the drivers have partial responsibility in these collisions, it seems that changes in the food chain have also contributed to this situation.   

In the 1800s, cougars (also called pumas or mountain lions) could be found roaming across the United States and Canada.  However, beginning in the early 1900s, states began implementing bounty programs enticing hunters to kill cougars.  The goal was to protect livestock and humans from these seemingly dangerous animals.  By the 1950s, the cougar population was primarily limited to areas west of the Rocky Mountains.  As the food chain predicts, the absence of a predator resulted in the overpopulation of its prey.  As the deer population increased, the probability for deer / vehicle collisions also increased.  

Expensive solutions have been considered to help decrease the collision rate, including deer culling, contraception and highway crossings.  However, it seems that nature may now be working towards its own natural solution.  As the bounty programs were removed in the 1960s and 1970s, the cougars have slowly begun migrating back towards the east.  A recent study published in Conservation Letters suggests that repopulation of cougars in the Eastern portion of the US could prevent 708,600 deer / vehicle collisions and 155 deaths over the next 30 years.   (The original fear of cougars attacking humans seems unfounded.  According to The Cougar Network, “Cougars are a retreating animal and very wary of people. Within the United States and Canada since 1890, there have been less than 100 attacks on humans, with about 20 fatalities. Encountering a cougar, let alone being attacked, is incredibly rare.”) 

A Cause Map is a helpful tool to dissect the cause-and-effect relationships contributing to a problem or situation.   Starting with the goals that were impacted, the causes and effects can be linked to create a chain.   For this situation, we begin with the safety goal that is impacted by the many fatalities each year.  Asking ‘Why’ questions, we can dig deeper to understand what causes are behind the impacted goal.   

In this case, the fatalities are a result of car collisions with deer.  The collisions are due to two factors: the deer unexpectedly crossing the road and the fact that the driver didn’t see the deer in time to stop.  We can trace each of these causes one at a time, revealing more causes.  The deer unexpectedly crosses the road because deer are moving to new areas.  This is because deer are overcrowded and need to expand their habitat.  The overcrowding is due to the growing deer population, which is due to the decrease in natural deer predators.  This decrease is caused by the decline in the cougar population, which is a result of the bounty programs that were implemented in the early 1900s.  These bounty programs were motivated by fear that the cougars would endanger humans or livestock.   

Going back to the driver’s role in the situation, we see that the driver may not have seen the deer in time due to poor lighting because deer often travel at dawn or dusk, and the driver may not have been paying close enough attention perhaps because they were distracted.   A second goal, property, was also impacted in this situation because the vehicles are damaged or destroyed as a result of the collisions.   

The Cause Map is also helpful in that it allows us to document the evidence and potential solutions directly on the causes that they can impact.   For example, the statistics about the number of collisions each year, fatalities each year, and cougar population changes are included right below the causes that they support.   Similarly, possible solutions are added right above the causes that they can impact.  In this case, deer culling and contraception could help control the deer overcrowding, and special deer highway crossings could help mitigate the deer crossing the road unexpectedly.  However, nature’s solution seems to fit further back in the chain by impacting the cause that is the decrease in the cougar population.   Time will tell if this solution will, in fact, reduce the number of collisions and injuries as predicted. 

To view the initial Cause Map of this issue, click on “Download PDF” above.

Train Derails on Track Just Inspected

By Angela Griffith

A train derailment in the Columbia River Gorge near Mosier, Oregon resulted in a fire that burned for 14 hours. The Federal Railroad Administration (FRA) preliminary investigation says the June 3rd derailment was caused by a broken lag bolt which allowed the track to spread, resulting in the 16-car derailment. Although there is only one other known instance of a broken lag bolt causing a train derailment, the FRA determined that the bolt had been damaged for some time, and had been inspected within days of the incident, raising questions about the effectiveness of these inspections.

Determining all the causes of a complex issue such as a train derailment can be difficult, but doing so will provide the widest selection of possible solutions. A Cause Map, or visual root cause analysis, addresses all aspects of the issue by developing cause-and-effect relationships for all the causes based on the impacts to an organization’s goals. We can create a Cause Map based on the preliminary investigation. Additional causes and evidence can be added to the map as more detail is known.

