Contents

Section 7 - Analyzing Data

List of Tables

List of Figures

List of Forms and Tools

 

7

Analyzing Data

Careful and complete analysis of the data collected following an accident is critical to the accurate determination of an accident's causal factors. The results of comprehensive analyses provide the basis for corrective and preventive measures.

The analysis portion of the accident investigation is not a single, distinct part of the investigation. Instead, it is the central part of the iterative process that includes collecting facts and determining causal factors. Well chosen and carefully performed analytical methods are important for providing results that can aid investigators in developing an investigation report that has sound judgments of need.

Caution must be taken in applying analytic methods. First, no single method will provide all the analyses required to completely determine the multiple causal factors of an accident. Several techniques that can complement and cross-validate one another should be used to yield optimal results. Second, analytic techniques cannot be used mechanically and without thought. The best analytic tools can become cumbersome and ineffective if they are not applied to an accident's specific circumstances and adapted accordingly.
TIP

Each board should determine which analytic techniques to use based on the accident’s complexity and severity. Alternative approaches and methods to those presented in this workbook are acceptable, provided that they meet the requirements of DOE Order 225.1A and are demonstrably equivalent.

7.1 Determining Facts

Immediately following any serious accident, much of the available information may be conflicting and erroneous. The volume of data expands rapidly as witness statements are taken, emergency response actions are completed, evidence is collected, and the accident scene is observed by more individuals.

The principal challenge of the investigation board is to distinguish between accurate and erroneous information in order to focus on areas that will lead to identifying the accident's causal factors. This can be accomplished by:
TIP

Prevention is at the heart of the entire investigation process; therefore, any accident investigation must focus on fact-finding, not fault-finding.

Fact-finding begins during the collection of evidence. All sources of evidence (e.g., accident site walkthroughs, witness interviews, physical evidence, policy or procedure documentation) contain facts that, when linked, create a chronological depiction of the events leading to an accident. Facts are not hypotheses, opinions, analysis, or conjecture. However, not all facts can be determined with complete certainty, and such facts are referred to as assumptions. Assumptions should be reflected as such in the investigation report and in any closeout briefings.

Board members should immediately begin developing a chronology of events as facts and evidence are collected. Facts should be reviewed on an ongoing basis to ensure relevance and accuracy. Facts and evidence later determined to be irrelevant should be removed from the accident chronology but retained in the official investigation file for future consideration.

Contradictory facts can be resolved in closed board meetings, recognizing that the determination of significant facts is an iterative process that evolves as gaps in information are closed and questions resolved. The board revisits the prescribed scope and depth of their investigation often during the fact-finding and analysis process. Doing so ensures that the investigation adheres to the parameters prescribed in the board's appointment memorandum.

Causal factors of an accident are identified by analyzing the facts. Judgments of need, and the subsequent corrective actions, are based on the identified causes of the accident. Therefore, the facts are the foundation of all other parts of the investigative process.

 

Table 7-1. Case study introduction.

Case Study

This section of the workbook begins with a case study of an electrical accident. It is selectively referenced throughout this and subsequent sections to illustrate the process of determining facts and the use of six analytic techniques: four core techniques commonly used in DOE accident investigations, and two tree-based techniques. In this workbook, particular emphasis is placed on these techniques because they can be used in most accident investigations. However, for extremely complex accidents, additional, more sophisticated techniques may be needed that require specialized training. Training for these techniques is beyond the scope of this workbook and can be obtained through government, private, and university sources.

Accident Description

The accident occurred at approximately 9:34 a.m. on January 17, 1996, in Building XX, during the excavation of a sump pit in the floor of the building. Workers were attempting to correct a waste stream outfall deficiency. Two workers arrived at the job site at approximately 8:40 a.m. and resumed the excavation work begun the previous day. The workers were employed by WS, the primary subcontractor for construction and maintenance. They used a jackhammer, pry bar, and shovel to loosen and remove the rubble from the sump pit. At about 9:34 a.m., at a depth of 39 inches, Worker A, who was operating the jackhammer, pierced the conduit containing an energized 13.2 kV electrical cable. He was transported to the local medical center, where cardiac medications were administered.

Accident Facts

Using the case study accident, the following three factual statements were derived during the investigation:

  • The injured worker had not completed safety training prior to the accident, as required by WS Environment, Safety, and Health Manual Procedure 12340.
  • Design drawings for the project on which the injured employee was working did not comply with the requirements of DOE Order 6430.1A, General Design Criteria, and did not show the location of the underground cable.
  • A standing work order system, without a safety review, was used for nonroutine, nonrepetitive tasks.

7.2 Determining Causal Factors

TIP

The process of determining causal factors seeks to answer the questions—what happened and why did it happen?

Causal factors are the events and conditions that produced or contributed to the occurrence of the accident. There are three types of causal factors:

  • Direct cause

  • Contributing causes

  • Root causes.

7.2.1 Direct Cause

The direct cause of an accident is the immediate events or conditions that caused the accident. The direct cause should be stated in one sentence, as illustrated in the examples below.

EXAMPLES:
ACCIDENT DIRECT CAUSES

  • The direct cause of the accident was contact between the chisel bit of the air-powered jackhammer and the 13.2 kV energized electrical cable in the sump pit being excavated.

  • The direct cause of the accident was the inadvertent activation of electrical circuits that initiated the release of CO2 in an occupied space.

Identifying the direct cause of an accident is optional. While it may not be necessary to identify the direct cause in order to complete the causal factors analysis, the direct cause should be identified when it facilitates understanding why the accident occurred or when it is useful in developing lessons learned from the accident.

7.2.2 Contributing Causes

Contributing causes are events or conditions that collectively with other causes increased the likelihood of an accident but that individually did not cause the accident. Contributing causes may be longstanding conditions or a series of prior events that, alone, were not sufficient to cause the accident, but were necessary for it to occur. Contributing causes are the events and conditions that "set the stage" for the accident and, if allowed to persist or reoccur, increase the probability of future accidents.

EXAMPLES:
ACCIDENT CONTRIBUTING CAUSES

  • Failure to implement safety procedures in effect for the project contributed to the accident.

  • Failure to erect barriers or post warning signs contributed to the accident.

  • The standing work order process was used by facility personnel as a convenient method of performing work without a job ticket and work package, allowing most work to be field-directed.

  • Inadequate illumination in the area of the platform created visibility problems that contributed to the fall from the platform.

7.2.3 Root Causes

Root causes are the causal factors that, if corrected, would prevent recurrence of the same or similar accidents. Root causes may be derived from or encompass several contributing causes. They are higher-order, fundamental causal factors that address classes of deficiencies, rather than single problems or faults. Correcting root causes would not only prevent the same accident from recurring, but would also solve line management, oversight, and management system deficiencies that could cause or contribute to other accidents. They are identified using root cause analysis (see Section 7.3.5).

In many cases, root causes are failures to properly implement the principles and core functions of integrated safety management. Root causes can include failures in management systems to:

  • Define clear roles and responsibilities for safety

  • Ensure that staff are competent to perform their responsibilities

  • Ensure that resource use is balanced to meet critical mission and safety goals

  • Ensure that safety standards and requirements are known and applied to work activities

  • Ensure that hazard controls are tailored to the work being performed

  • Ensure that work is properly reviewed and authorized.

TIP

Even though the board should avoid placing individual blame for an accident, the board has an obligation to seek out and report all causal factors, including deficiencies in management, safety, or line management oversight systems.

Root cause statements, as shown in the examples below, should identify the DOE and contractor line organizations responsible for the safety management failures. Root cause statements should also identify the specific management system(s) that failed.

EXAMPLES:
ACCIDENT ROOT CAUSES

  • Contractor management and the DOE field office failed to clearly define responsibilities for safety reviews of planned work. The lack of clarity in roles and responsibilities for safety reviews was a root cause of the accident.

  • Contractor management allowed the standing work order process, intended for routine work, to be used to accomplish non-routine, complex modification and construction work. DOE field office oversight failed to detect and ensure correction of this practice. Misuse of the standing work order process was a root cause of the accident.

  • Contractor management systems were ineffective in translating lessons learned from past occurrences into safer day-to-day operations at the facility. The failure to implement lessons learned was a root cause of the accident.

  • Assessments performed by the DOE program office failed to identify that some safety standards were not addressed by contractor safety management systems. Implementation of these requirements would have prevented the accident.


7.2.4 The Importance of Causal Factors

The primary purpose of any accident investigation is to help line management prevent recurrence of accidents by identifying all of an accident's causal factors. The board is responsible for identifying the local causal factors that, if corrected, would prevent another accident from occuring when the same work activity is performed again. However, more is required than simply detecting and removing immediate hazards. The board is also responsible for identifying and describing any failures in management systems and oversight processes that allow hazards to exist that could lead to other accidents at other facilities and DOE sites. Modern accident investigation theory indicates that generally the root causes of accidents are found in management system failures, not in the most directly related causal factor(s) in terms of time, location, and place.

Generally, the higher the level in the management and oversight chain at which a root cause is found, the broader the scope of the activities that the root cause can affect. Because these higher-level root causes, if not corrected, have the largest potential to cause other accidents, it is incumbent on a board to ensure that the investigation is not ended until the root causes are identified. If a board cannot identify root causes, this should be stated clearly in the investigation report, along with an explanation.

7.3 Using the Core Analytical Techniques

TIP

The purpose of any analytic technique in an accident investigation is to answer the question — "How did it happen?" It is the job of the board to apply whatever techniques can help them determine the causal factors of an accident.

DOE accident investigation boards commonly use four techniques to analyze the factual information they have collected, to identify conditions and events that occurred before and immediately following an accident, and to determine an accident's causal factors.

Following are descriptions of and instructions for using these four core analytic techniques:

  • Events and causal factors charting and analysis

  • Barrier analysis

  • Change analysis

  • Root cause analysis.

7.3.1 Events and Causal Factors Charting

Accidents rarely result from a single cause. Events and causal factors charting is useful in identifying the multiple causes and graphically depicting the triggering conditions and events necessary and sufficient for an accident to occur.

