Non Newtonian View of Accidents

UNCLASSIFIED
A Non-Newtonian* Model of Accidents Nonand Accident Investigation

Roger Kruse, CSP
Los Alamos National Laboratory Los Alamos, New Mexico
* Isaac Newtons 3rd Law of Motion for every action there is an equal and opposite reaction
UNCLASSIFIED
Operated by the Los Alamos National Security, LLC for the DOE/NNSA
Credit where credit is due
Many of the concepts in this presentation are derived from publications by Erik Hollnagel, University of Linkping, Sweden and Sydney Dekker, Department of Aeronautical Engineering, Lund University, Sweden. Books I would recommend are: The Field Guide to Understanding Human Error, 2006, Dekker Just Culture, 2007, Dekker Barriers and Accident Prevention, 2004, Hollnagel The ETTO Principle: Efficiency-Thoroughness Trade-Off, 2009,
Hollnagel
UNCLASSIFIED
Operated by Los Alamos National Security, LLC for NNSA
What is an Accident Model?

A frame of reference, or stereotypical way of
thinking about an accident
An unspoken, but commonly held belief about

how accidents happen
UNCLASSIFIED
Why should I Care?
WYLFIWYF*
* What You Look For Is What You Find
What you find when you investigate an event is

influenced by the accident model you use
How you try to prevent accidents is influenced

by how you think they happen
UNCLASSIFIED
Evolution of Accident Models

Sequence of Events
(1930s (1970s Present) Present)
Not based on cause and effect
Epidemiological Systemic (Non-Newtonian)

(Emerging)
Based on cause and effect
UNCLASSIFIED
Sequence of Events Model

A simple, linear cause and effect model Accidents are seen as a series of events which occur
in a specific and recognizable order
Domino Theory of Accident Causation - H. W. Heinrich 1931
Caused by unsafe acts or conditions Prevented by fixing or eliminating the weak link or
inserting a barrier to interrupt the series of events
UNCLASSIFIED
Sequence of Events, continued

Sequential models can be intricate, including
hierarchies such as:
Event trees Fault trees
They are attractive because:

Easy to think in a linear series Easy to represent graphically And therefore, easier to understand
UNCLASSIFIED
Epidemiological Model
A complex, linear cause and effect model Accidents result from a series of active failures (unsafe
acts) and latent conditions (hazards)
Based on Accident Causation Model (Swiss Cheese) - James Reason 1990
Caused by degradation of defenses (organizational,

human, technical) Prevented by strengthening barriers and defenses
UNCLASSIFIED
Epidemiological, continued
Accidents result from deficiencies that lay dormant until
triggered by active failures
Focuses attention on the organizational issues and

views human error more as an effect, than a cause
More complex, but still linear with a clear path through

ordered defenses
Because it is linear, it oversimplifies the complex

interactions between the multitude of active failures and latent conditions
UNCLASSIFIED
Systemic Model
A complex, non-linear model Both accidents (and success) emerge from
subtle, unexpected interactions between relatively simple parts of a complex system
Non-Newtonian because cause and effect

relationships generally do not exist
Difficult to represent graphically because it is

non-linear
UNCLASSIFIED
10
Functional Resonance Accident Model (FRAM)

- Erik Hollnagel
UNCLASSIFIED
11
Another way to think about it
Accidents are unexpected combinations of

normal variability within the system
Because the variability is within expected

norms, the accidents are triggered by normal actions, rather than action failures
UNCLASSIFIED
12
Accidents are unexpected combinations of normal variability
Time
UNCLASSIFIED
13
Case Study Swedish Airlines MD-82 Overran End of Runway June 23, 1999
UNCLASSIFIED
14
Ground Spoilers
UNCLASSIFIED
15
How the spoilers and ABS work
Pilot arms spoilers before landing When the aircraft touches down, spoilers are
deployed:
when main gear wheels spin up, or front landing gear is compressed
Deployment of the spoilers activates the ABS