The first step in the Cause Mapping process is to determine the impacts to the organization’s goals. While there were no injuries in this case, the massive fire resulting from the derailment posed a significant risk to responders and nearby citizens, an impact to the safety goal. The release of 42,000 gallons of oil (although much of it was burned off in the fire) is an impact to the environmental goal. The customer service goal is impacted by the evacuation of at least 50 homes and the regulatory goal is impacted by the potential for penalties, although the National Transportation Safety Board (NTSB) has said it will not investigate the incident. The state of Oregon has requested a halt on oil traffic, which would be an impact to the schedule goal. The property goal is impacted by the damage to the train cars, and the labor/ time goal is impacted by the response and investigation.

The analysis, which is the second step in the Cause Mapping process, begins with one of the impacted goals and develops cause-and-effect relationships by asking ‘Why’ questions. In this case, the safety goal is impacted by the high potential for injuries. This is caused by the massive fire, which burned for 14 hours. There may be more than one cause resulting in an effect, such as a fire, which is caused by heat, fuel, and oxygen. The oxygen in this case is from the atmosphere. The heat source is unknown but could have been a spark caused by the train derailment. The fire was fueled by the 42,000 gallons of crude released due to damage to train cars, which were transporting crude from the Bakken oil fields, caused by the derailment.

The derailment of 16 cars of the train was caused by the broken lag bolt. Any mechanical failure, such as a break, results from the stress on that object exceeding the strength of the object. In this case, the stress was caused by the weight of the 94-car train. The length of a train carrying crude oil is not limited by federal regulations. The strength of the bolts was reduced due to previous damage, which was not identified prior to the failure. While the track strength is evaluated every 18 months by the Gauge Restraint Measurement System (GRMS), it did not identify the damage. It’s unclear the last time it was performed.

Additionally, although the track is visually inspected twice a week by the railroad, it is done by vehicle, which would have made the damage harder to spot. The FRA does not require walking inspections. Nor does the FRA inspect or review the railroad’s inspections very often – there are less than 100 inspectors for the 140,000 miles of track across the country. There are only 3 in Oregon.

As a result of the derailment, the railroad has committed to replacing the existing bolts with heavy-duty ones, performing GRMS four times a year, enhanced hyrail inspections and visual track inspections three times a week, and performing walking inspections on lag curves monthly.

The FRA is still evaluating actions against the railroad and is again calling for the installation of advanced electronic brakes, or positive train control (PTC). It has also recommended PTC after other incidents, such as the deaths of two railroad workers on April 3 (see our previous blog) and the derailment in Philadelphia last year that killed 8 (see our previous blog).

To view a one-page PDF of the Cause Mapping investigation, click on “Download PDF” above. Or, click here to read the FRA’s preliminary investigation.

FAA Proposes Amazon Fine for Hazardous Shipment

By Kim Smiley

The Federal Aviation Administration (FAA) recently proposed fining Amazon $350,000 for shipping a product that allegedly violated hazardous materials regulations. The package in question was shipped by Amazon from Louisville, Kentucky, to Boulder, Colorado and contained a one-gallon container of corrosive drain cleaner with the colorful name Amazing! LIQUID FIRE. During transit, the package leaked and 9 UPS workers were exposed to the drain cleaner and reported a burning sensation. The workers were treated with a chemical wash and experienced no further issues, but this incident highlights issues with improper shipment of hazardous materials.

A Cause Map, a visual root cause analysis, can be built to analyze this issue by visually laying out the cause-and-effect relationships that contributed to the issue.  The first step in the Cause Mapping method is to fill in an Outline.  The top part of the Outline lists the basic background information for the issue, such as the date and time.  The bottom portion of the Outline has a section to list how the problem impacts the overall goals of the organization.  Most problems have more than one impact and this incident is no exception.  For example, the safety goal is impacted because workers were exposed to hazardous chemicals and the regulatory goal is impacted because of the FAA investigation and the proposed fine.

