Human Error: Anatomies of Accidents
Anthony J Spurgin
IEEE Section Meeting
8-26-2009
Outline of Presentation
• Introduction
• Accidents cover all industries
  – Listing of a number of accidents given
• Brief general discussions on some of the accidents
  – Role of NTSB and human reliability experts
  – View of the media
• Causes of accidents, including human error
  – In-depth analysis of a few accidents
• Lessons learned, effect of context
• Comments
Introduction: Some Assumptions About Accidents
• Everyone knows what an accident is: something that happens to others!
• Usual assumptions: random failures, usually involving people
• Humans cannot be relied upon and cause accidents
• Humans have to rescue us from machine failures
• Most accidents are due to single failures
• We cannot do anything about accidents
Analysis of Accidents
• Very visible accident reports from: nuclear, chemical plants, airplanes, railways, roads
• Brief discussion about the accidents
• Some accidents will be discussed in some detail
• NTSB accident reports focus on specific causes (comment)
• Human reliability specialists consider what the causes of accidents are and how to mitigate or minimize their effects
Industry         Accident            Date    Consequence
Nuclear          Three Mile Island   3/79    ~$2 billion; no short-term deaths
Nuclear          Chernobyl           4/86    Deaths: 36 short term, ~4,000 long term (and more)
Space            Challenger          1/86    Shuttle lost with crew (7)
Space            Columbia            2/03    Orbiter lost with crew (7) on re-entry
Air Transport    Tenerife            3/77    Two 747s; crews and most passengers (583 deaths)
Air Transport    JFK                 11/01   Airbus A300; 260 aboard plus 5 on the ground (265 deaths)
Petro-Chemical   Bhopal              12/84   3,000 immediate deaths; estimates of 8,000 or more
Petro-Chemical   Texas City          3/05    ~$1.5 billion; 15 deaths, 180 injured
Oil Rig          Piper Alpha         7/88    ~$3.5 billion; 165 deaths
Railway          Flaujac             8/85    31 deaths, 91 injured
Railway          King's Cross        11/87   31 deaths
Human Error
• Are Humans prone to errors?
• What leads to humans taking erroneous actions?
• Careful analysis of accidents indicates that one has to consider the context under which the accident took place
• The context can vary according to the accident
Accident Analysis Process
• Gain access to all available reports (official investigation reports first, then secondary sources such as Google and Wikipedia)
• Produce an independent evaluation of the events
• Produce an event sequence diagram of the events
• Draw conclusions relative to the various impacts on human error: design decisions, training, management involvement, etc.
NASA Challenger Accident

[Event sequence diagram; the OK / YES / NO / FAIL branch outcomes of the original figure are not recoverable from the extracted text. Contributing factors shown:]
• Incorrect SRB (solid rocket booster) design
• Inflexible O-rings
• Cold operating conditions
• Strong wind conditions / vibrations
• Launch decision
• Catastrophic Challenger failure
Three Mile Island Accident

[Event sequence diagram, reconstructed as an ordered list; the branch outcomes of the original figure are not recoverable]
1. Prior valve test of the auxiliary feedwater valves leaves key valves isolated
2. Operations on the feedwater system lead to loss of main feed
3. Turbine and reactor trip
4. Pressure-operated relief valve (PORV) opens
5. Auxiliary feedwater fails to start automatically: key valves isolated
6. Complete loss of secondary-side heat removal
7. Reactor pressure drops and safety injection (SI) is initiated
8. Instrument indication: PORV valve shut (the valve is in fact stuck open)
9. Boiling occurs in the core; steam in the reactor space pushes water out
10. Pressurizer level rises
11. Operators switch off safety injection
12. Initial core damage
13. Pressurizer relief tank (PRT) rupture disk fails; moisture detected in containment
14. Operators realize the accident is a small-break LOCA (SBLOCA)
15. Operators switch safety injection back on
16. Collapse of the core due to cold SI flow

[Plant schematic, components only: reactor, once-through steam generator, pressurizer, reactor coolant pump, condenser, turbine, alternator, main feedwater pump, auxiliary feedwater pump, safety injection pump, borated water tank, water storage tank, PORV, safety valves, pressurizer relief tank (PRT), containment]
JFK Airbus Accident

[Influence diagram; the ratings in the original figure (Inadequate / Poor / Good, Acceptable / Not acceptable, Little influence / Strong influence) cannot be matched to their factors from the extracted text. Factors shown:]
• Initiating event: 747-induced (wake) turbulence
• Pilot's response to the turbulence
• AA training program
• Airbus 300 fin/rudder structural problem
• Fin/rudder failure and crash
Boeing 747s Tenerife Accident

[Airport sketch: terminal, control tower, taxiway with exits 0 to 4, runway, other planes parked, KLM and Pan Am positions, accident site marked X]

[Event sequence diagram; the OK / Yes / No branch outcomes are not recoverable. Events shown:]
• Initiating event: bomb explosion (at Las Palmas, the original destination)
• Flights diverted to Tenerife; access congestion
• KLM on the runway, Pan Am moving on the runway
• Communications difficulties between tower and crews
• KLM captain decides to take off
• Accident
Texas City BP Refinery Accident

[Process schematic: raffinate splitter, blowdown tank, level indicators, charge pump, control valves, relief valves]

Texas City BP Plant Accident

[Event tree; the individual Yes / No branch outcomes are not recoverable from the extracted text. Nodes shown:]
• Initial event: operator fills the vessel
• Level indicator works?
• Level sensor alarm functions?
• Operator sees level approaching alarm state and acts to stop filling the vessel
• Operator hears alarm and acts to stop filling the vessel
• Operator notes level above alarm state and acts to stop filling the vessel
• Operator calculates level
• Stops feed (OK) / continues to feed the raffinate column
• Overfills raffinate unit
• Pressurizes raffinate column; pressure relief valve opens
• Isolates heat exchanger
• Fluid continues to leave the raffinate vessel
• Operator acts to stop feeding and dumps fluid to the dump column
• Overfills dump tank; fluid escapes
• Volatility of fluid affected by operator action (increases / does not increase volatility)
• Fluid ignites and kills/wounds persons
Flaujac (South West France) Railway Accident

[Event tree; branch outcomes not recoverable from the extracted text. Nodes shown:]
• Trains late
• Confusion over train schedule
• Good communications protocol? (Yes: possibly no crash)
• Passenger train not buffered from the express
• Trains crash
Human Error: Context Effects and other Observations
• Training
• Information Layout and Availability
• Procedure Layout and Organization
• Prior Design influences and effects
• Management Influences
Comments
• Official accident reviews often conclude that human error was the cause; often the human was set up to fail, and did
• PRAs (probabilistic risk assessments) rely on the combination of equipment failure and human error estimates to estimate the risk of operation
• The PRA is a good start to the process, but more needs to be done to cover things like the effects of design limits, and HRA (human reliability analysis) methods need to be based on context rather than on the task alone
• The predicted human error rate range is bounded, and this has consequences for any designer and manager
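The PRA step referred to in these comments, quantifying an event tree that combines equipment failure probabilities with human error probabilities (HEPs), is shown below as an added example; it is not part of the presentation and not the author's method. It also gives a quantified form to the event sequence diagrams built in the analysis process above. The barriers are loosely patterned on the Three Mile Island sequence, and every probability, the initiating-event frequency and the `hep_scale` context factor are hypothetical placeholders, not values from any published PRA or HRA.

```python
"""Event-tree quantification: initiating event, then a line of defence whose
barriers each either work (YES) or fail (NO). Success at any barrier ends
the sequence safely; the accident needs every barrier to fail, which is
why "most accidents are due to single failures" is listed as an assumption.

Added example for this page, not the author's code. All numbers are
hypothetical placeholders, not values from any published PRA.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Barrier:
    """One branch point: a safeguard that is challenged and either works or fails."""
    name: str
    p_fail: float   # probability the barrier fails when challenged (hypothetical)
    human: bool     # True: operator action estimated by an HRA; False: equipment


# Hypothetical line of defence, in the order the event sequence challenges it.
TMI_LIKE: List[Barrier] = [
    Barrier("Auxiliary feedwater available (valves not left isolated after test)", 1e-2, human=True),
    Barrier("PORV recloses after the reactor trip", 1e-2, human=False),
    Barrier("Operators diagnose the stuck-open PORV from indications", 0.3, human=True),
    Barrier("Operators keep safety injection running", 0.2, human=True),
]
INITIATING_EVENT_FREQ = 1.0  # hypothetical: loss of main feedwater, per reactor-year


def effective_p_fail(b: Barrier, hep_scale: float) -> float:
    """Scale the human branches by a context factor (a crude stand-in for the
    performance shaping factors an HRA applies); equipment branches are untouched.
    The result is clipped to [0, 1] so an extreme context cannot exceed certainty."""
    if not b.human:
        return b.p_fail
    return min(1.0, max(0.0, b.p_fail * hep_scale))


def enumerate_sequences(barriers: List[Barrier], hep_scale: float = 1.0) -> List[Tuple[str, float, str]]:
    """Walk the tree and return every end state as (path, probability, end_state),
    with the path written as one Y/N letter per barrier reached. The probabilities
    of all returned sequences sum to 1 (conditional on the initiating event)."""
    sequences = []
    p_reach = 1.0                      # probability of reaching the current branch point
    for i, b in enumerate(barriers):
        p_fail = effective_p_fail(b, hep_scale)
        sequences.append(("N" * i + "Y", p_reach * (1.0 - p_fail), "mitigated"))
        p_reach *= p_fail
    sequences.append(("N" * len(barriers), p_reach, "core damage"))
    return sequences


def accident_frequency(barriers: List[Barrier], ie_freq: float, hep_scale: float = 1.0) -> float:
    """Initiating-event frequency times the conditional probability of the all-fail path."""
    p_cd = sum(p for _, p, state in enumerate_sequences(barriers, hep_scale) if state == "core damage")
    return ie_freq * p_cd


def hep_bound_sensitivity(barriers: List[Barrier], ie_freq: float,
                          lo_scale: float, hi_scale: float) -> Tuple[float, float]:
    """Accident frequency at the lower and upper ends of a bounded HEP range:
    the spread between the two is what a designer or manager has to live with."""
    return (accident_frequency(barriers, ie_freq, lo_scale),
            accident_frequency(barriers, ie_freq, hi_scale))


def dominant_human_barrier(barriers: List[Barrier], hep_scale: float = 1.0) -> str:
    """The human action with the largest failure probability on the accident path,
    i.e. the first place training, display or procedure changes would pay off."""
    humans = [b for b in barriers if b.human]
    return max(humans, key=lambda b: effective_p_fail(b, hep_scale)).name


if __name__ == "__main__":
    for path, p, state in enumerate_sequences(TMI_LIKE):
        print(f"{path:<5} {state:<12} {p:.3e}")
    print("accident frequency /yr:", accident_frequency(TMI_LIKE, INITIATING_EVENT_FREQ))
    print("HEP bounds (x0.1 .. x3):", hep_bound_sensitivity(TMI_LIKE, INITIATING_EVENT_FREQ, 0.1, 3.0))
    print("dominant human barrier:", dominant_human_barrier(TMI_LIKE))
```

With the placeholder numbers, the all-fail path has probability 1e-2 × 1e-2 × 0.3 × 0.2 = 6e-6 per challenge, while scaling only the human branches between 0.1× and 3× moves the result across more than four orders of magnitude. That spread is the point of the last two comments: once the equipment side is fixed, the result is governed by the human error range and by the context multiplier applied to it, so an HRA that ignores context is quantifying the wrong tree.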