For purposes of this workbook, events and causal factors charting and events and causal factors analysis (see Section 7.3.4) are considered one technique. They are addressed separately because they are conducted at different stages of the investigation. Events and causal factors charting is a graphical display of the accident's chronology and is used primarily for compiling and organizing evidence to portray the sequence of the accident's events. It is a continuous process performed throughout the investigation. Events and causal factors analysis is the application of analysis to determine causal factors by identifying significant events and conditions that led to the accident. As the results of other analytical techniques (e.g., change analysis and barrier analysis) are completed, they are incorporated into the events and causal factors chart. After the chart is fully developed, the analysis is performed to identify causal factors.

Events and causal factors charting is possibly the most widely used analytic technique in DOE accident investigations, because the events and causal factors chart is easy to develop and provides a clear depiction of the data. By carefully tracing the events and conditions that allowed the accident to occur, board members can pinpoint specific events and conditions that, if addressed through corrective actions, would prevent a recurrence. The benefits of this technique are highlighted in Table 7-2.

Table 7-2. Benefits of events and causal factors charting.

The benefits of events and causal factors charting include:
  • Illustrating and validating the sequence of events leading to the accident and the conditions affecting these events
  • Showing the relationship of immediately relevant events and conditions to those that are associated but less apparent — portraying the relationships of organizations and individuals involved in the accident
  • Directing the progression of additional data collection and analysis by identifying information gaps
  • Linking facts and causal factors to organizational issues and management systems
  • Validating the results of other analytic techniques
  • Providing a structured method for collecting, organizing, and integrating collected evidence
  • Conveying the possibility of multiple causes
  • Providing an ongoing method of organizing and presenting data to facilitate communication among the investigators
  • Clearly presenting information regarding the accident that can be used to guide report writing
  • Providing an effective visual aid that summarizes key information regarding the accident and its causes in the investigation report.

 

TIP

To identify causal factors, board members must have a clear understanding of the relationships among the events and the conditions that allowed the accident to occur. Events and causal factors charting provides a graphical representation of these relationships.

Constructing the Chart. Constructing the events and causal factors chart should begin immediately. However, the initial chart will be only a skeleton of the final product. Many events and conditions will be discovered in a short amount of time, and therefore, the chart should be updated almost daily throughout the investigative data collection phase. Keeping the chart up to date helps ensure that the investigation proceeds smoothly, that gaps in information are identified, and that the investigators have a clear representation of accident chronology for use in evidence collection and witness interviewing.

Investigators and analysts can construct an events and causal factors chart using either a manual or computerized method. Accident investigation boards often use both techniques during the course of the investigation, developing the initial chart manually and then transferring the resulting data into computer programs.

The manual method employs removable adhesive notes to chronologically depict events and the conditions affecting these events. The chart is generally constructed on a large conference room wall or many sheets of poster paper. Accident events and conditions are recorded on removable adhesive notes and affixed sequentially to the wall in the board's conference room or "command center."  Because the exact chronology of the information is not yet known, using removable adhesive notes allows investigators to easily change the sequence of this information and to add information as it becomes available. Different colored notes or inks can be used to distinguish between events and conditions in this initial manual construction of the events and causal factors chart.

If the information becomes too unwieldy to manipulate manually, the data can be entered into a computerized analysis program. Using specialized analytical software, investigators can produce an events and causal factors graphic, as well as other analytical trees or accident models.

Whether using a manual or a computerized approach, the process begins by chronologically constructing, from left to right, the primary chain of events that led to an accident. Secondary and miscellaneous events are then added to the events and causal factors chart, inserted where appropriate in a line above the primary sequence line. Conditions that affect either the primary or secondary events are then placed above or below these events. Figure 7-1 illustrates the basic format of the events and causal factors chart. Guidelines for constructing the chart are shown in Table 7-3.

A sample summary events and causal factors chart (Figure 7-2) uses data from the case study accident. It illustrates how data may become available during an accident investigation, and how a chart would first be constructed and subsequently updated and expanded.

 

Figure 7-1. Simplified events and causal factors chart.

Fig7-1.jpg (22248 bytes)

 

Table 7-3. Guidelines and symbols for preparing an events and causal factors chart.

Table 7.jpg (112177 bytes)

 

Figure 7-2. Sample of an events and causal factors chart (in progress).

Fig7-2.jpg (229791 bytes)

 

Figure7-2. (Continued)

Fig7-2b.jpg (238533 bytes)

 

Figure7-2. (Continued)

Fig72c.jpg (183086 bytes)

 

 

Depending on the complexity of the accident, the chart may result in a very large complex sequence of events covering several walls in the "command center." For the purpose of inclusion in the investigation report and closeout briefings, the chart is generally summarized.  Note that "assumed conditions" appear in the final chart. These are conditions the board presumed impacted the accident sequence, but the effect could not be substantiated with evidence.

7.3.2 Barrier Analysis

Barrier analysis is based on the premise that hazards are associated with all accidents. Barriers are developed and integrated into a system or work process to protect personnel and equipment from hazards (see Figure 7-3 below). For an accident to occur, there must be:

  • A hazard, which comes into contact with

  • A target, because

  • Barriers or controls were not in place, unused or failed

Figure 7-3.  Barriers are intended to protect personnel and property against hazards.

wpe1B.jpg (16518 bytes)

A hazard is the potential for an energy flow to result in an accident or other adverse consequence. Energy flow is the transfer of energy from its source to another destination. This transfer of energy can be either wanted or unwanted. For example, the flow of electricity through an electrical cable to a piece of equipment is a desired energy flow. A worker coming into contact with that electricity is an undesired energy transfer. As used here, energy is defined broadly as the capacity to do work. Energy could be, for example, kinetic, biological, acoustical, chemical, electrical, mechanical, potential, electromagnetic, thermal, or radiation.

A target is a person or object that a hazard may damage, injure, or fatally harm.

A barrier is any means used to control, prevent, or impede the hazard from reaching the target.

Investigators use barrier analysis to identify hazards associated with an accident and the barriers that should have been in place to prevent it. This analysis addresses:

  • Barriers that were in place and how they performed

  • Barriers that were in place but not used

  • Barriers that were not in place but were required

  • The barrier(s) that, if present or strengthened, would prevent the same or a similar accident from occurring in the future.

Figure 7-4 shows types of barriers that may be in place to protect workers from hazards.

Figure 7-4.  Barriers to protect workers from hazards.

Figure 7-42.jpg (42733 bytes)

When analyzing barriers, investigators should first consider how the hazard and target could come together and what was in place or was required to keep them apart. Obvious physical barriers are those placed directly on the hazard (e.g., a guard on a grinding wheel); those placed between a hazard and target (e.g., a railing on a second-story platform); or those located on the target (e.g., a welding helmet). Management system barriers may be less obvious, such as the exposure limits required to minimize harm to personnel or the role of supervision in ensuring that work is performed safely. The investigator must understand each barrier's intended function and location, and how it failed to prevent the accident.

To analyze the performance of physical barriers, investigators may need several different types of data, including:

  • Plans and specifications for the equipment or system

  • Procurement and vendor technical documentation

  • Installation and testing records

  • Photographs or drawings

  • Maintenance histories.

To analyze management barriers, investigators may need to obtain information about barriers at three organizational levels responsible for the work: the activity, facility, and institutional levels. For example, at the activity level, the investigator will need information about the work planning and control processes that governed the work activity, as well as the relevant safety management systems. This information could include:

  • Organizational charts defining supervisory and contractor management roles and responsibilities for safety

  • Training and qualification records for those involved in the accident

  • Hazard analysis documentation

  • Hazard control plans

  • Work permits

  • The work package and procedures that were used during the activity.

The investigator may also need information about safety management systems at the facility level. This kind of information might include:

  • The standards and requirements that applied to the work activity, such as occupational exposure limits or relevant Occupational Safety and Health Administration regulations

  • The facility technical safety requirements and safety analysis report

  • Safety management documentation that defines how work is to be planned and performed safely at the facility

  • The status of integrated safety management implementation.

The third type of information the investigator may need would be information about the institutional-level safety management direction and oversight provided by senior line management organizations. This kind of information might include:

  • Policy, orders, and directives

  • Budgeting priorities

  • Resource commitments.

The investigator should use barrier analysis to ensure that all failed, unused, or uninstalled barriers are identified and that their impact on the accident is understood. However, the investigator must cross-validate the results with the results of other core analytic techniques to identify which barrier failures were contributory or root causes of the accident.

Constructing a Worksheet. A barrier analysis worksheet is a useful tool in conducting a barrier analysis. A blank worksheet is provided at the end of this section. Table 7-4 illustrates a worksheet that was partially completed using data from the case study. Steps used for completing this worksheet are provided below.

Table 7-4. Sample barrier analysis worksheet.

Hazard: 13.2 kV electrical cable

Target: Acting pipefitter

What were the barriers?

How did each barrier perform?

Why did the barrier fail?

How did the barrier affect the accident?

Engineering drawings

Drawings were incomplete and did not identify electrical cable at sump location

Engineering drawings and construction specifications were not procured

Drawings used were preliminary

No as-built drawings were used to identify location of utility lines

Existence of electrical cable unknown

Indoor excavation permit

Indoor excavation permit was not obtained

Pipefitters and utility specialist were unaware of indoor excavation permit requirements

Opportunity to identify existence of cable missed

Personal protective equipment

Personal protective equipment was not used

No hazard controls were required for jackhammering

Pipefitter not protected from electric shock

 

Basic Barrier Analysis Steps

Step 1:  Identify the hazard and the target.  Record them at the top of the worksheet.  "1.3.2 kV electrical cable.  Acting piptfitter."

Step 2:  Identify each barrier.  Record in column one.  "Engineering drawings.  Indoor excavation permit. Personal protective equipment."

Step 3:  Identify how the barrier performed (What was the barrier's purpose?  Was the barrier in place or not in place?  Did the barrier fail?  Was the barrier used if it was in place?)  Record in column two.   "Drawings were incomplete and did not identify electrical cable at sump location.  Indoor excavation permit was not obtained.  Personal protective equipment was not used."

Step 4:  Identify and consider probable causes of the barrier failure.  Record in column three.  "Engineering drawings and construction specifications wer enot procured.  Drawings used were preliminary, etc."