The frequency of the issue is listed on the last line of the Outline.  Identifying the frequency is important because an issue that has occurred a dozen times may likely warrant a more detailed investigation than an issue that has been reported only once.  For this example, Amazon has had at least 24 hazardous materials violations between February 2013 and September 2015 so the concerns about improperly handling hazardous materials goes beyond the issues with this one package.

Once the Outline is completed, the Cause Map is built by starting at one of the impacted goals and asking “why” questions. Starting at the safety goal for this example, the first question would be “why were workers exposed to hazardous chemicals?”. This happened because the workers were handling a package containing hazardous chemicals, a package containing hazardous chemicals leaked, and inadequate precautions were taken to prevent the workers being exposed to the chemicals. When there is more than one cause that contributes to an effect, the causes are listed vertically and separated by an “and”.

To continue building the Cause Map, ask “why” questions for each of the causes already listed. The workers were handling the package because it shipped by air via UPS. Inadequate precautions were taken to prevent exposure to the chemical because workers were unaware that package contained hazardous chemicals. Chemicals leaked because they were not properly packaged.  Why questions should continue to be asked until no more information is known or no useful detail can be added to the Cause Map. To view an intermediate level Cause Map of this issue with more information, click on “Download PDF” above.

The final step in the Cause Mapping process is to use the Cause Map to develop and implement solutions to reduce the risk of the problem reoccurring. More information about what exactly led to improperly packaged and labeled hazardous materials being shipped would be needed to develop useful solutions in this example, but hopefully a fine of this size and the negative publicity it generated will help spark efforts to make improvements.

Marauding Monkeys Lead to Electrical Outage in Kenya

By Angela Griffith

One monkey managed to cause an electrical outage for all of Kenya – 4.7 million households and businesses – for 15 minutes to more than 3 hours. In order to determine solutions to prevent this from happening again, a thorough analysis of the problem is necessary. We will look at this issue within a Cause Map, a visual form of root cause analysis.

The first step of any problem-solving method is to define the problem. In the Cause Mapping method, the problem is defined with respect to the organization’s goals. In this case, there were several goals that were impacted. If the organization has a goal of ensuring safety of animals, that goal is impacted due to the risk of a fatality or severe injury to the monkey. (In this case, the monkey was unharmed and was turned over to the wildlife service.) The loss of power to 4.7 million businesses and households is an impact to the customer service goal. The nationwide power outage, which lasted from 15 minutes to over 3 hours, is an impact to the production/ schedule goal. Damage to the transformer is an impact to the property goal, and the time required for response and repair is an impact to the labor/ time goal.

The second step of problem-solving is the analysis. Using the Cause Mapping method, cause-and-effect relationships are developed. One of the impacted goals is used as the first effect. Asking “Why” questions is one way to determine cause-and-effect relationships. However, there may be more than one cause required to produce an effect. In this example, the power outage resulted from a cascading effect on the country’s generators. This cascading effect was caused by the loss of a hydroelectric facility, which provides 20% of the country’s electricity, and the unreliability of the power grid, due to aging infrastructure. All of these causes were required for this scenario: had the country had a more reliable power grid or more facilities so that the country was not so dependent on one, the loss of the hydroelectric site would not have resulted in nationwide outage.

Continuing the analysis, the loss of the hydroelectric facility was caused by an overload when a key transformer at the site was tripped. According to the power company, the trip was caused by a monkey falling onto the transformer. (There is also photographic evidence showing a monkey in the area of the transformer.) In order for the monkey to fall onto the transformer, it had to be able to access the transformer. The monkey in this case is believed to have fallen off the roof. How this occurred is still unclear, because the facility is secured by an electric fence designed specifically for protection against “marauding wild animals”.

The last step of problem-solving is to determine solutions, based on the analysis of this problem. The utility says it is “looking at ways of further enhancing security” at all their power plants. Unfortunately, total protection against outages caused by animals is impossible. In the United States, animal-caused outages are believed to cause at least $18 billion in lost economy every year. Just this May, raccoons caused outages to 40,000 in Seattle and 5,600 in Colorado Springs. This year also saw outages caused by squirrels, snakes, starlings and geese. Other unusual outages include work on a transformer causing an outage with economic loss of $118 million in Arizona (see our blog on this subject) and a woman with a shovel who cut internet service to nearly all of Armenia (see our blog on this subject).

