Security Rappel Tower Fatality at Savannah River Site Volume 2

3.8 SYSTEM PERFORMANCE ANALYSIS

The significant departures from normal operating conditions that preceded the accident are discussed in Section 3.8.1, Change Analysis, and Table 3-1. The performance of barriers and controls that could have prevented the accident are discussed in Section 3.8.2, Barrier Analysis, and Table 3-2.

Section 3.8.3, Fault Tree Analysis, was developed using a MORT logic diagram. This is a model of the generic events, basic events, and conditions that represent failures in the management control system. The causal factor analysis presented in Section 3.8.4, Root Cause Analysis, classifies causal factors as root causes and probable causes. These causal factors are discussed in Table 3-3.

3.8.1 Change Analysis

Change analysis was used to address the changes or departure from normal processes that led to the rappelling accident. The change analysis performed by the Board confirmed the results of the earlier events and causal factor analysis and the barrier analysis. The results of the change analysis are summarized in Table 3-1.

3.8.2 Barrier Analysis

Barriers are physical and administrative constraints that prevent an unwanted flow of energy. Barriers are divided into four categories and are listed below in the preferred order of application.

Control barriers - A general class of barriers that relate directly or indirectly to the protection of people or objects from an unwanted energy flow. These barriers are put in place during the design process.
Safety barriers - Safety devices or procedures to reduce hazards to an acceptable risk level that cannot be eliminated through design selection.
Warning devices - If it is not possible to preclude the existence of a hazard, then devices should be used for the timely detection of the condition and generation of a warning signal.
Special procedures - Procedures developed to enable operators to perform their functions safely.

All four categories of barriers were present or required to be present at the ATTA Range Rappel Tower. Table 3-2 summarizes the performance of barriers during the accident.

3.8.3 Fault Tree Analysis

The Board constructed the Fault Tree Analysis shown in Figure 3-10 as an analytical aid. A fault tree is a display of logic gates that shows failures or combinations of failures that led to the accident. An analysis of "failed" logic gates will identify effects that can be analyzed through a causal factor analysis.

3.8.4 Root Cause Analysis

The causal factor analysis presented in Table 3-3 utilizes techniques from MORT-based Root Cause Analysis and the Institute of Nuclear Power Operation's Good Practice OE-907, "Root Cause Analysis." Causal factors are classified as either probable or root causes. This classification is used to differentiate (1) causes that, if corrected, would not by themselves have prevented the accident, but are important enough to be recognized as needing corrective action to improve the quality of the process; and (2) the fundamental causes and associated corrective actions that, if corrected, will prevent recurrence of an event or adverse action.

Table 3-3. Causal Factor Analysis

Root Causes	Discussion
Management	Management did not specifically assign responsibility for hazard evaluation and identification to SRT supervision. As a result, management was not in control of the SWAT competition training process. Management did not provide for organizational communication between WSRC and WSI-SRS on the need for a safety review and risk analysis on the safety railings. The management control system was less than adequate.
Training	The SWAT competition training program was informal, was not based on approved lesson plans, and improperly exposed personnel to hazardous rappelling activities. The training did not use a graded approach with progression to the hazardous rappelling activities. There was no provision for risk-free failures in the training activities.
Policy Implementation	Policy and mission requirements conflict with policy implementation in the SR/WSI-SRS contract. This resulted in the WSI-SRS interpretation of rappelling as a mission requirement from the contract. Safety policy implementation was insufficient in that supervision was not specifically responsible for evaluation and identification of hazards and risks encountered in the performance of SRT training duties. Safety responsibilities are not identified in position descriptions. Safety policies did not control the training process in the SWAT competition training.
Risk Assessment and Hazard Analysis	A risk analysis was not performed during design on the new safety railings on the Rappel Tower. The hazards to rappelling activities were not identified and evaluated, and barriers and controls were not in place to protect team members.
Conduct of Operations	Conduct of operations as implemented by WSI-SRS was deficient because: The safety and risks associated with the Rappel Tower were not assessed. Supervision was not required to inspect the Rappel Tower. A design safety risk assessment was not performed on safety modifications to the Rappel Tower to ensure the modifications did not present additional risk to rappelling operation. Management oversight of the Rappel Tower was not adequate to ensure the training workplace was free from hazards that affect employees. Lesson plans were not in place for SWAT competition training, particularly the hazardous activities - Buddy Rappel and single-rope rappel. Policies and procedures did not ensure that the trainee personnel were effectively utilized and aware of all rappelling limits and hazards. There was not a barrier in place to prevent use of the safety railings beyond the operational capabilities. Acceptance criteria were not documented for returning the Rappel Tower to safe operation following the modifications. There was no provision in required reading for notifying personnel of the tower modifications. There was no ES&H safety walkdown of the tower modifications following safety rail installation or prior to rappelling.
DOE Oversight	Oversight did not reveal deficient conditions in WSI-SRS conduct of operations training and safety in rappelling operations.

Table 3-3. Causal Factor Analysis (continued)

Probable Causes	Discussion
Procedures	Procedures in effect at the time of the rappelling accident did not provide progression of safety responsibility, rope awareness and improperly granted an exception to rappelling on two ropes without an annual safety review.
Safety	The WSI-SRS ES&H organization did not conduct a safety inspection following the installation of the new safety railings on the Rappel Tower and did not evaluate the risks involved in the rappelling activities. WSRC did not provide a safety review of the safety rail design and did not perform a safety analysis of the interface between the safety rails and rappelling operations.
Supervision	Although supervisors are assigned responsibility for safety in procedures, the flowdown of this assigned responsibility is not contained in position descriptions of supervisors in the SRT ranks. This caused the safety railings modification not to be inspected by supervisors present at the accident scene. The rappelling procedure does not assign supervision responsibility for inspection of Rappel Tower modifications.
Design	Failure to conduct a safety review of the safety railings during design resulted in a lack of identification and evaluation of risks to tower fall protection during rappel activities. Barriers were not designed and installed on the safety railings prior to the start of the SWAT competition training. This was caused by a lack of a risk analysis and identification of the safety precedence sequence for the barriers.
Communications	The intent to train on the hazardous Buddy Rappel was not properly communicated to higher supervision nor was it properly discussed by supervision prior to the training. Information pertaining to the safety railings on the Rappel Tower was not adequately communicated to SRT personnel.
Equipment	New safety railings were installed on the Rappel Tower without an adequate safety review to identify the interface between rappelling operations, safety, and procedural requirements for inspections. Safety railings were used for rappelling, an activity for which they were not intended. The new safety railings were not inspected by WSI-SRS ES&H Division and SRT supervision.
Operational Readiness	The safety railings were not ready to be placed into service, and there was not a requirement for an operational readiness review. An operational readiness review with the user, designer, and Safety Division representative could have revealed the interface between rappelling operations and the hazardous safety railings.

Please send comments to support@tis.eh.doe.gov

Last Modified: Friday, 28-Feb-97 10:09:00