Step 5:  Evaluate the consequences of the failure in this accident.  Record evaluation in column four.  "Existence of electrical cable unknown."

 

TIP

Although a barrier analysis will identify the failure in an accident scenario, the failures may not all be causal factors.  The barrier analysis results directly feed into the events and causal factors chart and subsequent causal factors determination.

Analyzing the Results. The results of barrier analysis are first derived and portrayed in tabular form, then summarized graphically to illustrate, in a linear manner, the barriers that were unused or that failed to prevent an accident. Results from this method can also reveal what barriers should have or could have prevented an accident.

In the tabular format, individual barriers and their purposes are defined. Each is considered for its effectiveness in isolating, shielding, and controlling an undesired path of energy.

Figure 7-5 provides an example of a barrier analysis summary. This format is particularly useful for illustrating the results of the analysis in a clear and concise form. Figure 7-6 provides an example of a barrier analysis summary that highlights the five core functions of integrated safety management. These summary charts are an effective graphic in closeout briefings and in the final report.

 

Figure 7-5. Summary results from a barrier analysis reveal the types of barriers involved.

Figure 7-5.jpg (49950 bytes)

 

 

Figure 7-6.  Summary results from a barrier analysis can highlight the role
of the core functions in an accident.

Figure 7-6.jpg (58753 bytes)

7.3.3 Change Analysis

Change is anything that disturbs the "balance" of a system operating as planned. Change is often the source of deviations in system operations. Change can be planned, anticipated, and desired, or it can be unintentional and unwanted. Workplace change can cause accidents, although change is an integral and necessary part of daily business. For example, changes to standards or directives may require facility policies and procedures to change, or turnover/retirement of an aging workforce will change the workers who perform certain tasks. Change can be desirable, for example, to improve equipment reliability or to enhance the efficiency and safety of operations. Uncontrolled or inadequately analyzed change can have unintended consequences, however, and result in errors or accidents.

TIP

Change analysis is particularly useful in identifying obscure contributing causes of accidents that result from changes in a system.

Change analysis examines planned or unplanned changes that caused undesired outcomes. In an accident investigation, this technique is used to examine an accident by analyzing the difference between what has occurred before or was expected and the actual sequence of events. The investigator performing the change analysis identifies specific differences between the accident-free situation and the accident scenario. These differences are evaluated to determine whether the differences caused or contributed to the accident. For example, why would a system that operates correctly 99 times out of 100 fail to operate as expected one time?

Conducting Change Analysis. Change analysis is relatively simple to use. As illustrated in Figure 7-7 it consists of six steps. The last step, in which investigators combine the results of the change analysis with the results from other techniques, is critical to developing a comprehensive understanding of the accident.

When conducting a change analysis, investigators identify changes as well as the results of those changes. The distinction is important, because identifying only the results of change may not prompt investigators to identify all causal factors of an accident.

 

Figure 7-7.  The change analysis process is relatively simple.

Figure 7-7.jpg (24203 bytes)

The results of a change analysis can stand alone, but are most useful when they are combined with results from other techniques. For example, entering change analysis results into the events and causal factors chart helps to identify potential causal factors.

To conduct a change analysis, the analyst needs to have a baseline situation. This baseline situation can be:

  • The same situation but before the accident (e.g., previous shift, last week, or last month)

  • A model or ideal situation (i.e., as designed or engineered).

Generally, it is recommended that boards compare the accident sequence to the same situation in an accident-free state—the operation prior to the accident—to determine differences and thereby identify accident causal factors. In order for the comparison to be effective, investigators must have sufficient information regarding this baseline situation.

The following data sources can be a starting point for acquiring a good working knowledge of the system, facility, or process under study prior to the accident or event; however, the list of input requirements should be tailored to fit the specific circumstances and needs of the investigation:

  • Blueprints

  • Equipment description documents

  • Drawings

  • Schematics

  • Operating and maintenance procedures

  • Roles and responsibilities

  • Job/task descriptions

  • Personnel qualifications

  • Results of hazard analysis

  • Performance indicators

  • Personnel turnover statistics.

A sample change analysis worksheet is presented at the end of this section for reference. This worksheet may be modified as necessary to meet specific requirements.

To develop the information needed to conduct a change analysis, it is useful for the board to list any changes they identify from their information-gathering activities on a poster board set up in the board's common meeting room. At the beginning of the investigation, the board members should simply note the changes they identify as they find them and not worry about analyzing the significance of the changes. Often, in the early stages of an investigation, there is insufficient information to determine whether a change is important or not.

As the investigation progresses, it will become clear that some of the changes noted on the poster board are insignificant and can be crossed off the list. The remaining changes that seem to be important for understanding the accident can then be organized by entering them into the change analysis worksheet.

Board members should first categorize the changes according to the questions shown in the left-hand column of the worksheet. That is, the board should determine if the change pertained to, for example, a difference in:

  • What events, conditions, activities, or equipment were present in the accident situation that were not present in the baseline (accident-free, prior, or ideal) situation (or vice versa)

  • When an event or condition occurred or was detected in the accident situation versus the baseline situation

  • Where an event or condition occurred in the accident situation versus where an event or condition occurred in the baseline situation

  • Who was involved in planning, reviewing, authorizing, performing, and supervising the work activity in the accident versus the accident-free situation

  • How the work was managed and controlled in the accident versus the accident-free situation.

Reviewing the worksheet may also prompt the investigators to identify additional changes that were not originally listed.

To complete the remainder of the worksheet, first describe each event or condition of interest in the column labeled, "Accident Situation." Then describe the related event or condition that occurred (or should have occurred) in the baseline situation in the column labeled, "Prior, Ideal, or Accident-Free Situation."   The difference between the events and conditions in the accident and the baseline situations should be briefly described in the column labeled, "Difference."  As a group, the board should then discuss the effect that each change had on the accident and record the evaluation in the final column of the worksheet.

Table 7-5 below shows a partially completed change analysis worksheet containing information from the case study to demonstrate the change analysis approach. The worksheet allows the user to compare the "accident situation" with the "accident-free situation" and evaluate the differences to determine each item's effect on the accident.

A change analysis summary, as shown in Table 7-6, is generally included in the accident investigation report. It contains a subset of the information listed in the change analysis worksheet. The differences or changes identified can generally be described as causal factors and should be noted on the events and causal factors chart and used in the root cause analysis, as appropriate.

Table 7-5. Sample change analysis worksheet.

Factors

Accident Situation

Prior, Ideal, or Accident-Free Situation

Difference

Evaluation of Effect
WHAT

Conditions, occurrences, activities, equipment 

  1. Design and ES&H reviews were not performed.
  2. Established review process was bypassed.
  3. Hazards associated with the work being performed were not identified. No review of as-built drawings. No excavation permit. No underground utility survey.
  1. Project design and ES&H review are performed by appropriate groups to ensure adequate review and the safety and health of employees.
  2. Construction packages are approved by facilities project delivery group.
  3. A preliminary hazard analysis is performed on all work.
  1. Environmental Group assumed design role and removed ES&H review from task.
  2. Environmental Group approved work packages.
  3. No preliminary hazard analysis was performed on construction task.
  1. Design and ES&H reviews were not performed, contributing to the accident.
  2. Construction packages were not approved by facilities group.
  3. Hazards were not identified, contributing to the accident.
WHEN

Occurred, identified, facility status, schedule

 e e e e
WHERE

Physical location, environmental conditions

 Sump location was placed above a 13.2 kV electrical line. Sump is placed in a non-hazardous location. Inadequate design allowed sump to be located above a 13.2 kV line. Sump location was placed above an electrical line, which was contacted by a worker jackhammering in the area.
WHO

Staff involved, training, qualification, supervision

 Environmental Group assumed line responsibility for project. Environmental Group serves as an oversight/support organization to assist line management in project. Support organization took responsibility of line function for project management. Lack of oversight on project.
HOW

Control chain, hazard analysis monitoring

 Management allowed Environmental Group to oversee construction tasks. Management assures that work is performed by qualified groups. Hazards analysis was not conducted. Hazards were not identified, contributing to the accident.
OTHER e e e e

NOTE: The factors in this worksheet are only guidelines but are useful in directing lines of inquiry and analysis.

 

Table 7-6. Case Study: Change analysis summary.

Prior or Ideal Condition

Present Condition

Difference
(Change)

Environmental Group serves as an oversight/support organization to assist line management in project.

Environmental Group assumed line responsibility for project.

Support organization takes responsibility for a line function.

Project design and ES&H reviews are performed by appropriate groups to ensure adequate review and the safety and health of employees.

Environmental Group assumed design role and removed ES&H review from task.

Design and ES&H reviews were not performed.

Work is stopped when unexpected conditions are found.

Work continued.

No opportunity to analyze and control hazards of changed work conditions.

A preliminary hazard analysis is performed on all work.

No preliminary hazard analysis was performed on maintenance task.

Hazards associated with the work were not identified. No review of as-built drawings. No excavation permit. No underground utility survey.

Sump is placed in a non-hazardous designated location.

Sump was located above a 13.2 kV electrical line.

Inadequate design allowed sump to be located above a 13.2 kV line.

Note: A potential weakness of change analysis is that it does not consider the compounding effects of incremental change (for example, a change that was instituted several years earlier coupled with a more recent change). To overcome this weakness, investigators may choose more than one baseline situation against which to compare the accident scenario. For example, decreasing funding levels for safety training and equipment may incrementally erode safety. Comparing the accident scenario to more than one baseline situation (for example, one year ago and five years ago and then comparing the one- and five-year baselines with each other) can help identify the compounding effects of changes.

7.3.4 Events and Causal Factors Analysis

The following describes the process for using the events and causal factors chart to determine the causal factors of an accident. This process is an important first step in later determining the root causes of an accident. The results of this analysis can be used with a tier diagram (see Section 7.3.5.1) if desired. The quality and accuracy of root cause analysis depends on the results of the events and causal factors analysis. Therefore, the events and causal factors analysis must be complete and thorough.

Events and causal factors analysis requires deductive reasoning to determine which events and/or conditions contributed to the accident.

Getting Started. Before starting to analyze the events and conditions noted on the chart, the board must first ensure that the chart contains adequate detail. Both change and barrier analyses should be conducted and the results incorporated into the chart before the analysis begins. Also, the board must resolve any obvious gaps in data before this analysis begins.

