
Chapter 24

Management Oversight Risk Tree Analysis

24.1 INTRODUCTION

Management oversight and risk tree (MORT) is an analysis technique for identifying
safety-related oversights, errors, and/or omissions that lead to the occurrence of a
mishap. MORT is primarily a reactive analysis tool for accident/mishap investigation,
but it can also be used for the proactive evaluation and control of hazards.
MORT analysis is used to trace out and identify all of the causal factors leading
to a mishap or undesired event.
The MORT analysis utilizes the logic tree structure and rules of fault tree analysis
(FTA), with the incorporation of some new symbols. This means that MORT can be
used to generate risk probability calculations, as FTA can. MORT analysis provides
decision points in a safety program evaluation where design or program change is
needed. MORT attempts to combine design safety with management safety.

24.2 BACKGROUND

This analysis technique falls under the system design hazard analysis type (SD-HAT).
Refer to Chapter 3 for a description of the analysis types. A smaller and less complex
form of MORT has been developed that is referred to as mini-MORT.
The MORT technique is a root cause analysis tool that provides a systematic
methodology for planning, organizing, and conducting a detailed and comprehensive
mishap investigation. It is used to identify those specific design control
measures and management system factors that are less than adequate (LTA) and
need to be corrected to prevent the reoccurrence of the mishap or prevent the
undesired event. The primary focus of MORT is on oversights, errors, and/or
omissions and on determining what failed in the management system.

Hazard Analysis Techniques for System Safety, by Clifton A. Ericson, II
Copyright © 2005 John Wiley & Sons, Inc.

The MORT analysis is applicable to all types of systems and equipment, with
analysis coverage given to systems, subsystems, procedures, environment, and
human error. The primary application of MORT is in mishap investigation to identify
all of the root causal factors and to ensure that corrective action is adequate.
The MORT analysis is capable of producing detailed analyses of root causes
leading to an undesired event or mishap. By meticulously and logically tracking
energy flows within and out of a system, MORT analysis compels a thorough
analysis for each specific energy type. The degree of thoroughness depends on the
self-discipline and ability of the analyst to track logically the flows and barriers in
the system.
The analyst can master MORT analysis with appropriate training. The analyst
must have the ability to understand energy flow concepts, for which at least a
rudimentary knowledge of the behaviors of each of the basic energy types is necessary.
Ability to logically identify energy sources and track flows in systems is an
essential skill. Ability to visualize energy releases or energy exchange or transformation
effects is another helpful skill. Since MORT analysis is based on an extended
form of FTA, the FTA technique itself could be used as a replacement for MORT
analysis. A condensed version of MORT, called mini-MORT, could also be used.
Use of MORT is not recommended for the general system safety program since it
is complex, time consuming, unwieldy in size, and difficult to understand. Other
hazard analysis techniques are available that provide results more effectively.
MORT could be used for mishap investigation, but FTA is more easily understood
and just as effective.

24.3 HISTORY

The MORT analysis technique was developed circa 1970 by W. G. Johnson of the
Aerojet Nuclear Company. The development work was sponsored by the Energy
Research and Development Administration (Department of Energy, formerly the
Atomic Energy Commission) at the Idaho National Engineering Laboratory
(INEL). MORT analysis is predicated upon hazardous energy flows and safety
barriers mitigating these flows.

24.4 THEORY

The theory behind MORT analysis is fairly simple and straightforward. The analyst
starts with a predefined MORT graphical tree that was developed by the original
MORT developers. The analyst works through this predefined tree, comparing the
management and operations structure of his or her program to the ideal MORT
structure, and develops a MORT diagram modeling the program or project. MORT
and FTA logic and symbols are used to build the program MORT diagram. The
predefined tree consists of 1500 basic events, 100 generic problem areas, and a
large number of judging criteria. This diagram can be obtained from The MORT
User’s Manual [1].
The concept emphasizes energy-related hazards in the system design and the
management structure. MORT analysis is based on energy transfer and barriers to
prevent or mitigate mishaps. Consideration is given to management structure,
system design, potential human error, and environmental factors.
Common terminology used in MORT analysis charts includes the following
acronyms:

• LTA: less than adequate
• DN: did not
• FT: failed to
• HAP: hazard analysis process
• JSA: job safety analysis
• CS&R: codes, standards, and regulations

The generic MORT diagram has many redundancies in it due to the philosophy that
it is better to ask a question twice rather than fail to ask it at all.
The MORT analysis is based on the following definitions:

Accepted or assumed risk: Very specific risk that has been identified, analyzed,
quantified to the maximum practical degree, and accepted by the appropriate
level of management after proper thought and evaluation. Losses from assumed
risks are normally those associated with earthquakes, tornadoes, hurricanes, and
other acts of nature.

Amelioration: Postaccident actions such as medical services, fire fighting, rescue
efforts, and public relations.

24.5 METHODOLOGY

Table 24.1 shows an overview of the basic MORT analysis process and summarizes
the important steps and relationships involved. This process consists of utilizing
design information and known hazardous energy source information to verify
complete safety coverage and control of hazards.

TABLE 24.1 MORT Analysis Process

Step  Task                          Description
1     Define system.                Define, scope, and bound the system. Define the
                                    mission, mission phases, and mission
                                    environments. Understand the system design
                                    and operation.
2     Plan MORT analysis.           Establish MORT analysis goals, definitions,
                                    worksheets, schedule, and process. Divide the
                                    system under analysis into the smallest
                                    segments desired for the analysis. Identify items
                                    to be analyzed and establish indenture levels for
                                    items/functions to be analyzed.
4     Acquire data.                 Acquire all of the necessary design and process
                                    data needed (e.g., functional diagrams, code,
                                    schematics, and drawings) for the system,
                                    subsystems, and functions. Refine the system
                                    information and design representation for MORT
                                    analysis.
5     Conduct MORT analysis.        a. Using the predefined tree, draw a new diagram
                                       for the system under review.
                                    b. Color code events on tree diagram.
                                    c. Continue analysis until all events are
                                       sufficiently analyzed with supporting data.
6     Recommend corrective action.  Recommend corrective action for hazards with
                                    unacceptable risk. Assign responsibility and
                                    schedule for implementing corrective action.
7     Monitor corrective action.    Review the MORT diagram at scheduled intervals to
                                    ensure that corrective action is being
                                    implemented.
8     Track hazards.                Transfer identified hazards into the hazard
                                    tracking system (HTS).
9     Document MORT analysis.       Document the entire MORT process on the
                                    worksheets. Update for new information and
                                    closure of assigned corrective actions.

24.6 WORKSHEET

The MORT analysis worksheet is essentially a slightly modified fault tree with some
added symbols and color coding. All of the symbols, rules, and logic of FTA
(see Chapter 11 on FTA) apply to MORT analysis. New symbols added specifically
for MORT are shown in Figure 24.1. Events on the MORT diagram are color coded
according to the criteria in Table 24.2.
The MORT analysis is essentially an FTA that asks what oversights and omissions
could have occurred to cause the undesired event or mishap and why in
terms of the management system. In some ways, MORT analysis is like using the
basic MORT diagram as a checklist to ensure everything pertinent is considered.
Figure 24.2 shows the top level of the ideal MORT analysis from the MORT
User’s Manual. Figure 24.3 expands the S branch of the MORT shown in
Figure 24.2. Figure 24.4 expands the M branch of the MORT shown in Figure 24.2.
Figure 24.5 expands the 1 branch of the MORT shown in Figure 24.3. Figure 24.6
expands the 2 branch of the MORT shown in Figure 24.5.
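
A color-coded diagram can be checked mechanically before the final report. The code below is an added example, not from the book or the MORT User's Manual: it rolls leaf colors up through OR/AND gates using the FTA gate rules and lists the red and blue events. The mapping of colors to gate inputs, the gate types, and the sample colors are assumptions; node names are taken from the labels of Figures 24.5 and 24.6.

```python
from dataclasses import dataclass, field
from typing import Optional

RED, GREEN, BLACK, BLUE = "red", "green", "black", "blue"  # Table 24.2

@dataclass
class Node:
    name: str
    gate: Optional[str] = None   # "OR"/"AND" for gate events, None for leaf events
    color: Optional[str] = None  # analyst's color code (leaf events only)
    children: list = field(default_factory=list)

def evaluate(node):
    """Roll up: True = LTA, False = adequate, None = cannot be judged yet.
    Assumed mapping: red -> True, green -> False, blue -> None,
    black (not applicable) -> dropped from its parent gate."""
    if node.gate is None:
        return {RED: True, GREEN: False, BLUE: None}[node.color]
    vals = [evaluate(c) for c in node.children if c.color != BLACK]
    if not vals:
        return False                      # every input was not applicable
    if node.gate == "OR":                 # at least one input occurs
        return True if True in vals else (None if None in vals else False)
    # AND gate: all inputs must occur together
    return False if False in vals else (None if None in vals else True)

def leaves(node):
    if node.gate is None:
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]

def audit(root):
    """Report inputs: top-event status, red events, open blue blocks."""
    lv = leaves(root)
    blue = [n.name for n in lv if n.color == BLUE]
    return {"top_event_lta": evaluate(root),
            "needs_recommendation": [n.name for n in lv if n.color == RED],
            "unresolved": blue,
            "investigation_complete": not blue}

# Constructed sample: names follow Figures 24.5/24.6; gates and colors invented.
TREE = Node("Barriers and Controls LTA", "OR", children=[
    Node("Controls LTA", "OR", children=[
        Node("Maintenance LTA", color=GREEN),
        Node("Inspection LTA", color=RED),
        Node("Supervision LTA", color=BLUE)]),
    Node("Barriers LTA", "AND", children=[
        Node("Barrier Failed", color=BLUE),
        Node("D/N Use", color=BLACK)])])

print(audit(TREE))
```

In this sample the top event is already established as LTA by one red input, yet the investigation is not complete because two blue blocks remain.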
Name                    Description
General event           Describes general event.
Basic event             A basic component failure; the primary, inherent,
                        failure mode of a component. A random failure
                        event.
Undeveloped event       An event that could be further developed if desired.
Satisfactory event      Used to show completion of logical analysis.
Normally expected       An event that is expected to occur as part of normal
event                   system operation.
Assumed risk transfer   A risk that has been identified, analyzed, quantified
                        to the maximum practical degree, and accepted.
Transfer (In/Out)       Indicates where a branch or subtree is marked for
                        the same usage elsewhere in the tree. In and out or
                        to/from symbols.
OR gate                 The output occurs only if at least one of the inputs
                        occurs.
AND gate                The output occurs only if all of the inputs occur
                        together.
Constraint              Constraint on gate event or general event.

Figure 24.1 MORT symbols.

TABLE 24.2 MORT Color Coding

Color  Meaning
Red    Any factor or event found to be LTA is colored red on the chart. Should be
       addressed in the final report with appropriate recommendations to correct
       the deficiency. Use judiciously; must be supported by facts.
Green  Any factor or event found to be adequate is colored green on the chart.
       Use judiciously; must be supported by facts.
Black  Any factor or event found to be not applicable is color-coded black (or
       simply crossed out) on the chart.
Blue   Indicates that the block has been examined, but insufficient evidence or
       information is available to evaluate the block. All blue blocks should be
       replaced with another color by the time the investigation is complete.

[Figure 24.2 MORT top tiers. Tree diagram; box labels: Mishap or Undesired Event; Management System Factor LTA; Assumed (Acceptable) Risks (R1 ... Rn); What; Why; Specific Control Factors LTA (S); Management System Factor LTA (M).]

[Figure 24.3 MORT specific control factors. Tree diagram; box labels: Specific Control Factors LTA (S); Mishap (Undesired Event); Amelioration LTA; Mishap Occurs; Harmful Energy Flow or Env. Condition; Barriers and Controls LTA (1); Persons or Objects In Energy Channel; Events & Energy Flows Leading to Accident.]

[Figure 24.4 MORT management system factors. Tree diagram; box labels: Specific Control Factors LTA (M); Goals LTA; Amelioration LTA; Mishap (Undesired Event); Technical Information Systems LTA; Hazard Analysis Process LTA; Safety Program Review LTA.]

[Figure 24.5 MORT barriers and controls diagram. Tree diagram; box labels: Barriers and Controls LTA (1); Controls LTA; Barriers LTA; Technical Information System LTA; Facility Functional Operability LTA; Maintenance LTA; Inspection LTA; Supervision LTA; Higher Supervision Services LTA.]

24.7 ADVANTAGES AND DISADVANTAGES

The following are advantages of the MORT analysis technique:

1. Has a pictorial benefit that aids analysts in visualizing hazards.
2. Can be quantified (but usually is not).
3. Is simple to perform (once understood).
4. Commercial software is available to assist the analyst.

The following are disadvantages of the MORT analysis technique:

1. Though simple in concept, the process is labor intensive and requires
significant training.
2. Is limited by the ability of the analyst to identify all the hazardous energy
sources.
3. Tree size can become too large for effective comprehension by the novice.

[Figure 24.6 MORT barriers diagram. Tree diagram; box labels: Barriers LTA (2); On Energy Source; Between; On Persons or Objects; Separate Time/Space; None Possible; Barrier Failed; D/N Use; D/N Provide; Task Performance Errors; transfer and risk markers a3, R4, R5.]

24.8 COMMON MISTAKES TO AVOID

When first learning how to perform a MORT analysis, it is commonplace to commit
some traditional errors. The following is a list of typical errors made during the
conduct of a MORT analysis:

1. Not obtaining the necessary training
2. Not thoroughly investigating all causal factor paths

24.9 SUMMARY

This chapter discussed the MORT hazard analysis technique. The following are
basic principles that help summarize the discussion in this chapter:

1. MORT analysis is a root cause analysis tool similar to FTA.
2. The primary purpose of MORT analysis is for mishap investigation analysis.
3. MORT analysis should be a supplement to the SHA.
4. MORT analysis involves a focus on hazardous energy sources and barriers.
5. MORT analysis is based on an existing predefined tree diagram.
6. MORT provides analysis of the management system for a project.

REFERENCE

1. N. W. Knox, and R. W. Eicher, MORT User’s Manual, SSDC-4 (Revision 2), U.S. Dept. of
Energy, Idaho Falls, ID, 1983.

BIBLIOGRAPHY

Clark, J. L., The Management Oversight and Risk Tree (MORT)—A New System Safety
Program, Proceedings of the 2nd International System Safety Conference, 1975,
pp. 334–350.
Johnson, W. G., MORT, the Management Oversight and Risk Tree, U.S. Atomic Energy
Commission, SAN-821-2, U.S. Government Printing Office, Washington DC, 1973.
Johnson, W. G., MORT Safety Assurance Systems, Marcel Dekker, New York, 1980.
Stephenson, J., System Safety 2000: A Practical Guide for Planning, Managing, and
Conducting System Safety Programs, Wiley, New York, 1991, pp. 218–255.