system
UNCLASSIFIED
16
MD-82 Forward Pedestal
Spoiler Lever
UNCLASSIFIED
17
Spoiler Lever Unarmed Armed
UNCLASSIFIED
18
Facts
Brake disks cold after landing Per the flight recorders, spoilers did not deploy
and the ABS did not activate
No technical fault with braking system Arming spoilers is a pre-landing checklist item
Co-pilot reads the checklist Pilot arms the spoilers after lowering landing gear
Co-pilot confirms spoilers deployed after landing
UNCLASSIFIED
19
Accident Board Conclusion The cause was inadequate Crew Resource Management (i.e. pilot error) because
The pilot did not arm spoilers before landing, The co-pilot did not report lack of spoiler
deployment after landing
UNCLASSIFIED
20
Old vs. New View of Human Error*

Human error is a cause of
accidents
Human error is a symptom of

trouble inside the system
To explain failure,
investigations must seek failure inaccurate assessments, wrong decisions and bad judgments
To explain failure, do not try

to find where people went wrong.
They must find peoples
Instead, find how peoples
assessments and actions made sense at the time, given the circumstances that surrounded them.
* Dekker, Sydney (2002)The Field Guide to Human Error Investigations

UNCLASSIFIED
21
Flight Crew Information
Pilot
49 years old 6,775 total flight hours 3,500 flight hours in type
Co-pilot
57 years old 17,000 total flight hours 7,000 flight hours in type
UNCLASSIFIED
22
Flight Crew Issues
The assigned co-pilot became ill and a

one with seniority serves as pilot
replacement pilot was called out on short notice.
If substitution is made during flight planning, the Per policy for short notice, the replacement pilot
assumed the duties of person (co-pilot) he replaced
UNCLASSIFIED
23
Effects of Scheduling Problem
Although fully qualified to perform the co-pilot

duties, the replacement pilot had not actually flown as co-pilot for 6 months
After landing, the co-pilot forgot to confirm

spoiler deployment
UNCLASSIFIED
24
ILS Approach Procedure
Lower Landing Gear (when glide slope active) Spoilers armed (when gear down and locked) Flaps FULL (when glide slope captured)
UNCLASSIFIED
25
ILS Approach Procedure
UNCLASSIFIED
26
ILS Approach Procedure with Timeline
At t = 0 At t = 10 At t = 16
Lower Landing Gear (when glide slope active) Spoilers armed (when gear down and locked) Flaps FULL (when glide slope captured)
UNCLASSIFIED
27
The problem is .
It normally takes ~ 10 seconds for gear to go

down and lock
Flight simulators allow 10 seconds for gear

down and locked
But on older aircraft, with worn hydraulics, gear

down and locked can take over 30 seconds to complete
UNCLASSIFIED
28
Timeline on Older Aircraft

At t = 0 Lower Landing Gear
At t = 30 Spoilers armed (when gear down and locked) At t = 16 Flaps FULL
Wind forces (180 knots) can compress landing gear as it is lowered Landing gear must be down and locked before spoilers armed
UNCLASSIFIED
29
Result
Checklist cannot be executed as written

pilot forced to skip step to arm spoiler pilot has to remember to arm spoiler later, when gear is actually down and locked
UNCLASSIFIED
30
Why not just use the brakes?

Excerpt from DC-9 (MD-82) Operating Manual
On extremely slippery runways at high speeds, the pilot is confronted with a rather gradual deceleration and may interpret the lack of an abrupt sensation of deceleration as a total antiskid failure. The natural response might be to pump the brakes or turn off the anti-skid. Either action will degrade braking effectiveness.
UNCLASSIFIED
31
Anything Abnormal? Taken Together:

Assigned co-pilot sick Replacement pilot called out on short notice Replacement pilot assigned as CP, per policy Replacement pilot had not flown recently as CP Pilot chose ILS approach Aircraft had slow landing gear hydraulics Spoilers cannot be armed before gear down ILS approach checklist can not be executed as written Flight simulator allows 10 sec to lower landing gear Wet runway Manual braking discouraged on slippery runways
UNCLASSIFIED
32
Accidents as unexpected combinations of normal variability
Time
UNCLASSIFIED
33
Seem ominous?
Accidents can happen when everything

appears normal
Modeling is difficult and time consuming Impact of subtle interactions is only apparent
after the event
Failure is not always predictable The A/I conclusion might be the accident was
not avoidable (except in hindsight)
What can you do?