By the time the board is ready to conduct a preliminary analysis of the chart, a great deal of time will have been devoted to adding, removing, and rearranging events and conditions on the chart. In all likelihood, the chart will be lengthy, possibly containing 100 events or more. Given the magnitude of data, one can become overwhelmed with where to begin identifying causal factors. It is easiest and most efficient to begin with the event on the chart that immediately precedes the accident and work backwards.

Conducting the Analysis. Examine the first event that immediately precedes the accident. Evaluate its significance in the accident sequence by asking, "If this event had not occurred, would the accident have occurred?" If the answer is, "The accident would have occurred whether this event happened or not" (e.g., worker punched in to work at 0700), then the event is not significant. Proceed to the next event in the chart, working backwards from the accident.

If the answer to the evaluation question is, "The accident would not have occurred without this event," then determine whether the event represented normal activities with the expected consequences. If the event was intended and had the expected outcomes, then it is not significant. However, if the event deviated from what was intended or had unwanted consequences, then it is a significant event.

Carefully examine the events and conditions associated with the significant event by asking a series of questions about this event chain, such as:

  • Why did this event happen?

  • What events and conditions led to the occurrence of the event?

  • What went wrong that allowed the event to occur?

  • Why did these conditions exist?

  • How did these conditions originate?

  • Who had responsibility for the conditions?

  • Are there any relationships between what went wrong in this event chain and other events or conditions in the accident sequence?

  • Is the significant event linked to other events or conditions that may indicate a more general or larger deficiency?

The significant events, and the events and conditions that allowed the significant events to occur, are the accident's causal factors.

Repeat this questioning process for every event in the chart. As a causal factor is identified, write a summary statement that describes the causal factor on an adhesive note of a unique color and place the note above the event chain from which it was derived, as shown in Figure 7-8 below, when constructing the chart manually. If a computer graphics program is used to construct the chart, use a hexagon to represent causal factors.

Figure 7-8. Events and causal factors analysis; driving events to causal factors.

Fig7-8.jpg (76338 bytes)

 

Sometimes events and conditions from several different event chains are related and suggest a larger, more significant causal factor. For example, in two side-by-side event chains, the conditions "procedure did not address electrical hazard" and "electrical hazard not discussed in pre-job brief" may indicate that the electrical hazard was not identified in the hazard analysis for the activity. In such a case, the board can write a causal factor concerning the hazard analysis, place it on the chart, and connect it with an arrow to the two event chains from which it was derived (see Figure 7-9 below). Alternatively, the board can record the same causal factor twice and place it above each of the applicable event chains.

Figure 7-9. Grouping root causes on the events and causal factor chart.

Fig7-9.jpg (103883 bytes)

 

TIP

Not all event chains will produce causal factors. However, it is important to prepare a complete set of events in order to understand the circumstances leading up to the accident and to assure that all significant events have been identified.

After these steps have been completed for each event on the chart, the process should be repeated with all board members to ensure that nothing has been overlooked and that consensus has been reached.

When the board is satisfied that all causal factors have been identified on the chart, efforts can then be focused on initiating the root cause analysis.

7.3.5 Root Cause Analysis
TIP

Root cause analysis should be conducted for every occurrence, regardless of severity or complexity.  Minor incidents often foreshadow more serious events.

Accidents are symptoms of larger problems within a safety management system. Although accidents generally stem from multiple causal factors, correcting only the local causes of an accident is analogous to treating only symptoms and ignoring the "disease."  To identify and treat the true ailments in a system, the root causes of an accident must be identified. Root cause analysis is any technique that identifies the underlying deficiencies in a safety management system that, if corrected, would prevent the same and similar accidents from occurring.

Root cause analysis is a systematic process that uses the facts and results of the core analytic techniques to determine the most important reasons for the accident. Root cause analysis is not an exact science and therefore requires a certain amount of judgment. The intent of the analysis is to identify and address only those root causes that can be controlled within the system being investigated, excluding events or conditions that cannot be reasonably anticipated and controlled, such as some natural disasters. The core analytic techniques—events, and causal factors analysis, barrier analysis, and change analysis—provide answers to an investigator's questions regarding what, when, where, who, and how. Root cause analysis is performed to resolve the question, "Why?"

Once several (or all) of the recommended core analytic techniques have been performed, the accident investigation board should have a broad understanding of the accident's events and conditions, along with a fairly extensive list of suspected causal factors. A root cause analysis is performed to refine the list of causal factors and categorize each according to its significance and impact on the accident.

Refining causal factors entails identifying any commonality or linkages that suggest more fundamental causal factors. The core functions and guiding principles of integrated safety management provide a useful framework for grouping causal factors and identifying the underlying safety management deficiencies that caused the accident. For example, causal factors in an accident might include "failure to follow procedures," "failure to establish a fire watch," and "failure to stop work when unanticipated conditions arose." By reviewing the five core functions of integrated safety management, it becomes clear that each of these causal factors reflects an underlying failure to perform work within controls, which is core function #4. Other causal factors in an accident may demonstrate similar relationships with the other core functions and guiding principles. The underlying management system deficiency, as defined by the related causal factors, is a candidate root cause.

There may be more than one root cause of a particular accident, but probably not more than three or four. If more are thought to exist at the conclusion of the analysis, the board should re-examine the list of causal factors to determine which causes can be further combined to reflect more fundamental (root) causes. This section provides some examples of root cause analysis and discusses analytical tools that can help accident investigators determine the root causes of an accident.

TIP

In any accident, there may be a series of causal factors, one leading to another.  One of the most important responsibilities of the investigation board is to pursue each factor in the series until the board is assured that actual root causes are identified.

Conducting the Analysis. To initiate a root cause analysis, the facts surrounding the accident must be known. In addition, the facts must be analyzed using other analytic methods to ascertain an initial list of causal factors. A rather exhaustive list of causal factors must be developed prior to the application of root cause analysis to ensure that final root causes are accurate and comprehensive.

TIP

If a root cause analysis is attempted before all the significant facts are known or the full spectrum of causal factors is determined, it is likely that the systemic root causes will not be discovered.

The board should examine the evidence collected from the accident scene, witness statements, interviews, and facility documents. It should then determine whether additional information will be needed for the particular root cause technique they are performing.

It is important that the accident investigation board work together to determine the root causes of an accident. One of the board's primary responsibilities is to identify an accident's causal factors so that judgments of need can be prepared and appropriate corrective measures can be developed and implemented. Therefore, all board members must participate in the root cause analysis; it cannot be left solely to a single member of the board.

Root cause analysis can be performed using computerized or manual techniques. Regardless of the method, the intent is to use a systematic process for identifying root causes.

Manual root cause analysis methods include tier diagramming and compliance/noncompliance. Each is effective as a systematic method for identifying root causes. However, the compliance/noncompliance method reflects the limited applicability of certain techniques and underscores the need for the board to select analytic methods commensurate with the accident's scope, complexity, and severity.

Computerized techniques can be somewhat more sophisticated and generally speed the process of root cause identification. It is important to note, however, that computerized techniques are dependent on the quality and quantity of data input. Moreover, at least one member of the board should be very familiar with the software package, including its limitations. An overview of these methods is provided below.

7.3.5.1 Tier Diagraming

Tier diagraming is a technique used to identify both the root causes of an accident and the levels of line management that have the responsibility and authority to correct the accident's causal factors.

The board uses tier diagrams to hierarchically categorize the causal factors derived from the events and causal factors analysis. A different diagram is developed for each organization responsible for the work activities associated with the accident. Each diagram is divided into several tiers, depending on the number of management levels in the organization under consideration.

The first diagram should focus on the organization to which the persons (or equipment) directly involved in the accident belonged, usually a contractor or subcontractor organization. The tiers for the first diagram should represent levels of organizational responsibility ranging from the worker level to senior management, as shown in the example tier diagram worksheet in Table 7-7 below. If the accident occurred during subcontractor activities, the first diagram would be composed of the tiers within the subcontractor's organization. A second diagram should then be developed to represent the contractor organization for which the subcontractor was working. A third diagram should be developed to represent the DOE line and oversight organizations responsible for the contractor's (and subcontractor's) activities.

Table 7-7.  Tier diagram worksheet for a contractor organization

Tier

Causal Factors

Root Causes
(optional column)
Tier 5: Senior Management e e
Tier 4: Middle Management e e
Tier 3: Lower Management e e
Tier 2: Supervision e e
Tier 1: Worker Actions e e
Tier 0: Direct Cause e e

In a series of steps, causal factors from the events and causal factors chart are evaluated. Each causal factor is assigned to a level of management responsibility in the tier diagram(s). Linkages among causal factors are then identified and possible root causes are developed. Review of the integrated safety management core functions and guiding principles assists in this synthesis.

Tier diagraming is helpful in identifying and analyzing root causes because it:

  • Helps the board organize and categorize the causal factors identified on the events and causal factors chart

  • Provides a structured method for linking causal factors into higher-level, fundamental organizational deficiencies (root causes)

  • Provides a structured and repeatable approach for assigning management or oversight responsibility for each causal factor

  • Requires the board to assign responsibility for causal factors, from which appropriate judgments of need can later be developed

  • Assists the board in visually and physically organizing significant causal factor data.

Before initiating a root cause analysis using the tier diagram method, the board should be satisfied with the results of the events and causal factors analysis. In addition, the board must have a solid understanding of the line and oversight organizations responsible for the activities associated with the accident.

Getting Started. Once the events and causal factors analysis is complete, a number of causal factors are noted on the events and causal factors chart. These will be the input to the tier diagrams and root cause analysis. Provided below are step-by-step instructions for completing the root cause analysis using tier diagraming. Guidelines and other reminders follow the instructions.

Step 1. Identify significant events/conditions. Review the causal factors listed on the events and causal factors chart to focus only on significant events or conditions (i.e., causal factors).

Step 2. Assign letter designators. Starting at the beginning of the chart, assign a letter to each causal factor (A, B, C...) on an adhesive note. Place the same letter designator on the actual chart where that causal factor is affixed.

