ABSTRACT

Human Factors in Safety Cases

Introduction to Human Factors

There are multiple components that make up all but the simplest systems – there may be mechanical components, software, humans, electrical components and the procedures or directions for making the system do its work. There may be implicit laws of physics and engineering, coded directions in a software language or operating procedures from training manuals. In the construction and operation of a system, we would hope that all the components work together exactly as designed, and that the original design was exactly as required. In the real world, this is not necessarily true. Mechanical components wear out, software can be mis-coded, the procedures may be incorrect or badly taught, the original design may be flawed and, even if all this is correct, the human component may still fail! Perfectly naturally, humans get tired (wear out), forget (the simplest) things, have limited abilities of strength and concentration, and will try to make things a little bit easier for themselves. Unfortunately, the design and construction of the other system components can almost ‘force’ the human to wear out, compromise the human’s physical ability, dull or swamp the senses, or simply give too many things to remember at once. These, on their own or in combination, can easily lead to hazardous situations, and hazards can lead to compromises in safety, i.e. accidents.

The ‘human factor’ in system design needs to be understood and optimised according to human ability, such that the system as a whole becomes optimised, agile and safe. The human component in a system needs to be given as much attention as the mechanical components, the operating procedures and the management tasks. It has been said that the ‘human factor’ causes or contributes to anywhere between 60% and 90% of all accidents. Why doesn’t it get 60% to 90% of the resources allocated to it?
The Human Caused the Accident

Historical Incident

On May 11, 1996, ValuJet flight 592 crashed into an Everglades swamp shortly after take-off from Miami International Airport, Florida. Both pilots, the three flight attendants, and all 105 passengers were killed. Before the accident, the flight crew reported to air traffic control that it was experiencing smoke in the cabin and cockpit. The evidence indicates that five fiberboard boxes containing as many as 144 chemical oxygen generators, most with unexpended oxidizer cores, and three aircraft wheel/tire assemblies had been loaded in the forward cargo compartment shortly before departure. These items were being shipped as company material. Additionally, some passenger baggage and U.S. mail were loaded into the forward cargo compartment, which had no fire/smoke detection system to alert the cockpit crew to a fire within the compartment. On August 19, 1997, the NTSB issued its aircraft accident report entitled “In-Flight Fire and Impact With Terrain; ValuJet Airlines Flight 592.” In that report, the NTSB determined that the accident resulted from a fire in the aeroplane’s Class D cargo compartment, initiated by the actuation of one or more of the chemical oxygen generators being improperly carried as cargo [FAA 1998].

On the face of it, the cause of this disaster appears to have little to do with human error – there was a fire in the hold, the aircrew could not have done anything to counter it, and the aircraft crashed. However, investigators learned that several individuals had committed several individual errors over a two-month period, each relatively insignificant, but in that combination and in that particular sequence the disaster was just waiting to happen [Strauch 2002]. The fire was started by oxygen-generating canisters that were being carried as company materials (COMAT). They had been installed in another aircraft to provide the emergency oxygen supply in case of cabin air pressure loss, but had gone beyond their use-by date, and so had been removed and were being transported back to the aircraft owners. In its report on the disaster the National Transportation Safety Board (NTSB) uncovered a series of so-called human errors [NTSB 1998]:

1. The oxygen generators were not clearly labelled as hazardous materials by the manufacturer or by the maintenance crew, even though there was a general awareness that heat was generated when the generators were activated.
2. Whilst the work card for the task of removing the oxygen generators did call for a safety cap to be fitted after removal, this was not done. The work card was nevertheless signed off as if this task had been completed.
3. During the final inspection of the cargo before it was taken to the aircraft loading ramp, the inspector noticed the lack of safety caps but was satisfied that “it would be taken care of”; he did not check that anything had actually been done.
4. The oxygen generators were not correctly or securely packaged, labelled or prepared for transport, leaving them free to move about.
5. The potentially hazardous content of the shipment box was not communicated between maintenance staff, storage staff, ramp-loaders and flight crew.

Other contributory factors were also highlighted [ibid.]:

1. There had been a push for smoke detection and deluge equipment to be installed in aircraft holds. The FAA terminated the rule-making action to require such systems, citing that they were not cost-beneficial and would not provide a significant degree of protection to the occupants.
2. Safety equipment was provided to the aircrew in the form of oxygen masks and smoke goggles. Emergency procedures stated that the crew should don these as soon as smoke is reported. There was no evidence that this had been done – the voice recordings were all clear (i.e. un-muffled), and there was evidence that the crew were proceeding with smoke clearance actions. It was noted that the plastic packaging for this emergency equipment was so strong that it usually required both hands or a sharp implement to open.

Many points of critical interest come from these findings. It is likely that if just one of the ‘human factors’ errors had been caught, the cargo would not have been loaded. The regulator (FAA) appears not to have understood all the purposes of the proposed smoke detection and deluge systems; an earlier warning might have given enough time for this flight to return and evacuate the aircraft, even with the hold fire progressing. Finally, even with all the concentration on the human factor, consideration of the small detail of the emergency equipment packaging might have given extra time. Tragic.

Historical Incident

A demolition firm was ordered to pay £43,000 in fines and costs after a court heard how a four-year-old child was seriously injured when a 20-tonne loading shovel vehicle [digger] rolled down a hill and tipped over. The driver was part of a team carrying out landscaping work at a housing-estate demolition site. On the day of the accident, the driver was using the shovel when a colleague asked for assistance with his task. The driver left the vehicle with the front scoop elevated and loaded when he parked it. This caused it to roll away and tip over when it hit the road edge.
The loading shovel injured two children aged four and five, who were playing near the site, as well as the driver, who tried to stop it from toppling over. One child suffered serious crush injuries, with two broken legs. The court heard that the driver had not received any training on how to use the loading shovel correctly. In addition, the demolition site had not been adequately cordoned off to prevent children from playing close to the works [BSC 2006]. This incident highlights further areas where human-based contributions at different levels can conspire to cause a critical accident. Three points of interest come from this report. Firstly, the equipment safety awareness of the driver – leaving a loaded shovel in the elevated position (it was easier than unloading). Secondly, the lack of training provided to the driver – probably the responsibility of someone far removed from the site. Lastly, the failure of the cordoning-off procedures – again probably not the responsibility of anyone directly involved in the accident. James Reason quotes a social scientist when discussing the way that multiple defences intended to give depth to accident prevention are sometimes easily defeated in unimagined ways [Weick in Reason 1997]:

We know that single causes are rare, but we don’t know how small events become chained together so that they result in a disastrous outcome … to anticipate and forestall disasters is to understand regularities in the way small events can combine to have disproportionately large effects.