Because power outages due to animals and other issues can’t be completely eliminated, ensuring a robust power grid is important to minimize the impact from and duration of outages. Calls for improvements to the aging infrastructure in Kenya have resulted from this incident, but these kinds of solutions require not only the cooperation of the utilities, but the country as a whole.

To view the problem outline and Cause Map for this incident, please click on “Download PDF” above

How Did a Cold War Nuclear Bomb Go Missing?

By Staci Dekunder

Is there a nuclear bomb lost just a few miles off the coast of Savannah, Georgia? It seems that we will never know, but theories abound. While it is easy to get caught up in the narrative of these theories, it is interesting to look at the facts of what actually happened to piece together the causes leading up to the event. This analysis may not tell us if the bomb is still under the murky Wassaw Sound waters, but it can tell us something about how the event happened.

Around 2 am on February 5, 1958, a training exercise was conducted off the coast of Georgia. This was during the most frigid period of the Cold war, and training was underway to practice attacking specific targets in Russia. During this particular training mission, Major Howard Richardson was flying a B-47 bomber carrying a Mark 15, Mod 0 Hydrogen bomb containing 400 pounds of conventional explosives and some quantity of uranium.

The realistic training mission also included F-86 ‘enemy’ fighter jets. Unfortunately, one of those jets, piloted by Lt. Clarence Stewart, did not see the bomber on his radar and accidentally maneuvered directly into the B-47. The damage to both planes was extensive. The collision destroyed the fighter jet, and severely damaged the fuel tanks, engine, and control mechanisms of the bomber.   Fortunately, Stewart was able to safely eject from the fighter jet. Richardson had a very difficult quest ahead of him: to get himself and his co-pilot safely on the ground without detonating his payload in a heavily damaged aircraft. He flew to the closest airfield; however, the runway was under construction, making the landing even more precarious for the two crew members and for the local community that would have been affected had the bomb exploded upon landing. Faced with an impossible situation, Richardson returned to sea, dropped the bomb over the water, observed that no detonation took place, and returned to carefully land the damaged bomber.

The Navy searched for the bomb for over two months, but bad weather and poor visibility did not make the search easy. On April 16, 1958, the search was ended without finding the bomb. The hypothesis was that the bomb was buried beneath 10 – 15 feet of silt and mud. Since then, other searches by interested locals and the government have still not identified the location of the bomb.   In 2001, the Air Force released an assessment which suggests two interesting points. First, the bomb was never loaded with a ‘detonation capsule’, making the bomb incapable of a nuclear explosion. (Until this time, conventional wisdom suggested that the detonation capsule was included with the bomb.) Second, the report concluded that it would be more dangerous to try to move the bomb than to leave the bomb in its resting place.

While we may never learn the location of the bomb, we can learn from the incident itself. Using a Cause Map, we can document the causes and effects resulting in this incident, providing a visual root cause analysis. Beginning with several ‘why’ questions, we can create a cause-effect chain. In the simplest Cause Map, the safety goal was impacted as a result of the danger to the pilots and to the nearby communities as the result of a potential nuclear bomb explosion. This risk was caused by the bomb being jettisoned from the plane, which was a result of the collision between the fighter jet and the bomber. The planes collided due to the fact that they were performing a training mission to simulate a combat scenario.

More details are uncovered as this event is further broken down to include more information and to document the impact to other goals. The property goal is impacted through the loss of aircraft and the bomb. The bomb is missing because it was jettisoned from the bomber AND because it was never found during the search. The bomb was jettisoned because the pilot was worried that the bomb might break loose during landing. This was due to the fact that the planes collided. The planes collided due to the fact that the F-86 descended onto the top of the B-47 AND because they were in the midst of a training exercise. The fighter jet crashed into the bomber because the bomber was not on radar. The planes were performing an exercise because they were simulating bombing a Russian target, because it was the middle of the Cold War. The search was unsuccessful because the bomb is probably buried deep in the mud AND because the weather and visibility were bad during the search.