Later, the analyst will remove the adhesive notes and place them on the tier diagram. By noting where the causal factor originated, the analyst can easily return to the event chain if a question arises during the root cause analysis.

Step 3. Develop tier diagram framework. Using Table 7-7 as a model, create a tier diagram with the number of tiers commensurate with the line organization being examined. The grid can be drawn on large butcher paper, a white board, or any other large surface for displaying to the board members. For the purposes of this section, a typical contractor organization with six tiers (0-5) is assumed. A review of organizational charts, work control logs, and other such documentary evidence may be helpful in completing this step.

Step 4. Begin with Tier 0. Remove the "direct cause statement" adhesive note and place it in Tier 0, "direct cause."  Remove all other causal factor adhesive notes and place them in Tier 1, "worker actions."

Step 5. Evaluate Tier 1. Beginning with causal factor "A," ask whether the "worker actions–Tier 1" is the organizational level responsible for this causal factor; that is, can this causal factor be attributed to the worker(s) involved in the accident? Use the sample questions listed in Table 7-8 as guidance in completing this step. These questions were derived from the integrated safety management framework and reflect the typical responsibilities for developing and implementing safety management systems that are associated with each of the management levels.

Step 6. Evaluate Tier 2. If the causal factor can be attributed to the worker, ask whether the causal factor is solely attributable to the "worker actions" tier. Did the worker's supervisor have any responsibility for this causal factor? If not, leave the causal factor in Tier 1. If the supervisor had any responsibility for this causal factor, write a letter "A"; in Tier 1 and physically move the causal factor adhesive note to Tier 2.

Step 7. Evaluate other tiers. Continue a similar line of inquiry about the causal factor at each successive tier until satisfied that the causal factor is placed in the tier commensurate with the highest level of responsibility or authority for it. Again, as a causal factor is moved to higher tiers, note the letter designation in the tier from which it is moved. For example, if responsibility for causal factor "A" is found to reside with upper management, the letter "A" should appear in Tiers 1 through 4, with the actual adhesive note placed in Tier 5. If responsibility for the causal factor lies with DOE line management or oversight, move the adhesive note to the tier diagram(s) for the DOE organizations involved.

Table 7-8. Categories and questions for completing root cause analysis tier diagram.

Tier

Typical Integrated Safety Management Responsibilities

Sample Questions for Consideration in Assigning Causal Factors to Management Levels
Tier 5: Senior Management
  • Develop safety policy
  • Communicate policy and expectations
  • Prioritize activities and allocate resources
  • Oversee compliance with contract terms and conditions
  • Monitor safety performance

 

 

 

 
  • Did senior management establish documented safety policies and goals?
  • Were ES&H performance expectations for subcontractor organizations clearly communicated and understood?
  • Was senior management proactive in assuring timely implementation of integrated safety management by line organizations, subcontractors, and workers?
  • Did senior management define and maintain clearly delineated roles and responsibilities for ES&H to effectively integrate safety into sitewide operations?
  • Was senior management involved in the sitewide prioritization of work?
  • Was a process established to ensure that safety responsibilities were assigned to each person (employees, subcontractors, temporary employees, visiting researchers, vendor representatives, lessees, etc.) performing work?
  • Did senior management hold line managers accountable for safety performance through performance objectives, appraisal systems, and visible and meaningful consequences?
  • Did senior management institutionalize the stop-work authority philosophy?
Tier 4: Middle Management
  • Same as Senior Management with smaller span of control, e.g., a facility, rather than an entire site
  • Develop plans and programs to implement policy
  • Oversee problem identification/corrective action processes
  • Solicit and respond to feedback and lessons learned
  • Did management implement policy through plans and programs developed?
  • Was management aware of the status of plans and program implementation?
  • When problems occurred, did management request feedback on the nature of problems?
  • Did management have a system for monitoring and measuring organizational performance?
  • Was a stop-work authority communicated to the organization?
  • Was management involved in the development and implementation of corrective actions?

 

Table 7-8.  Example tier diagram approach.  (Continued)

Tier

Typical Integrated Safety Management Responsibilities

Sample Questions for Consideration in Assigning Causal Factors to Management Levels
Tier 3: Lower Management
  • Develop procedures to implement plans and programs
  • Ensure hazard awareness and communication
  • Oversee work planning and execution
  • Solicit and use worker input
  • Implement corrective actions
  • Were required procedures developed and kept current to assure a safe worker environment?
  • Did management implement required programs for worker safety?
  • Was management aware of problems regarding procedure implementation and compliance?
  • Was management involved in the work planning, control, and execution process?
  • Did management have a system for eliciting feedback on work-related hazards?
  • Did management take timely corrective actions when problems occurred or were identified?
  • Did management have a system for identifying and disseminating work process lessons learned?
  • Was stop-work authority defined for first line supervisors and their staff?
Tier 2: Supervision
  • Control the work scope
  • Identify hazards
  • Implement hazard controls
  • Authorize job/tasks
  • Provide feedback and lessons learned
  • Were supervisor's work instructions adequate to allow the work to be performed safely?
  • Was the work environment safe?
  • Were required procedures provided or communicated to the worker by supervision?
  • Did the supervisor provide feedback to management on prior incidents and/or safety concerns?
  • Did the supervisor discuss job hazards with the worker prior to starting work?
  • Did the supervisor implement timely corrective actions based on previous incidents?
  • Did the supervisor confirm the readiness to perform work prior to the execution of work?
  • Did the supervisor provide the worker with the proper tools and equipment to perform the work safely?
  • Did the supervisor define stop-work authority for workers?
Tier 1: Worker Actions
  • Maintain technical competence
  • Perform work within controls
  • Identify hazards and report incidents
  • Stop work, if necessary
  • Were the worker's knowledge, skills and abilities adequate to perform the job safely?
  • Did the worker understand the work to be performed?
  • Were communications adequate to inform the worker of any hazards?
  • Was the worker knowledgeable of the type and magnitude of hazards associated with the work?
  • Was the work covered by procedures?
  • Was the worker trained on the procedures?
  • Did the worker have the right tools and equipment to perform the job safely?
  • Did the worker have stop-work authority?
  • Did the worker understand she/he had stop-work authority?
Tier 0: Direct Cause e e

Step 8. Repeat for each causal factor. Repeat steps 5 through 7 for each causal factor previously placed in Tier 1 of the diagram.

Step 9. Identify linkages. After arranging all the causal factors on the tier diagrams, examine the causal factors to determine whether there is linkage between two or more of them. For example, are two or three causal factors similar enough to indicate poor conduct of operations? Or perhaps several causal factors are related to a lack of worker training. If linkages exist, group the adhesive notes at the highest level where a linkage occurs (see Figure 7-10 below). For example, if causal factors "B" and "F" in Tier 3 are related to causal factor "H" in Tier 4, remove "B" and "F" (noting their location), and affix them to "H" in Tier 4. Next, if one of the causal factors statements accurately describes the commonality among the grouped causal factors, let that causal factor represent the grouping. If not, write a causal factor statement that captures the common theme of all the causal factors in that particular grouping. This statement becomes a potential root cause.

Figure 7-10.  Identifying the linkages on the tier diagram.

Fig7-10.jpg (87797 bytes)

 

Table 7-8 and Appendix D provide typical questions to assist the board identify safety management deficiencies that may have played a role in the accident. If there are two or more causal factors from the tier diagram that relate to deficiencies in implementing a specific core function or guiding principle, consider developing a potential root cause statement that describes the underlying management system deficiency in terms of the core function or guiding principle. For example, several causal factors related to deficiencies in skills, abilities, or knowledge may indicate that line management has failed to assure that worker competence is commensurate with their responsibilities, reflecting a failure to implement Guiding Principle #3.

The board members should continue to examine all of the causal factors until they are satisfied that all applicable linkages have been made.

Step 10. Identify root causes. Evaluate each of the causal factor statements that now appear on the charts. Compare each statement to the definition of a root cause to determine whether it appears to be a root cause of the accident. This step will generally involve a great deal of discussion among board members.

TIP

If a causal factor does not meet the criteria for a root cause, do nothing, it remains a contributing cause of the accident.

If a causal factor (singly or representing a group) meets the criteria for a root cause, denote it as such either using the letters "RC" (root cause) or by some other means. You may find that you need to create a root cause statement based on one or more causal factors. If so, write a summary causal factor statement and place it on the appropriate tier. The board may choose to add a third column, "Root Causes," to the tier diagram (Figure 7-10). The advantage of adding this column is that moving the root cause statements makes them stand out, along with the associated level of management responsibility.

The root cause analysis may reveal causal factors that are not on the events and causal factors chart. These should be added to both the events and causal factors chart and the tier diagram to assure that they are consistent and reflect all of the causal factors as a basis for root cause analysis.

Step 11. Simplify root cause statements. There may be more than one root cause of a particular accident, but probably not more than three. If there are more than that at the end of the tier diagram analysis, the board should re-examine the list of root causes to determine which ones can be further combined to reflect more fundamental deficiencies.

When the board is satisfied that the root causes have been accurately identified and the number of root causes is not excessive, the root cause analysis is complete. The board should capture the essence of the root cause analysis for the accident investigation report, noting the direct, contributing, and root causes of the accident in order to develop judgments of need.

Guidelines and Reminders:

  • Root causes may be found in any tiers of any diagrams. However, they are generally found in higher tiers because that is where managers are most responsible for directing and overseeing activities.

  • The root cause of an accident can be found at the worker level of the tier diagram if, and only if, the following conditions are found to exist:

  • Management systems were in place and functioning, and provided management with feedback on system implementation and performance
  • Management took appropriate actions based on the feedback
  • Management, including supervision, could not reasonably have been expected to take additional actions based on their responsibilities and authorities.
  • Root causes can be found at more than one level of an organization. For example, one root cause may be attributable to Tier 3, while two other root causes are attributable to Tier 5.
  • Root causes are generally attributable to an action or lack of action by a particular group or individual in the line organization.
  • Each "corporate" organization is considered separately for its responsibility in the accident. For example, in DOE, a management and operating (M&O) contractor would be considered as one organization, and DOE would be considered as a second organization. Consequently, the results of one tier diagram may be the input of another. For example, if the upper management of an M&O contractor was responsible for a particular root cause, DOE may share responsibility for that particular root causethere may be a deficiency in the directives given from DOE, insufficient oversight, or some other DOE responsibility that was inadequately fulfilled.