UNCLASSIFIED
34
How do you feel about this?
Work as Imagined
Work as Done
UNCLASSIFIED
35
Things go right because:

Systems are well designed and maintained Work planners can anticipate and compensate
for abnormal conditions
Procedures are complete, correct and current People behave as they are expected to as
they are taught Therefore, humans are a liability and performance variability is a threat.
UNCLASSIFIED
36
Things go right because people:

Learn to overcome design flaws and functional
glitches
Adapt their performance to meet the demands

of a dynamic work environment
Interpret and apply procedures to match

changing conditions
Can detect and correct when things go wrong

Therefore, humans are an asset without which the work could not be successfully completed.
UNCLASSIFIED
37
How most work happens
S U C C E S S
UNCLASSIFIED
38
The traditional focus is pre-job
Work planning Hazard Analysis Procedures Pre-Jobs
Work as Imagined
Work as Done
UNCLASSIFIED
39
More focus on post-job
Work as Imagined
Work as Done
Post-Job Normally Review Successful!
UNCLASSIFIED
40
Six Simple Questions

What happened the way it should have? What didn't happen the way it was supposed to? What hazards did we miss? Which steps did we have to interpret? Where did we detect and correct? Where did we have to make do to get the job done?
UNCLASSIFIED
41
UNCLASSIFIED
42
A question to ponder .
The basis for the Sequence of Events and
Epidemiological models is the assumption of cause and effect relationships
In the Systemic model, accidents are seen to emerge

from unexpected interactions of normal variability in the system rather than cause and effect relationships
So, does causality exist?
UNCLASSIFIED
43
Cause and Effect in the Real World

Cause is inferred from observation, but is not always
something that can be observed directly
Normally, we repeatedly observe Action A followed by

Effect B and conclude that B was caused by A
Action A
Effect B
Observable
Not Observable (concluded)
Observable
Source: Hollnagel, Erik (2004) Barriers and Accident Prevention

UNCLASSIFIED
44
UNCLASSIFIED
45
Cause and Effect in Investigations

Investigations involve the notion of backward causality,
i.e., reasoning backward from Effect to Action
We observe Effect B, assume that it was caused by

something and then try to find out which preceding Action was the cause of it
Action ?
Effect B
Observable
Not Observable (constructed)
Observable
Source: Hollnagel, Erik (2004) Barriers and Accident Prevention

UNCLASSIFIED
46
Common problems working backwards

Human tendency to draw conclusions that are not
logically valid
We tend to use educated guesses, intuitive judgment,

or common sense rather than rules of logic
Event timelines create sequential relationships that

seem to infer a causal relationship
Because lots of actions are taking place, there is

usually one that seems plausible
UNCLASSIFIED
47
Requirements for a cause effect relationship

1. The cause must precede the effect (in time) 2. The cause and effect must be contiguous in
time and space
3. The cause and effect must have a necessary

and constant connection between them, such that the same cause always has the same effect
UNCLASSIFIED
48
Any causes on this list?

Assigned co-pilot sick Replacement pilot called out on short notice Replacement pilot assigned as CP, per policy Replacement pilot had not flown as CP for 6 months Pilot chose ILS approach Aircraft had slow landing gear hydraulics Spoilers cannot be armed before gear down ILS approach checklist can not be executed as written approach checklist not doable as written Flight simulator allows 10 sec to lower landing gear Wet runway Manual braking discouraged on slippery runways
UNCLASSIFIED
49
What is a cause?
The identification, after the fact, of a limited set of aspects of the situation that are seen as necessary and sufficient conditions for the observed effects to have occurred. The cause, in other words, is constructed rather than found.
- Hollnagel, Erik (2004) Barriers and Accident Prevention
The cause of an accident is not found in the rubble, it is constructed in the mind of the investigator.
- Dekker, Sydney (2002)The Field Guide to Human Error Investigations
UNCLASSIFIED
50

Non Newtonian View of Accidents

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Non Newtonian View of Accidents

Uploaded by

Copyright:

Available Formats

UNCLASSIFIED

A Non-Newtonian* Model of Accidents Nonand Accident Investigation

Credit where credit is due

What is an Accident Model?