Finally, the ‘customer service’ goal is impacted by the fact that the residents in nearby communities are nervous about the potential danger of explosion/radiation exposure. This nervousness is caused by the fact that the bomb is still missing AND the fact that the bomb contained radioactive material, which was due to routine protocol at the time.

Evidence boxes are a helpful way to add information to the Cause Map that was discovered during the investigation. For example, an evidence box stating the evidence from the 2001 Air Force report that the bomb had no detonation capsule has been added to the Cause Map. A Cause Map is a useful tool to help separate the facts from the theories. Click on “Download PDF” above to see the full, detailed Cause Map.

Kansas City Interstate Overpass Closed Due to 20′ Crack

By Angela Griffith

A bridge engineer watching a crack (previously described as “tight”) under the Grand Boulevard bridge noticed it had extended to 20′ on May 6, 2016. He immediately ordered the bridge closed, requiring the rerouting of the more than 9,000 vehicles that use the bridge every day. Replacing the bridge is estimated to cost $5 million.

Luckily, due to the quick action of the engineer, there were no injuries or fatalities as could have occurred due to either the bridge catastrophically collapsing while in use, or for motorists on the Interstate below being struck by large chunks of concrete falling from the overpass.

The overpass failure can be addressed in a Cause Map, or visual root cause analysis. The process begins by capturing the what, when and where of the incident (a bridge failure May 6 in Kansas City) and the impacts to the goals. Because there was the potential for injuries, the safety goal is impacted. The re-routing of over 9,000 vehicles a day is an impact to the customer service goal. The closing of the bridge’s overpass/ sidewalks is an impact to the production goal, and the cost of replacing the bridge is an impact to the property/ labor goal.

By beginning with an impacted goal and asking ‘Why’ questions, cause-and-effect relationships that lay out the causes of an incident can be developed. In this case, the impacted goals are caused by the significant damage to the bridge, due to a rapidly spreading crack.

The failure of any material or object, including all or part of a bridge, results from the stress on that object from all sources overcoming the strength of the object. In this case the stress on the bridge was greater than the strength of the bridge. Stress on the bridge results from each pass of a vehicle over the life of the bridge. In this case, 9,300 vehicles a day transit the bridge, which has been in service since 1963.

Stress also results from large trucks traveling over the bridge. The engineers suspect this is what happened, possibly due to an apartment construction project near the bridge. Says Brian Kidwell, an assistant engineer for the Missouri Department of Transportation, “My hunch is a very heavy load went over it. It could have been a totally legal load.” A “hunch” by an experienced professional is included in the Cause Map as a potential cause. This is indicated with a “?” and requires more evidence.

Legal loads on bridges are based on the allowable stress for a bridge’s strength. However, the strength of the bridge can change over the years. It is likely that happened in this case. Previous damage has been noted on the bridge, which also required bracing last month to fix a sagging section. However, the bridge was deemed “adequate” in an inspection eight months ago. Any needed repairs may not have occurred – there’s never enough money for needed infrastructure improvements. It’s also possible that water entered the empty cylinders that make up the part of the span of the bridge (this is called a “sonovoid” design) and they could have filled with water and later frozen, causing damage that can’t be easily seen externally.

For now, more information will be required to determine what led to the bridge failure. At that point, bridges of similar design may face additional inspections, or be replaced on the long waiting list for repairs. For Kansas City, some are taking a broader – and bolder – view and are recommending the older section of the Interstate “loop” be removed altogether.

To view the Cause Map of the bridge failure, click on “Download PDF” above. Or, click here to learn.

Experts warn that vehicles are vulnerable to cyberattacks

By Kim Smiley 

By now, you have probably heard of the “internet of things” and the growing concern about the number of things potentially vulnerable to cyberattacks as more and more everyday objects are designed to connect to the internet.  According to a new report by the Government Accountability Office (GAO), cyberattacks on vehicles should be added to the list of potential cybersecurity concerns.  It’s easy to see how bad a situation could quickly become if a hacker was able to gain control of a vehicle, especially while it was being driven.

A Cause Map, a visual root cause analysis, can be built to analyze the issue of the potential for cyberattacks on vehicles.  The first step in the Cause Mapping process is to define the problem by filling out an Outline with basic background information as well as how the problem impacts the overall goals.  The Cause Map is then built by starting at one of the goals and asking “why” questions to visually lay out the cause-and-effect relationships. 