7.3.5.2 Compliance/Noncompliance

The compliance/noncompliance technique is useful when investigators suspect noncompliance to be a causal factor. This technique compares evidence collected against three categories of noncompliance to determine the root cause of a noncompliance issue. As illustrated in Table 7-9 below, these are: "Don't Know," "Can't Comply," and "Won't Comply." Examining only these three areas limits the application of this technique; however, in some circumstances, an accident investigation board may find the technique useful.

Table 7-9. Compliance/noncompliance root cause model categories.

Don’t Know

Can’t Comply

Won’t Comply
Never knew This is often an indication of poor training or failure in a work system to disseminate guidance to the working level. Scarce resources Lack of funding is a common rebuttal to questions regarding noncompliance. However, resource allocation requires decision-making and priority- setting at some level of management. Boards should consider this line of inquiry when examining root causes pertaining to noncompliance issues. No reward An investigator may have to determine whether there is a benefit in complying with requirements or doing a job correctly. Perhaps there is no incentive to comply.
Forgot This is usually a local, personal error. It does not reflect a systemic deficiency, but may indicate a need to increase frequency of training or to institute refresher training. Don’t know how This issue focuses on lack of knowledge (i.e., the know-how to get a job done). No penalty This issue focuses on whether sanctions can force compliance, if enforced.
Tasks implied This is often a result of lack of experience or lack of detail in guidance. Impossibility This issue requires investigators to determine whether a task can be executed. Given adequate resources, knowledge, and willingness, is a worker or group able to meet a certain requirement? Disagree In some cases, individuals refuse to perform to a standard or comply with a requirement that they disagree with or think is impractical. Investigators will have to consider this in their collection of evidence and determination of root causes.

The basic steps for applying the compliance/noncompliance technique are:

  • Have a complete understanding of the facts relevant to the event
  • Broadly categorize the noncompliance event
  • Determine why the noncompliance occurred (i.e., the subcategory or underlying cause).

For example, investigators may use this technique to determine whether an injured worker was aware of particular safety requirements, and if not, why he or she was not (e.g., the worker didn't know the requirements, forgot, or lacked experience). If the worker was aware but was not able to comply, a second line of questioning can be pursued. Perhaps the worker could not comply because the facility did not supply personal protective equipment. Perhaps the worker would not comply in that he or she refused to wear the safety equipment. Lines of inquiry are pursued until investigators are assured that a root cause is identified.

Lines of questioning pertaining to the three compliance/noncompliance categories follow. However, it should be noted that these are merely guides; an accident investigation board should tailor the lines of inquiry to meet the specific needs and circumstances of the accident under investigation.

  • Don't Know: Questions focus on whether an individual was aware of or had reason to be aware of certain procedures, policies, or requirements that were not complied with.
  • Can't Comply: This category focuses on what the necessary resources are, where they come from, what it takes to get them, and whether personnel know what to do with the resources when they have them.
  • Won't Comply: This line of inquiry focuses on conscious decisions to not follow specific guidance or perform to a certain standard.

By reviewing collected evidence, such as procedures, witness statements, and interview transcripts, against these three categories, investigators can pursue suspected compliance/noncompliance issues as causal factors.

Although the compliance/noncompliance technique is limited in applicability, by systematically following these or similar lines of inquiry, investigators may identify causal factors and judgments of need.

7.3.5.3 Automated Techniques

Several root cause analysis software packages are available for use in accident investigations. Generally, these methods prompt the investigator to systematically review investigation evidence and record data in the software package. These software packages use the entered data to construct a tree model of events and causes surrounding the accident. In comparison to the manual methods of root cause analysis and tree or other graphics construction, the computerized techniques are quite time-efficient. However, as with any software tool, the output is only as good as the input; therefore, a thorough understanding of the accident is required in order to use the software effectively.

Many of the software packages currently available can be initiated from both PC-based and Macintosh platforms. The Windows-based software packages contain pulldown menus and employ the same use of icons and symbols found in many other computer programs. In a step-by-step process, the investigator is prompted to collect and enter data in the templates provided by the software. For example, an investigator may be prompted to select whether a problem (accident or component of an accident) to be solved is an event or condition that has existed over time. In selecting the "condition" option, he or she would be prompted through a series of questions designed to prevent a mishap occurrence; the "event" option would initiate a process of investigating an accident that has already occurred.

TIP

Analytical software packages can help the board:

  • Remain focused during the investigation
  • Identify interrelationships among data
  • Eliminate irrelevant data
  • Identify causal factors (most significantly, root causes).

The graphics design features of many of these software packages can also be quite useful to the accident investigation board. With little input, these software packages allow the user to construct preliminary trees or charts; when reviewed by investigators, these charts can illustrate gaps in information and guide them in collecting additional evidence.

It is worth underscoring the importance of solid facts collection. While useful, an analytic software package cannot replace the investigative efforts of the board. The quality of the results obtained from a software package is highly dependent on the skill, knowledge, and input of the user.

7.4 Using Advanced Analytic Methods

The four core techniques can be effectively applied to many investigations, but the analysis of more complex accidents may have to be supplemented with more sophisticated techniques. These techniques require in-depth knowledge and specialized expertise beyond the scope of this workbook. However, several are discussed briefly here to ensure awareness of their applicability to the accident investigation process. The chairperson, board members, and any subject matter experts should determine which methods to employ, based on their familiarity with various methods and the severity and complexity of the accident.

7.4.1 Analytic Trees

Analytic tree analyses are well defined, useful methods that graphically depict, from beginning to end, the events and conditions preceding and immediately following an accident. An analytic tree is a means of organizing information that helps the investigator conduct a deductive analysis of any system (human, equipment, or environmental) to determine critical paths of success and failure. Results from this analysis identify the details and interrelationships that must be considered to prevent the oversights, errors, and omissions that lead to failures. In accident investigations, this type of analysis can consist of both failure paths and success paths, and can lead to neutral, negative, or positive conclusions regarding accident severity.

TIP

An analytic tree enables the user to:

  • Systematically identify the possible paths from events to outcome
  • Display a graphical record of the analytical process
  • Identify management system weaknesses and strengths.

The analytic tree process begins by clearly defining the accident; "branches" of the tree are constructed using logic symbology. Following is a summary overview of the approach to constructing an analytic tree, which is illustrated in Figure 7-11 below. It should not be inferred that this is the only way to construct or use analytic trees, since a variety of analytic tree methods is available.

Figure 7-11.  The analytic tree process begins with the accident as the top event.

Fig7-11.jpg (112607 bytes)

 

As the events at the bottom branches of the tree become more specific, the causal factors of the accident are developed. When the event at the bottom contains no other events that allowed it to occur, a decision must be made regarding whether the event is a causal factor or is not relevant to the outcome of the accident (top event). When processed through the logic gate, each bottom tier should be necessary and sufficient to lead directly to the failure or success of the event on the next higher tier.

The steps required to prepare an analytic tree are described below.

Step 1. Define the top event as the accident. As in events and causal factors analysis, the event should be defined as a single, discrete event, such as "worker strikes 13.2 kV primary feeder cable."

Step 2. Acquire a working knowledge of the accident effects, the work situation, and the upstream processes that preceded them. A comprehensive understanding of the management system is also needed to develop the tree.

Step 3. Based on the facts, postulate the possible scenarios by which the accident occurred. All accidents are complex events that become interrelated to produce the unwanted event (accident). This step should force the investigator to analyze the facts of the accident and try to visualize all possible scenarios. As the investigation continues and as new evidence is introduced, a different scenario could develop. Before the tree is constructed, it is important to visualize it using different possible scenarios consistent with the facts.

Step 4. Construct the analytic tree, starting with the top event and using the proper logic gates and symbols. The tiers beneath the top event should explain the reason for failure or success of that event. The proper use of symbols and transfers is crucial to understanding this graphic model.

Step 5. It is important for each board member to validate the analytical tree for completeness, logic, and accuracy. As new facts and evidence are discovered, the tree must be updated to reflect these changes. The validation process should begin as soon as the tree is constructed. The purpose of this validation review is to confirm that:

  • The tree meets its intended objectives
  • The management systems are fully and clearly described
  • Inputs to logic gates are necessary and sufficient to logically produce the stated output events.

Step 6. Each relationship between events should be evaluated to determine the causal factors of the accident (top event). As these tiers flow down to the end events, the specific events of the analytic tree will be developed and will help describe why the top event occurred, by organizing the accident's evidence in a way that helps the board identify the accident's causal factors. Though the chart is highly structured, identifying root causes is not a mechanical process. Considerable reasoning and judgment are required from the board to determine root and contributing causes.

Step 7. Add to the analytic tree as new evidence is acquired and new possible scenarios are developed. The tree must be a working analytical tool that will have several iterations before the final tree is developed. If new possible scenarios are introduced, do not reject the scenario if it does not fit the tree. It might be necessary to construct a new tree for a new scenario. It is important that all possible scenarios be considered; they should be rejected only because they do not fit the facts, not because they are improbable.

Step 8. Through the iterative process of fact-finding and analysis identify the causal factors.

The basic conventions for constructing an analytic tree are to:

  • Use common and accepted graphic symbols for events, logic gates, and transfers. (Figure 7-12 below displays the symbols used in analytic trees.)

Figure 7-12.  Analytic trees are constructed using symbols.

