Safety Science
journal homepage: www.elsevier.com/locate/ssci
Article info

Article history:
Received 7 June 2016
Received in revised form 27 September 2016
Accepted 1 October 2016
Available online 6 October 2016

Keywords:
Accident causes classification
Risk analysis
Complex industrial system
System safety

Abstract

Accident causation analysis is a good way to trace industrial accident causes and ultimately to prevent similar accidents from happening again. Classification of accident causes can not only provide a comprehensive understanding of an accident but also benefit cause statistics. Although many accident cause classification models or taxonomies have been proposed, some models are domain-specific while others are too general or complicated for practical application. To address the two basic issues of accident analysis, which are (1) what is the failure and (2) how does the failure happen, a new model is presented from both a system safety perspective and a control theory perspective. First, complex systems can be decomposed into six components, which are machine, man, management, information, resources, and environment, from the view of system safety factors. From the control theory perspective, actuator, sensor, controller, and communication are defined as the system factors' functional abstractions. The combinations of system factors and control functions form a matrix model for accident causation analysis and classification, named the Accident Causation Analysis and Taxonomy (ACAT) model. Then a comparison with existing cause classification schemes is made and the case of the BP Texas refinery accident is used to illustrate its capability.
© 2016 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.ssci.2016.10.001
ISSN 0925-7535
W. Li et al. / Safety Science 92 (2017) 94–103 95
and most straightforward way is to answer the following two questions: (1) what is the failure and (2) how does the failure happen? Apparently, elements of a system are the subjects of failures. Previous studies (Edwards, 1972; Harris, 2006) have defined many system elements, such as man, machine, material, information, etc. The 5M (Man, Machine, Media, Management, and Mission) model has been generally accepted as a structured form to describe system factors and identify systemic risks. Conventionally, management is a broad concept which includes communication, supervision, decision making, regulations, etc. With the growing scale of management risk control (Waring, 2015), it is necessary to decompose the system in detail and redefine a new model for system factors. Apart from the conventional 5M, information and resources are considered in this paper. Information consists of procedures, programs, methods, standards, regulations, etc. Resources include training, experts, raw materials, funds, products, etc. On the other hand, an accident happens because a subject fails to perform its function. Hence, another important part of an accident analysis model should be function definition. Control theory has proven to be a useful method for safety management of complex systems (Wahlström and Rollenhagen, 2014). According to control theory, a process comprises functions like actuator, sensor, controller, etc. As Leveson (2004) stated in her research, the safety problem can be treated as a control problem, and failures occur because the controller cannot handle components adequately. Therefore, control theory is used to describe the functions of each system factor. Based on both system elements and control theory, it is concluded that system elements and their functions dictate the type of failure. In other words, accidents result from an object's function failure. The new model presented in this paper uses a failure taxonomy (subjects) defined from the system safety perspective to guide causation analysis and uses control theory to describe safety constraint (or function) failure.

The rest of this study is organized as follows. In Section 2, a brief description of the basic theories, including system safety factors and control theory, is introduced. Based on those theories, an Accident Causation Analysis and Taxonomy (ACAT) model is proposed and its elements and functions are defined in this section. In Section 3, a comparison with other existing accident causation analysis models is made. Then the BP Texas refinery accident is used to illustrate the new model and a comparison with the logic tree is provided in Section 4. Finally, in Section 5, conclusions are made.

2. Concepts and model

2.1. System safety factors

Since the concept of the man-machine-media (environment) model was first proposed by T.P. Wright, it has had a profound effect on accident analysis and prevention (Miller, 1991). Afterward, Management and Mission were introduced and the 5M model was established. In consideration of the complexity of system failure, more system factors have been incorporated into the 5M model. For instance, Miller (1967) summarized seven system safety factors, which are man, machine, media, management, time, cost, and information. Irani et al. (2001) proposed a variant "5M" (i.e. Man, Machine, Method, Material, and Money) model to evaluate the impact of human, process and technology factors on information system failure. Kozuba (2013) suggested that though many efforts had been made to prevent undesirable flight-related events, human factors, technical factors and organizational factors were still the main causes. Of all these systematic safety factor models, the initial 5M model is the most widely used one and has been generally accepted in many areas, especially in the aviation domain. It is a structured method which describes the subjects of safety analysis.

For a long time, man, machine, media, management, and mission have been recognized as the main elements contributing to accidents. However, it is too vague to include failures caused by supervision, decision making, regulations, or safety attitudes under management failure. The traditional management factor is a general subject which cannot provide more detailed types of failure. Based on a review of accidents, we identified six system safety factors, which are Man (M), Machine (M), Management (M), Environment (E), Information (I), and Resources (R). Among these system safety factors, machine refers to hardware in the plant, including all kinds of instruments, equipment, or vehicles. Man, also called human, refers to on-site personnel such as operators, maintenance workers, office staff, installers, or field supervisors. Their duties are to implement the decisions from managers. Management refers to supervision or decisions made by managers from plant units, companies, agencies, or government. Information includes procedures, programs, methods, standards, regulations, or laws. Resources include training, experts, raw materials, funds, energy, or products. Environment does not mean the physical environment but the social environment, because the physical environment, like weather, is beyond controllability. It usually includes safety culture, attitude, or issues left over by history. Taking the BP Texas refinery accident as an example, the inadequate preliminary hazard analysis and mechanical integrity program (Baker et al., 2007) are categorized as information failure. To prevent this type of failure, attention should be paid to program formulation and evaluation.

So far, the first problem, what the failure is, has been settled. Further, it should be noted that every subject has dynamic characteristics rather than being a static element. In other words, the nature of system safety factor failure is that the factors did not perform their definitive functions. In the next section, the problem of how the failure happens will be addressed.

2.2. Control theory

The essence of control theory is to use sensors to measure the output, then compare the output performance with the desired performance by a monitor, and finally send feedback to the input actuators. Generally, control theory is used in control system engineering in the industrial field. At present, the philosophy of control theory has been applied in the system safety analysis of complex systems. Coze (2005) presents that the nature of a complex system is that different system components interact with each other to implement their functions. It means that when a system safety factor fails to perform its function, hazards or accidents occur.

Conventionally, different considerations are defined for each factor of a system to detail its potential risks (Everdij and Scholte, 2013). However, due to the lack of standards for the interpretation of these factors, different references present varied considerations. This leads to poor consistency in application. Hence, a structured theory is needed to guide the establishment of subgroups. Control theory can describe factors' functions and their communications with a closed loop. Each component in a control structure indicates a particular function that one factor should complete. A simplified diagram of a control structure is shown in Fig. 1. The basic components are actuator, sensor, and controller and communication,

Fig. 1. Simplified diagram of a control system (blocks: Actuator, System, Sensor, Controller).
Table 2
ACAT model and elements' definitions.

Factor \ Function   Actuator   Sensor   Controller   Communication
Man (M)             H11        H12      H13          H14
Machine (M)         H21        H22      H23          H24
Management (M)      H31        H32      H33          H34
Information (I)     H41        H42      H43          H44
Resources (R)       H51        H52      H53          H54
Environment (E)     H61        H62      H63          H64

No    Description
H11   Fail to take effective actions
H12   Fail to monitor, or fail to detect the human failure in time
H13   Fail to follow procedures
H14   Lack of effective communication between operators
H21   Design deficiency or malfunction
H22   Fail to monitor or detect the machine failure in time
H23   Lack of sufficient machine maintenance
H24   Information from equipment is not captured or interpreted
H31   Fail to manage workers or equipment or organization appropriately
H32   Fail to monitor organizational failure or manage change
H33   Fail to follow procedures or organizational inadequate decision
H34   Lack of communication within decision levels
H41   Wrong or inadequate information
H42   Fail to monitor or update information
H43   Fail to establish information
H44   Fail to deliver or interpret information
H51   Lack of training, experts, raw materials, fund, energy or products
H52   Fail to monitor the resource spending or changes
H53   Inadequate allocation of resources
H54   Fail to deliver resources or resources needs
H61   Ignore warnings or issues in previous events
H62   Fail to monitor the environment change
H63   No response to poor safety culture or attitude
H64   Lack of communication culture
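The ACAT matrix of Table 2 as a data structure, together with the grouping step that the later logic-tree discussion says the CSB tree lacks: repetitive bottom events (the five "lack of training" items) collapse into one cell, and counts per function column and per factor row fall out directly. This is an added example, not code from the paper; the column names Actuator, Sensor, Controller and Communication follow the paper's list of control functions, and the sample bottom events are constructed, not CSB data.

```python
"""ACAT matrix of Table 2 as code, with a grouping step over logic-tree bottom events.
Added example, not code from the paper; the sample bottom events are constructed."""
from collections import Counter

FACTORS = ("Man", "Machine", "Management", "Information", "Resources", "Environment")
FUNCTIONS = ("Actuator", "Sensor", "Controller", "Communication")

# Table 2 descriptions; H<row><col> with row = factor, col = function.
ACAT = {
    "H11": "Fail to take effective actions",
    "H12": "Fail to monitor, or fail to detect the human failure in time",
    "H13": "Fail to follow procedures",
    "H14": "Lack of effective communication between operators",
    "H21": "Design deficiency or malfunction",
    "H22": "Fail to monitor or detect the machine failure in time",
    "H23": "Lack of sufficient machine maintenance",
    "H24": "Information from equipment is not captured or interpreted",
    "H31": "Fail to manage workers or equipment or organization appropriately",
    "H32": "Fail to monitor organizational failure or manage change",
    "H33": "Fail to follow procedures or organizational inadequate decision",
    "H34": "Lack of communication within decision levels",
    "H41": "Wrong or inadequate information",
    "H42": "Fail to monitor or update information",
    "H43": "Fail to establish information",
    "H44": "Fail to deliver or interpret information",
    "H51": "Lack of training, experts, raw materials, fund, energy or products",
    "H52": "Fail to monitor the resource spending or changes",
    "H53": "Inadequate allocation of resources",
    "H54": "Fail to deliver resources or resources needs",
    "H61": "Ignore warnings or issues in previous events",
    "H62": "Fail to monitor the environment change",
    "H63": "No response to poor safety culture or attitude",
    "H64": "Lack of communication culture",
}


def code(factor, function):
    """Map a (factor, function) cell to its H-code: ('Man', 'Communication') -> 'H14'."""
    return f"H{FACTORS.index(factor) + 1}{FUNCTIONS.index(function) + 1}"


def decode(hcode):
    """Inverse of code(): 'H53' -> ('Resources', 'Controller'); rejects unknown codes."""
    if hcode not in ACAT:
        raise KeyError(f"unknown ACAT code {hcode!r}")
    return FACTORS[int(hcode[1]) - 1], FUNCTIONS[int(hcode[2]) - 1]


def classify(events):
    """Group (text, factor, function) bottom events under their ACAT cell.
    Repetitive events (the paper's five 'lack of training' items) collapse
    into one H-code while the individual texts are kept as evidence."""
    grouped = {}
    for text, factor, function in events:
        grouped.setdefault(code(factor, function), []).append(text)
    return grouped


def totals(grouped, axis="function"):
    """Count classified events per function column or per factor row."""
    idx = 1 if axis == "function" else 0
    return Counter(decode(h)[idx] for h, texts in grouped.items() for _ in texts)


# Constructed sample events, loosely modelled on the kinds of causes the paper says
# the CSB logic tree lists (training, communication, budget). Not CSB data.
SAMPLE_EVENTS = [
    ("Board operator not trained on startup procedure", "Resources", "Actuator"),
    ("Supervisor not trained on abnormal situations", "Resources", "Actuator"),
    ("Level indication not read during filling", "Man", "Sensor"),
    ("Shift handover omitted the raffinate level", "Man", "Communication"),
    ("Budget cut deferred repair of level sight glass", "Management", "Controller"),
    ("No communication between budget owners and maintenance", "Management", "Communication"),
    ("Earlier near-misses in the same unit not followed up", "Environment", "Actuator"),
]
```

Calling `classify(SAMPLE_EVENTS)` collapses the two training events into H51, and `totals(..., "function")` shows the Actuator column carrying three of the seven events.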
3.1. 3M model

3M represents man (human), machine, and media (environment), see Fig. 2. It contradicts the traditional accident causation theory, which blames a single operator or equipment failure. Based on this, a new scientific field called Man-Machine-Environment System Engineering (MMESE) emerged (Long and Dhillon, 2015). However, due to its over-simplicity, it was quickly replaced by frameworks with more factors.

3.2. 5M model

Fig. 3. 5M model (adapted from Miller, 1991).

3.3. HFACS

Although the Human Factors Analysis and Classification System (HFACS) proposed by Wiegmann and Shappell (2003) mainly addresses human factors failure, it shows great advantages as an accident causes taxonomic approach (Lenné et al., 2012). Four types of failures were presented, including unsafe acts, preconditions for unsafe acts, unsafe supervision and organizational influences, as shown in Fig. 4. Apart from human errors, underlying latent conditions were also considered in the HFACS framework, including environmental factors such as weather, lighting, equipment design, automation, etc. Unlike the 5M model, subcategories were defined for each of these failures, which increases its consistency.

3.4. AcciMap model

The Accident Map (AcciMap) model is a six-layer framework composed of government, regulators and associations, company, management, staff, and work, as shown in Fig. 5. Rasmussen (1997) designed this six-level model mainly for industrial risk management. A vertical interaction control mechanism was first explained by treating an accident as control failures between actors at each of these levels (Cassano-Piche et al., 2009). It decomposes a system from the view of organizational levels. However, some comments pointed out that it lacks a failure taxonomy to guide analysis (Salmon et al., 2012).

3.5. STAMP model

Leveson's STAMP (Systems-Theoretic Accident Model and Processes) model described the socio-technical system as a dynamic control process, see Fig. 6. She described some basic system components and focused on the upper levels of the AcciMap model. For example, Congress and Government Regulatory Agencies were defined in much more detail compared with AcciMap. Besides, it provided detailed guidance for accident factor classification (Leveson, 2004).

3.6. TeCSMART model

To identify common failure mechanisms and modes across different domains, Venkatasubramanian proposes a seven-level conceptual framework, called the Teleo-Centric System Model for Analyzing Risks and Threats (TeCSMART) (Venkatasubramanian and Zhang, 2016). It comprises society, government, regulatory, market, company, plant, and equipment, as shown in Fig. 7. It provides a more complete and broad view of system failure. Compared with the AcciMap model, it considers two more factors, which are society and market. However, modeling a system at multiple levels requires a substantial amount of expert knowledge, which makes the analysis of the process too complicated and time-consuming.

Apparently, all of these researches have contributed a lot to accident causation analysis of complex systems. Meanwhile, arguments, comparisons, and improvements have never stopped (Ergai et al., 2016; Salmon et al., 2012; Underwood and Waterson, 2014).

The ACAT model developed in this paper can be seen as an extension of the conventional 5M model. It defines the subgroups of each element in more detail by incorporating control theory. Meanwhile, it provides a structured accident causes taxonomy approach.

In order to make an overall comparison, seven characteristics are chosen, which respectively are generality, communicability, integration, consistency, taxonomy, completeness, and simplicity. The number of circles indicates the extent to which one model has a certain characteristic. Models with more circles have wider applicability than those with fewer circles. For example, generality was evaluated for each model in the first row of Table 3. TeCSMART was derived from a comparative analysis of 13 systemic accidents in different domains, including the aerospace field, petrochemical field, public health, economic field, medicine field, etc. (Venkatasubramanian and Zhang, 2016). Therefore, TeCSMART was assigned seven circles, which means that it has stronger universality or generality than the other six models. The comparisons are shown in Table 3.

4. Model evaluation with BP Texas refinery case

4.1. Incident description and logic tree

One of the largest industrial disasters occurred at the BP Texas City refinery on March 23, 2005, leading to 15 fatalities, 180 injuries and over 1.5 billion dollars of financial losses (CSB, 2007). Like most other industrial disasters, what happened to the BP Texas City Refinery was a doomed event rather than a random anomaly. A brief description of this accident is introduced.

The accident occurred during startup of the isomerization unit (ISOM) raffinate splitter section. Fig. 8 illustrates the brief
processes from ISOM startup to accident. According to the investigation report, potential hazards existed in every step of the process, which finally contributed to the severe consequences.

In order to trace the root causes, the US Chemical Safety Board (CSB) report provided a detailed logic tree map (CSB, 2007). Generally, the operable basic events of the logic tree, which are drawn at the bottom of the figure, are regarded as root causes. It has proven a convenient method to analyze accident causes. However, for a large and complex system, the logic tree becomes too complex and voluminous for readers to understand. In this case, the original report showed the logic tree in thirteen whole pages. According to those detailed but also complicated logic trees, 75 bottom events were identified. Failures in procedures, training, policies, communications, oversight, operations, software systems, and budgets were all placed in the layer of root causes. However, there are some limitations to the logic tree method. First, no taxonomies or summaries were provided, which matters since some bottom events are repetitive or refer to the same type of cause. For example, there are five basic events revealing that "lack of training" is a crucial cause, but these events were not further grouped into one category. Second, some root causes were not detailed enough for the convenience of developing corresponding measures. For example, "Production pressures" was summarized as one of the root causes, but whether these pressures were caused by budget or market was not indicated. Besides, this deductive and top-down method cannot include all possible initiating events identified by investigators. In other words, some evidence indicated in the reports was not identified as a possible cause in the logic tree.

4.2. Causes taxonomy with new model

There have been many excellent articles studying this disaster, see (Holmstrom et al., 2006; Manca and Brambilla, 2012; Saleh et al., 2014). Admirably, not only technical reasons or human errors but also managerial and organizational factors were considered in these researches. It suggests that a broad view of accident analysis and prevention is the general trend. Given that official accident reports usually dissect accidents in extreme detail because many
Table 3. Comparison of ACAT model with other models.

Table 4. BP Texas City accident causes taxonomy with ACAT.
It is obvious that the BP group, managers, OSHA, and the hazard analysis team are held responsible for managerial failures. From the view of control failure, inappropriate behaviors of agents or functions of subjects can be recognized in the four columns. For instance, the fourth column (H14–H64) indicates failures in communications, including miscommunications or lack of communications between supervisors and operators, between machine and operators, between the Health and Safety Executive and BP, between databases and logbooks, between budget cuts and maintenance needs, between market and company, etc.

The causes in italic represent the bottom events identified in the logic tree. By comparing the causes listed in the logic tree and in the ACAT table, it can be concluded that the ACAT model can not only help to identify accident causes from different levels but also classify
CSB, US Chemical Safety and Hazard Investigation Board, 2007. Investigation report: refinery explosion and fire. <http://www.csb.gov/assets/1/19/csbfinalreportbp.pdf> (Dec. 11, 2015).
Debrincat, J., Bil, C., Clark, G., 2013. Assessing organisational factors in aircraft accidents using a hybrid Reason and AcciMap model. Eng. Fail. Anal. 27, 52–60.
Dulac, N., 2007. A framework for dynamic safety and risk management modeling in complex engineering systems. Doctoral dissertation. Massachusetts Institute of Technology.
Edwards, E., 1972. Man and machine: systems for safety. In: Proceedings of British Airline Pilots Association Technical Symposium. British Pilots Association, London, pp. 21–36.
Ergai, A., Cohen, T., Sharp, J., Wiegmann, D., Gramopadhye, A., Shappell, S., 2016. Assessment of the human factors analysis and classification system (HFACS): intra-rater and inter-rater reliability. Saf. Sci. 82, 393–398.
Everdij, M.H.C., Scholte, J.J., 2013. Unified framework for FAA risk assessment and risk management toolset of methods for safety risk management. Federal Aviation Administration. <http://www.nlr-atsi.nl/downloads/rarm-toolset-of-methods-for-safety-risk-manage.pdf> (Feb. 16, 2016).
FAA, Federal Aviation Administration, 2000. FAA System Safety Handbook, Chapter 15: Operational Risk Management. <https://www.faa.gov/regulations_policies/handbooks_manuals/aviation/risk_management/ss_handbook/media/Chap15_1200.pdf> (Feb. 16, 2016).
Goh, Y.M., Brown, H., Spickett, J., 2010. Applying systems thinking concepts in the analysis of major incidents and safety culture. Saf. Sci. 48 (3), 302–309.
Harris, D., 2006. The influence of human factors on operational efficiency. Aircr. Eng. Aerosp. Technol. 78 (1), 20–25.
Hata, A., Araki, K., Kusakabe, S., Omori, Y., Lin, H.H., 2015. Using Hazard Analysis STAMP/STPA in Developing Model-Oriented Formal Specification toward Reliable Cloud Service. Platform Technology and Service (PlatCon), 2015 International Conference, IEEE, 23–24.
Holmstrom, D., Altamirano, F., Banks, J., Joseph, G., Kaszniak, M., Mackenzie, C., Wallace, S., 2006. CSB investigation of the explosions and fire at the BP Texas City refinery on March 23, 2005. Process Saf. Prog. 25 (4), 345–349.
Irani, Z., Sharif, A.M., Love, P.E., 2001. Transforming failure into success through organizational learning: an analysis of a manufacturing information system. Eur. J. Inf. Syst. 10 (1), 55–66.
Kozuba, J., 2013. The role of the human factor in maintaining the desired level of air mission execution safety. International Conference of Scientific Paper AFASES. Brasov. <http://213.177.9.66/ro/afases/2013/air_force/Kozuba.pdf> (Dec. 11, 2015).
Lenné, M.G., Salmon, P.M., Liu, C.C., Trotter, M., 2012. A systems approach to accident causation in mining: an application of the HFACS method. Accid. Anal. Prev. 48, 111–117.
Leveson, N., 2004. A new accident model for engineering safer systems. Saf. Sci. 42 (4), 237–270.
Long, S., Dhillon, B.S., 2015. In: Proceedings of the 13th International Conference on Man-Machine-Environment System Engineering. Springer, Berlin Heidelberg.
Lu, W., Liao, T., 2013. Preliminary discussion on strengthening safety management of urban metro equipment based on 5M1E factors. In: Advances in Industrial Engineering, Information and Water Resources, 311. WIT Press.
Luo, X., Zhao, S., Zeng, X., Li, L., 2014. Research on fatigue risk management of airport staff. In: Proceedings of the 13th International Conference on Man-Machine-Environment System Engineering. Springer, Berlin Heidelberg, pp. 3–12.
Manca, D., Brambilla, S., 2012. Dynamic simulation of the BP Texas City refinery accident. J. Loss Prev. Process Ind. 25 (6), 950–957.
Miller, C.O., 1967. The Role of Systems Safety in Aerospace Management. Institute of Aerospace Safety and Management, University of Southern California.
Miller, C.O., 1991. Investigating the management factors in an airline accident. Flight Safety Digest 10 (5), 1–15.
Ouyang, M., Hong, L., Yu, M.H., Fei, Q., 2010. STAMP-based analysis on the railway accident and accident spreading: taking the China-Jiaoji railway accident for example. Saf. Sci. 48 (5), 544–555.
Rasmussen, J., 1997. Risk management in a dynamic society: a modelling problem. Saf. Sci. 27 (2), 183–213.
Rasmussen, J., Suedung, I., 2000. Proactive Risk Management in a Dynamic Society. Swedish Rescue Services Agency.
Saleh, J.H., Haga, R.A., Favarò, F.M., Bakolas, E., 2014. Texas City refinery accident: case study in breakdown of defense-in-depth and violation of the safety–diagnosability principle in design. Eng. Fail. Anal. 36, 121–133.
Salmon, P.M., Cornelissen, M., Trotter, M.J., 2012. Systems-based accident analysis methods: a comparison of Accimap, HFACS, and STAMP. Saf. Sci. 50 (4), 1158–1170.
Shappell, S., Detwiler, C., Holcomb, K., Hackworth, C., Boquet, A., Wiegmann, D.A., 2007. Human error and commercial aviation accidents: an analysis using the human factors analysis and classification system. Human Factors: J. Hum. Fact. Ergon. Soc. 49 (2), 227–242.
Song, X., Xie, Z., 2014. Application of man-machine-environment system engineering in coal mines safety management. Procedia Eng. 84, 87–92.
Underwood, P., Waterson, P., 2014. Systems thinking, the Swiss Cheese Model and accident analysis: a comparative systemic analysis of the Grayrigg train derailment using the ATSB, AcciMap and STAMP models. Accid. Anal. Prev. 68, 75–94.
Venkatasubramanian, V., 2005. Prognostic and diagnostic monitoring of complex systems for product lifecycle management: challenges and opportunities. Comput. Chem. Eng. 29 (6), 1253–1263.
Venkatasubramanian, V., 2011. Systemic failures: challenges and opportunities in risk management in complex systems. AIChE J. 57 (1), 2–9.
Venkatasubramanian, V., Zhang, Z., 2016. TeCSMART: a hierarchical framework for modeling and analyzing systemic risk in sociotechnical systems. AIChE J. http://dx.doi.org/10.1002/aic.15302.
Wahlström, B., Rollenhagen, C., 2014. Safety management – a multi-level control problem. Saf. Sci. 69 (1), 3–17.
Waring, A., 2015. Managerial and non-technical factors in the development of human-created disasters: a review and research agenda. Saf. Sci. 79, 254–267.
Wiegmann, D.A., Shappell, S.A., 2003. A human error approach to aviation accident analysis: the human factors analysis and classification system. Ashgate Press, Burlington, VT.