In this example, the safety goal would be impacted because of the potential for injuries and fatalities. Why is there this potential? There is the possibility of car crashes caused by cyberattack on cars. Continuing down this path, cyberattacks on cars could happen because most modern car designs include advanced electronics that connect to outside networks and these electronics could be hacked.  Additionally, most of the computer systems in a car are somehow connected so gaining access to one electronic system can give hackers a doorway to access other systems in the car.

Hackers can gain access to systems in the car via direct access to the vehicle (by plugging into the on-board diagnostic port or the CD player) or, a scenario that may be even more frightening, they may be able to gain access remotely through a wireless network.  Researchers have shown that it is possible to gain remote access to cars because many modern car designs connect to outside networks and cars in general have limited cybersecurity built into them. Why cars don’t have better cybersecurity built into them is a more difficult question to answer, but it appears that the potential need for better security hadn’t been identified.

As of right now, the concern over potential cyberattacks on cars is mostly a theoretical one.  There have been no reports about injuries caused by a car being attacked.  There have been cases of cars being hacked, such as at Texas Auto Center in 2010 when a disgruntled ex-employee caused cars to honk their horns at odd hours and disabled starters, but there are few (if any) reports of cyberattacks on moving vehicles.  However, the threat is concerning enough that government agencies are determining the best way to respond to it. The National Highway Traffic Safety Administration established a new division in 2012 to focus on vehicle electronics, which includes cybersecurity. Ideally, possible cyberattacks should be considered and appropriate cybersecurity should be included into designs as more and more complexity is added to the electronics in vehicles, and objects ranging from pace-makers to refrigerators are designed to connect to wireless networks.

Airplane Emergency Instructions: How do you make a work process clear?

By Angela Griffith

What’s wrong with the process above?

This process provides instructions on how to remove the over-wing exit door on an airplane during an emergency.  However, imagine performing this process in an actual emergency.  During the time you spend opening the door, there will probably be people crowded behind you, frantic to get off the plane.  Step 4 indicates that after the door is detached from the plane wall, you should turn around and set the door (which is about 4’ by 2’ and can weigh more than 50 pounds) on the seats behind you.  In most cases, this will be impossible.  This is why emergency exit doors open towards the outside; in an emergency, a crush against the door will make opening the door IN impossible.

Even if it would be possible to place the door on the seat in the emergency exit row, it would likely reduce the safety of passengers attempting to exit.  As discussed, the exit door is fairly large and heavy.  It is likely to be displaced while passengers are exiting the airplane and may end up falling on a passenger, or blocking the exit path.

However, when this process was tested in training, it probably worked fine.  Why? Because it wasn’t an actual emergency, and there probably weren’t a plane full of passengers that really wanted to get out.  This is just another reason that procedures need to be tested in as close to actual situations as possible.  At the very least, any scenario under which the process is to be performed should be replicated as nearly as possible.

Now take a look at this procedure:

It’s slightly better, not telling us to put the removed door on the seat behind us, but instead it doesn’t tell us what to do with the door. Keep in mind that the person performing this procedure’s “training” likely consisted of a 30-second conversation with a flight attendant and that in all probability, the first time he or she will perform the task is during an emergency situation. When testing a procedure, it’s also helpful to have someone perform the procedure who is not familiar with it, with instructions to do only what the procedure says. In this case, that person would end up removing the door . . . and then potentially attempting to climb out of the exit with the door in their hands. This is also not a safe or efficient method of emergency escape.
This procedure provides a much better description of what should be done with the door. The picture clearly indicates that the door should be thrown out of the plane, where it is far less likely to block the exit or cause passenger injury.

The first two procedures were presumably clear to the person who created them.  But had they been tested by people with a variety of experience levels (particularly important in this case, because people of various experience levels may be required to open the doors in an emergency), the steps that really weren’t so clear may have been brought to light.

Reviewing procedures with a fresh eye (or asking someone to perform the procedure under safe conditions based only upon the written procedure) may help to identify steps that aren’t clear to everyone, even if they were to the writer.  This can improve both the safety, and the effectiveness, of any procedure used in your organization.