Fig7-12.jpg (186161 bytes)

  • The analytic tree should be constructed as simply as the accident allows. The tree should flow logically from the top event to the more specific events. If an event occurs that has no relevance to the accident, a diamond symbol should note that there is no further development of this event.
    •
  • Keep the tree logical. The tree should be validated at each level to ensure that each contributing event logically proceeds to the top event. The lower-tier input events should be only those that are necessary and sufficient to produce the next tier event. It is important for events to logically flow to other events that are supported by the facts.
    •
  • Use the proper logic gate that describes the relationship between the events. The proper selection and use of the logic gates will identify the interaction between lower-tier events and the top event.
    •
  • The event descriptions should be simple, clear, and concise. The descriptions should be sufficiently detailed and logical that they can be understood without referring to another section.
    •
  • The final analytic tree should be limited in the number of tiers placed on a single page. For legibility and readability, it is best that only four or five tiers be placed on a single page.
    •
  • Use a common numbering system for the events. Each event is identified by the decimal numbering system. The number of digits in the decimal event numbering system should correspond to the tier on which the event is located. (For example, the fourth tier will contain four digits.) This system for numbering will uniquely describe an event and systematically trace its development through subbranches and branches to the first-tier event. Each successively higher-level event can be identified by dropping the last digit from the number. For example:
    •

1
1.1
1.1.1
1.1.1.1
1.1.1.1.1		 Top Event
First Tier
Second Tier
Third Tier
Fourth Tier
Fifth Tier
  • A modified decimal system for numbering events can be adapted for transfer symbols, beginning with the letter designation for the transfer. If the transfer letter is A, then the corresponding numbers could be A.1.3.2. The numbering system is the same as the decimal system, with an alphabetic symbol as the first digit corresponding to the transfer. The fourth subtier that is transferred would be labeled as shown below:
D
D.2
D.2.2
D.2.2.1
D.2.2.1.2		 Transfer
First Subtier
Second Subtier
Third Subtier
Fourth Subtier
  • Use transfers to avoid duplication of identical branches or segments of the tree and to reduce single-page tree complexity. Whenever two or more gate output events have identical details in the substructures contributing to their occurrence, that substructure should be constructed under only one of the output events; it should then be transferred to the others through the use of transfer symbols. The event must be identical to be transferrable. Transfers should also be used below the bottom-tier events on a page to indicate continuance of subbranches of those events on other pages. Whenever there is insufficient space on a page to develop a branch below an event at any level, a transfer immediately below that event indicates that the branch is developed on another page.
  • Do not number or letter logic gates; use numeric and alphanumeric decimal identification designations only for events.
  • Follow the left-to-right convention of indicating time sequencing or order of performance for related events on a single tier. It should also be apparent that a higher-tier event has greater significance (more impact on the top event) and occurs later than the more detailed contributory events located on lower tiers within its branch.

Below, Figure 7-13 shows an example format for the layout of an analytic tree. Although each accident will dictate its own shape, this example displays all elements in an analytic tree. Figure 7-14 is an example of a completed analytic tree for a grinding wheel accident. The lowest tier shows that the tool rest was not set correctly, the operator did not wear goggles, and the machine guard was removed for convenience. This example displays how the lower-tier elements contribute (flow) to the top event.

Figure 7-13.   The layout of an analytic tree shows logical relationships.

Fig7-13.jpg (66602 bytes)

Figure 7-14.  A completed analytic tree shows the flow of lower-tier elements to top event.

Fig7-14.jpg (138625 bytes)

7.4.2 Management Oversight and Risk Tree Analysis (MORT)

MORT—a comprehensive analytical tree technique—was originally developed for DOE to help conduct nuclear criticality and hardware analysis. It was later adapted for use in accident investigations and risk assessments. Basically, MORT is a graphical checklist, but unlike the events and causal factors chart, which must be filled in by investigators, the MORT chart contains generic questions that investigators attempt to answer using available factual data. This enables the investigator to focus on potential key causal factors. The MORT chart's size can make it difficult to learn and use effectively. For complex accidents involving multiple systems, such as nuclear systems failures, MORT can be a valuable tool but may be inappropriate for relatively simple accidents. MORT requires extensive training to effectively perform an in-depth causal analysis of complex accidents. If needed, the MORT analysis is usually performed by board members with substantial previous experience in using the MORT techniques.

TIP

The benefits of MORT are that it:

  • Uses the analytic tree method to systematically dissect an accident
  • Serves as a detailed road map by requiring investigators to examine all possible causal factors (e.g., assumed risk, management controls or lack of controls, and operator error)
  • Looks beyond immediate causes of an accident and instead stresses close scrutiny of management systems that allowed the accident to occur
  • Permits the simultaneous evaluation of multiple accident causes through the analytic tree.

In evaluating accidents, MORT provides a systematic method (analytic tree) for planning, organizing, and conducting a comprehensive accident investigation. Through MORT analysis, investigators identify deficiencies in specific control factors and in management system factors. These factors are evaluated and analyzed to identify the causal factors of the accident.

Detailed knowledge and understanding of management and operating systems is a prerequisite to a comprehensive MORT analysis. Therefore, it is most effective if investigators have collected substantial evidence before initiating the MORT process. The management system data required include procedures, policies, implementation plans, risk assessment program, and personnel. Information about the facility, operating systems, and equipment is also needed. This information can be obtained through reviews of physical evidence, interview transcripts, management systems, and policies and procedures.

The symbols used on the MORT chart are similar to those used for other analytical trees. The symbols that differ for the MORT chart are the scroll normally expected event) and the oval satisfactory event). The event distinguishes events that are typically a part of any system, such as change and normal variability. The satisfactory event describes events that may be accident causal factors but are a necessary part of the operation, such as functional (part of the system) and people or objects in the energy channel. In addition to using the traditional transfer symbol (triangle), the MORT chart includes capital letters as drafting breaks and small ovals as risk transfers.

The first step of the process is to obtain the MORT charts and select the MORT chart for the safety program area of interest evaluating each event. Next, the investigators work their way down through the tree, level by level, proceeding from known to unknown. Events should be coded in a specific color relative to the significance of the event (accident). The color-coding system used in MORT analysis is shown in Table 7-10 below. An event that is deficient, or less than adequate (LTA) in MORT terminology, is marked red. The symbol is circled if suspect or coded in red if confirmed. An event that is satisfactory is marked green in the same manner. Unknowns are marked in blue, being circled initially and colored in if sufficient data do not become available, and an assumption must be made to continue or conclude the analysis.

It is not useful to start on the first day by marking everything as needing more information (color-coded blue). Instead, start marking the first MORT chart with red and black for events where there is sufficient evidence. Ideally, all blue blocks eventually are replaced by one of the other colors; however, this may not always be possible.

Table 7-10. MORT color coding system.

Color Code

Significance

Red

The event is less than adequate. Corrective actions are needed. All events colored red must be documented and supported with facts and analyzed as potential causal factors of the accident.

Green

The event is satisfactory and adequate. Credible evidence must support this event to ensure that no corrective actions need to be identified for this event.

Blue

The event has insufficient evidence or information to evaluate. Additional facts or evidence must be collected to analyze this event.

Black

The event is not applicable or relevant to the accident. The event does not need any further investigation.

When the appropriate segments of the tree have been completed, the path of cause and effect (from lack of control by management, to basic causes, contributory causes, and root causes) can easily be traced back through the tree. This becomes a matter of following the red events through the various logic gates. The tree highlights quite clearly where controls and corrective actions are needed and can be effective in preventing recurrence of the accident.

Figures 7-15 through 7-17 show three MORT charts. Below, Figure 7-15 displays the injury, damage, other costs, performance lost, or degraded event. Figure 7-16 describes the incident, barriers, and persons or objects. Figure 7-17 is an evaluation of the management system factors.

Figure 7-15.  The initial MORT chart uses logic symbols.

Fig7-15.jpg (100911 bytes)

 

Figure 7-16.  The accident description can be shown on a MORT chart.

Fig7-16.jpg (190082 bytes)

Figure 7-17.  Management system factors can be shown on a MORT chart.

Fig7-17.jpg (107691 bytes)

 

7.4.3 Project Evaluation Tree (PET) Analysis

PET is an efficient means of performing an in-depth analysis of an operation, project, or system. This analytical tree method is best suited for performing hazard and accident analyses, but it can also be used to identify preventive measures. PET was developed to capture the philosophy and methodology of MORT, but eliminate the complexity of the more than 1,500 logic gates in MORT.

Using PET in an accident investigation requires detailed information regarding the various components of the system, operation, or accident situation, such as procedures, personnel, facilities, and equipment. Using logic symbology, an analyst traces each component of a system through the tree's branches to evaluate each element as a potential causal factor.

TIP

The key benefits of the PET analysis are that it:

  • Provides a simplified approach that applies the tenets of MORT
  • Categorizes information into three main branches—procedures, personnel, and plant or hardware—enabling investigators to examine the factors that impact an accident relatively simply and quickly.

PET is structured for evaluation and analysis of procedures, personnel, and facilities/ hardware. (An example of a PET chart used to analyze procedures is shown in Figure 7-18 below.) PET analysis requires detailed information on these three dimensions. Evaluation of procedures requires procedural instructions, reviews and safety evaluations, work plans, work package instructions, and other data. Personnel evaluation requires job descriptions, organizational charts, training records, course curricula, course materials, interviews, and other data. If the accident was facility- or hardware-related, then drawings, procurement documents, specifications, test plans, system safety plans, hazard analyses, and budget data are required to conduct a comprehensive PET analysis. The scope and depth of the accident investigation dictate the input requirements.

The first step is to organize the data into procedures, personnel, and facilities/hardware. These data are then systematically evaluated using the appropriate PET chart. The next step is to color-code the events. Red is used for events that are less than adequate (LTA), green for events that are satisfactory (adequate), black for events that are not relevant to the accident, and blue for areas that need additional investigation or analysis to reach a decision. (This color-coding system is the same system used for MORT.)

After the chart is completed and the events are color-coded, PET worksheets should be used to evaluate each red item. A PET analysis worksheet is provided at the end of this section. This worksheet is similar to the barrier analysis and change analysis worksheets. It provides the basis for the narrative summary of the analysis.

Figure 7-18. This branch of the PET chart deals with procedures.

Fig7-18.jpg (142007 bytes)

7.5 Other Analytic Techniques

Other analytic techniques may be used for specific investigations, depending on the nature and complexity of the accident. Ultimately, the analytic techniques used in any investigation should be determined by the board chairperson with input from the board members and advisors/consultants. To conduct an effective and timely investigation, the choice normally should be limited to the techniques discussed above. However, if warranted by the circumstances of the accident investigation, experts in various analytic methods may be called upon to use other analytic techniques. It is also important for investigators to understand that many of these analytical processes may have been completed prior to the accident and may be included in authorization basis documentation (e.g., safety analysis reports). This information is useful to the board in developing and understanding its own analysis of the accident. Following are brief descriptions of additional analytic techniques that might be used.