 An unspoken, but commonly held belief about

Why should I Care?

 What you find when you investigate an event is

 How you try to prevent accidents is influenced

Evolution of Accident Models

 Epidemiological  Systemic (Non-Newtonian)

Based on cause and effect

Sequence of Events Model

Sequence of Events, continued

 They are attractive because:

Based on Accident Causation Model (Swiss Cheese) - James Reason 1990

 Caused by degradation of defenses (organizational,

 Focuses attention on the organizational issues and

 More complex, but still linear with a clear path through

 Because it is linear, it oversimplifies the complex

 Non-Newtonian because cause and effect

 Difficult to represent graphically because it is

Functional Resonance Accident Model (FRAM)

Another way to think about it

 Accidents are unexpected combinations of

 Because the variability is within expected

Accidents are unexpected combinations of normal variability

How the spoilers and ABS work

 Deployment of the spoilers activates the ABS

MD-82 Forward Pedestal

Spoiler Lever Unarmed Armed

 Co-pilot confirms spoilers deployed after landing

Old vs. New View of Human Error*

 Human error is a symptom of

 To explain failure, do not try

 They must find peoples

 Instead, find how peoples

* Dekker, Sydney (2002)The Field Guide to Human Error Investigations

Flight Crew Information

Flight Crew Issues

 The assigned co-pilot became ill and a

replacement pilot was called out on short notice.

Effects of Scheduling Problem

 Although fully qualified to perform the co-pilot

 After landing, the co-pilot forgot to confirm

ILS Approach Procedure

ILS Approach Procedure

ILS Approach Procedure with Timeline

 It normally takes ~ 10 seconds for gear to go

 Flight simulators allow 10 seconds for gear

 But on older aircraft, with worn hydraulics, gear

Timeline on Older Aircraft

At t = 30 Spoilers armed (when gear down and locked) At t = 16 Flaps FULL

 Checklist cannot be executed as written

Why not just use the brakes?

Anything Abnormal? Taken Together:

Accidents as unexpected combinations of normal variability

 Accidents can happen when everything

What can you do?

How do you feel about this?

Things go right because:

Things go right because people:

 Adapt their performance to meet the demands

 Interpret and apply procedures to match

 Can detect and correct when things go wrong

An unspoken, but commonly held belief about

What you find when you investigate an event is

How you try to prevent accidents is influenced

Epidemiological Systemic (Non-Newtonian)

They are attractive because:

Caused by degradation of defenses (organizational,

Focuses attention on the organizational issues and

More complex, but still linear with a clear path through

Because it is linear, it oversimplifies the complex

Non-Newtonian because cause and effect

Difficult to represent graphically because it is

Accidents are unexpected combinations of

Because the variability is within expected

Deployment of the spoilers activates the ABS

Co-pilot confirms spoilers deployed after landing

Human error is a symptom of

To explain failure, do not try

They must find peoples

Instead, find how peoples

The assigned co-pilot became ill and a

Although fully qualified to perform the co-pilot

After landing, the co-pilot forgot to confirm

It normally takes ~ 10 seconds for gear to go

Flight simulators allow 10 seconds for gear

But on older aircraft, with worn hydraulics, gear

Checklist cannot be executed as written

Accidents can happen when everything

Adapt their performance to meet the demands

Interpret and apply procedures to match

Can detect and correct when things go wrong

In the Systemic model, accidents are seen to emerge

So, does causality exist?

Normally, we repeatedly observe Action A followed by

We observe Effect B, assume that it was caused by

We tend to use educated guesses, intuitive judgment,

Event timelines create sequential relationships that

Because lots of actions are taking place, there is