8 Injured by Arresting Cable Failure on Aircraft Carrier

By Angela Griffith

An aircraft carrier is a pretty amazing thing. Essentially, it can launch planes from anywhere. But even though aircraft carriers are huge, they aren’t big enough for planes to take off or land in a normal method. The USS Dwight D. Eisenhower (CVN 69) has about 500′ for landing planes. In order for planes to be able to successfully land in that distance, it is equipped with an arresting wire system, which can stop a 54,000 lb. aircraft travelling 150 miles per hour in only two seconds and a 315′ landing area. This system consists of 4 arresting cables, which are made of wire rope coiled around hemp. These ropes are very thick and heavy and cause a significant risk to personnel safety if they are parted or detached.

This is what happened on March 18, 2016 while attempting to land an E-2C Hawkeye. An arresting cable came unhooked from the port side of the ship and struck a group of sailors on deck. At least 8 were injured, several of whom had to be airlifted off the ship for treatment. We will examine the details of this incident within a Cause Map, a visual form of root cause analysis.

The first step in any problem investigation is to define the problem. We capture the what, when, and where within a problem outline. Additionally, we capture the impacts to the goals. The injuries as well as the potential for death or even more serious injuries are impacts to the safety goal. Flight operations were shut down for two days, impacting both the mission and production/ schedule goal. The potential of the loss of or (serious damage to) the plane is an impact to the property goal. (In a testament to the skill of Navy pilots, the plane returned to Naval Station Norfolk without any crew injuries to the flight crew or significant damage to the plane.) The response and investigation are an impact to the labor goal. It’s also useful to capture the frequency of these types of incidents.   The Virginian-Pilot reports that there have been three arresting-gear related deaths and 12 major injuries since 1980.

The next step in the problem-solving process is to determine the cause-and-effect relationships that led to the impacted goals. Beginning with the safety goal, the injuries to the sailors resulted from being struck by an arresting cable. When a workplace injury results, it’s also important to capture the personal protective equipment (PPE) that may have impacted the magnitude of the injuries. In this case, all affected sailors were wearing appropriate PPE, including heavy-duty helmets, eye and ear protection. This is a cause of the injuries because had they NOT been wearing PPE, the injuries would have certainly been much more severe, or resulted in death.

The arresting cable struck the sailors because it came unhooked from the port side of the ship. The causes for the detachment of the cable have not been conclusively determined; however, a material failure results from a force on the material that is greater than the strength of the material. In this case the force on the arresting cable is from the landing plane. In this case, the pilot reported the plane “hit the cable all at once”, which could have provided more force than is typical. The strength of the cable and connection may have been impacted by age or use. However, arresting cables are designed to “catch” and slow planes at full power and are only used for a specific number of landings before being replaced.

Other impacted goals can be added to the Cause Map where appropriate (additional relationships may result). In this case, the potential damage to the plane resulted from the landing failure, which was caused by the detachment of the arresting cable AND because the arresting cable is needed to safely land a plane on an aircraft carrier.

The last step of the Cause Mapping process is to determine solutions to reduce the risk of the incident recurring. More investigation is needed to ensure that the cable and connection were correctly installed and maintained. If it is determined that there were issues with the connection and cable, the processes that lead to the errors will be improved. However, it is determined that the cable and connection met design criteria and the detachment resulted from the plane landing at an unusual angle, there may be no changes as a result of this investigation.

It seems unusual that an investigation that resulted in 8 injuries would result in no action items. However, solutions are based on achieving an appropriate level of risk. The acceptable level of risk in the military is necessarily higher than it is in most civilian workplaces in order to achieve desired missions. Returning to the frequency from the outline, these types of incidents are extremely rare. The US Navy currently has ten operational aircraft carrier (and an eleventh is on the way). These carriers launch thousands of planes each year yet over the last 36 years, there have been only 3 deaths and twelve major injuries associated with landing gear failures, performing a dangerous task in a dangerous environment. Additionally, in this case, PPE was successful in ensuring that all sailors survived and limiting injury to them.

To view the outline and Cause Map of this event, click on “Download PDF” above.