The list of techniques provided in this workbook is not exhaustive. Other analytic techniques that may yield important results for a particular investigation may be necessary and used at the board's discretion.

7.5.1 Time Loss Analysis

Time loss analysis evaluates emergency response performance. The basic assumption of this technique is that every accident sequence has a natural progression that would occur without outside intervention by emergency response personnel (e.g., a fire would eventually burn out without the aid of firefighters).

With this technique, the natural course of accident events is plotted graphically against time. A second line is plotted that shows the positive effect of emergency responders on the natural course of events (i.e., decreasing the end-time of the accident). A second line also can be plotted that displays emergency response actions that made the natural course of events worse or prolonged the end-time of the accident (for example, by contributing to additional injuries). This technique begins with the accident, compares actual events and processes with an ideal response process, and continues until loss ceases.

Time loss analysis is not widely used in accident investigations; however, it can be useful in cases where additional response activities could have decreased the severity of the accident or where investigators suspect that emergency response actions were less than sufficient. Figure 7-19 below displays a time loss analysis chart.

Figure 7-19.  Time loss analysis can be used when emergency response is in question.

Fig7-19.jpg (51114 bytes)

7.5.2 Human Factors Analysis

Human factors analysis identifies elements that influence task performance, focusing on operability, work environment, and management elements. Humans are often the weakest link in a system and can be the system component most likely to fail. Often machines are not optimally designed for operators, thereby increasing the risk of error. High-stress situations can cause personnel fatigue and increase the likelihood of error and failure. Therefore, methods that focus on human factors are useful when human error is determined to be a direct or contributing cause of an accident.

7.5.3 Integrated Accident Event Matrix

An integrated accident event matrix illustrates the time-based interaction between the victim and other key personnel prior to the accident and between the emergency responders and the victim after the accident. It analyzes at what time key personnel performed certain tasks both before and after the accident. This technique complements the events and causal factors chart, but is more specific about the timing of accident events; it is a simple and effective way to develop the accident scenario around the facts related to key personnel and appropriate tasks.

7.5.4 Failure Modes and Effects Analysis

This method is most often used in the hazard analysis of systems and subsystems; it is primarily concerned with evaluating single-point failures, probability of accidents or occurrences, and reliability of systems and subsystems. This technique examines a system's individual subsystems, assemblies, and components to determine the variety of ways each component could fail and the effect of a particular failure on other equipment components or subsystems. If possible, the analysis should include quantified reliability data.

7.5.5 Software Hazards Analysis

This analytic technique is used to locate software-based failures that could have contributed to an accident. This technique may be increasingly important in the future as more operations and systems associated with an accident become computerized and therefore dependent on software.

7.5.6 Common Cause Failure Analysis

Common cause failure analysis evaluates multiple failures that may be caused by a single event shared by multiple components. Common causes of failures in redundant systems are analyzed to determine whether the same failure contributed to the accident. The general approach to common cause failure analysis is to identify critical systems or components and then use barrier analysis to evaluate the vulnerability to common environmental hazards, unwanted energy flows, and barrier failures. This method is useful for accidents in which multiple barriers failed and a common cause failure contributed to the accident.

7.5.7 Sneak Circuit Analysis

A sneak circuit is an unanticipated energy path that can enable a failure, prevent a wanted function, or produce a mistiming of system functions. Sneak circuit analysis is mainly performed on electronic circuitry, but it can also be used in situations involving hydraulic, pneumatic, mechanical, and software systems. It identifies ways in which built-in design characteristics enable an undesired function to occur or prevent desired functions from occurring. Its importance lies in the distinction from component failure. Sneak circuit failure results from circuit design. Sneak circuit analysis generally employs inductive reasoning and is difficult to employ without the appropriate proprietary software.

7.5.8 Materials and Structural Analysis

Materials and structural analysis is used to test and analyze physical evidence. This technique has made significant contributions to developing credible scenarios and determining the cause of several accidents. It is used whenever hardware, material failure, or structural integrity is a possible issue, but the cause of the failure is unknown.

7.5.9 Design Criteria Analysis

This method involves the systematic review of standards, codes, design specifications, procedures, and policies relevant to the accident. This tool is useful in identifying whether codes exist, how standards or codes were circumvented, and codes or standards that should be in place to prevent recurrence. It can be used similarly to change analysis to examine the accident to determine whether work processes deviated from existing standards, codes, or procedures (i.e., was a piece of equipment used properly as designed and specified?).

7.5.10 Accident Reconstruction

Although not widely used in DOE accident investigations, accident reconstruction may be useful when accident scenes yield sketchy, inconclusive evidence. This method uses modeling to reconstruct the accident-related equipment or systems (i.e., from accident to pre-accident state). Good reconstruction can be more accurate than witness statements, because it applies the laws of physics and engineering.

7.5.11 Scientific Modeling

Scientific modeling models the behavior of a physical process or phenomenon. The methods, which range from simple hand calculations to complex and highly specialized computer models, cover a wide spectrum of physical processes (e.g., nuclear criticality, atmospheric dispersion, groundwater and surface water transport/dispersion, nuclear reactor physics, fire modeling, chemical reaction modeling, explosive modeling). For example, several computer models have been developed to predict the concentrations of hazardous materials in the air at downwind locations from a release. Such modeling is useful in characterizing the consequences of an accidental release of a hazardous material to the atmosphere. Similarly, nuclear criticality models (e.g., the SCALE package or the KENO code) can analyze scenarios that could lead to a critical configuration. In the event of a nuclear criticality, such models could be useful in understanding how the event occurred and what factors were important to the accident scenario (e.g., the presence of "moderating" or "reflecting" materials, such as water, can be very important).

Although useful in some circumstances, scientific modeling is not necessary for most accident investigations. It is only performed for accident scenarios involving complex physical processes (e.g., nuclear criticality, fires, "runaway" chemical reactions and explosions) and is not normally needed for typical occupational and industrial accidents. When scientific modeling is deemed appropriate, it should be performed at the direction of technically competent personnel (e.g., specialists, consultants, or board members who have the requisite technical backgrounds and familiarity with the models being used).

All scientific models have inherent assumptions and uncertainties that limit their accuracy. The board should recognize such limitations when considering the results of scientific models during the accident investigation process. Sometimes the facility in which an accident occurred may choose to perform scientific modeling and may provide those results to the board. In reviewing such results, the board should validate whether it is appropriate to obtain independent expertise to interpret the results and determine the validity of the modeling assumptions.

Key Points to Remember

Determining Facts

  • Begin defining facts early in the collection of evidence.

  • Develop an accident chronology (e.g., events and causal factors chart) while collecting evidence.

  • Set aside preconceived notions and speculation.

  • Allow the discovery of facts to guide the investigative process.

  • Consider all information for relevance and possible causation.

  • Continually review facts to verify accuracy and relevance.

  • Retain all information gathered, even that which is removed from the accident chronology.

  • Establish a clear description of the accident.

Analytical techniques are used to determine the causes of an accident. There are three types of causal factors: the direct cause, contributing causes, and root causes.

Conducting the Analysis

Four core analytic techniques are generally used in DOE accident investigations:

  • Events and causal factors charting and analysis: used to trace the sequence of events and conditions surrounding an accident, as well as to determine the causal factors

  • Barrier analysis: used to examine the effectiveness of barriers (management and physical) intended to protect persons, property, and the environment from unwanted energy transfers

  • Change analysis: used to examine planned or unplanned changes in a system and determine their significance as causal factors in an accident

  • Root cause analysis: used to identify the causal factors, including management systems, that, if corrected, would prevent recurrence of the accident.

Each of these technique has strengths and limitations that should be reviewed before applying it to any given accident. However, the use of the core analytical techniques should be sufficient for most accident investigations. Other techniques are available for complex accidents or when there are special circumstances or considerations. Some of these techniques are MORT, PET, materials and structural analysis, design criteria analysis, integrated accident event matrix, and scientific modeling. Other techniques are available for complex accidents or special accident circumstances.

The following should be considered when performing analyses:

  • Chart events in chronological order, developing an events and causal factors chart as initial facts become available.

  • Stress aspects of the accident that may be causal factors.

  • Establish accurate, complete, and substantive information that can be used to support the analysis and determine the causal factors of the accident.

  • Stress aspects of the accident that may be the foundation for judgments of need and future preventive measures.

  • Resolve matters of speculation and disputed facts through board discussions.

  • Document methodologies used in analysis; use several techniques to explore various components of an accident.

  • Qualify facts and subsequent analysis that cannot be determined with relative certainty.

  • Conduct preliminary analyses; use results to guide additional collection of evidence.

  • Analyze relationships of event causes.

  • Clearly identify all causal factors.

  • Examine management systems as potential causal factors.

  • Consider the use of analytic software to assist in evidence analysis.

 

DOE LOGO.gif (7763 bytes)Barrier Analysis Worksheet

 

Hazard:

 Target:

What were the barriers?

How did each
barrier perform?

Why did the barrier fall?

How did the barrier
affect the accident?
a

 

 

 a a a
a

 

 

 a a a
 

 

a

 a a a

 

DOE LOGO.gif (7763 bytes)Change Analysis Worksheet

 

Factors

Accident Situation

Prior, Ideal, or Accident-Free Situation

Difference

 Evaluation of Effect
WHAT
Conditions, occurences, activities, equipment		 a a a a
WHEN
Occured, identified, facility status, schedule		 a a a a
WHERE
Physical location, environmental conditions		 a a a a
WHO
Staff involved, training, qualification, supervision		 a a a a
HOW
Control chain, hazard analysis monitoring		 a a a a
Other a a a a

Note:  The factors in this worksheet are only guidelines but are useful in directing lines of inquiry and analysis.

 

DOE LOGO.gif (7763 bytes)PET Analysis Worksheet

Prepared by: _________________________________________
Date: _______________________________________________
Accident Investigation: _________________________________

Item No.

Item
Evaluated

PET
Event

Color

 Problem/
Comments		 Responsible
Person/Agency		 Status Final
Completion
Date
a

 

 

 

 

 

 

 

 

 a a a a a a a