
Human Factors

Human Error Management


SIT Internal

Which statement best describes the lack of communication as in Gordon Dupont’s
dirty dozen?
a. Over-confidence from repeated experience
on a specific activity.
b. Failure to transmit, receive, or provide
sufficient feedback in order to complete a
task.
c. Go back three steps, and clarify the
message with the receiver.
d. Physical or mental exhaustion threatening
work performance.


Which of the following categories are not part of Gordon Dupont’s dirty dozen?
a. Norm, Lack of Communication, Distraction,
Fatigue
b. Lack of Knowledge, Complacency, Lack of
Teamwork
c. Lack of Supervision, Lack of Experience,
Stress, Pressure
d. Pressure, Stress, Fatigue, Distraction


Learning Outcomes

 Explain and apply Error models and theories.

 Identify active and latent failure.

 Assess the resources required to minimize latent failures.

 Explain the types and classifications of errors

 Understand Boeing MEDA investigation tool for human error


Scope

 Introduction to Human Error

 Error Models and Theories

 Latent Failure

 Types and Classifications of Errors

 Errors due to Individual Practices and Habits

 Errors associated with Visual Inspection

 James Reason's Study

 Boeing MEDA – Analysis Tool


Human Error (FAA) 3m

https://www.youtube.com/watch?v=D1TPWGYtfTY

Introduction
 This module addresses the crux of the Human Factors issues: Human Error.
It has been suggested a number of times over the duration of this course that
it is normal for humans to make errors.

 This does not make errors acceptable in an ultra-safe system such as
aviation, but it does mean that people have to accept that errors will be made
during the course of any particular project or discipline, and set systems in
place to catch them before any damage is done.

 Professionals are still expected to go about their job professionally and they
are paid not to make errors. However, there are still many jobs that need to be
done that cannot be done without error, even by the best professionals.


Herald of Free Enterprise


 The Herald of Free Enterprise was a vehicle and passenger ferry that ran
between England and mainland Europe. It capsized just out of Zeebrugge
in Belgium.

 The analysis of the disaster showed that the crewman responsible for
checking that the front roll-on / roll-off hatchway was firmly closed and
locked in place was asleep at the time. He was an easy person to blame.
It transpired, however, that he was on his second straight shift without a
break, was extremely tired and only stayed on after coercion so that the
ferry could continue to work.

 The Captain had recently asked for $1,000 cameras to be put in place
so that he could monitor the doors being closed in just such an eventuality.
This ‘extra cost’ of the video cameras was refused by the company
Board.


Capsize-Prone Design: 193 died as the Herald of Free Enterprise took on
hundreds of gallons of water and swiftly capsized. March 1987.

Failure of O-Rings due to design in Booster Rockets: Challenger, Jan. 28, 1986,
exploded 73 seconds after liftoff, killing the seven crew.

Defensive weaknesses at organization level

Credit: Churchtimes UK; Miami Herald; the Conversation, The Independent,
Straits Times - websites

Herald of Free Enterprise

 The whole point to come out of this exercise was to move away from the
concept of laying blame and move to a culture that searched for the
potential failures in the system; such as crew manning levels and the
associated tiredness of the crew; or the door monitoring equipment and the
capability of the bridge personnel to double check the forward crew tasks.

 This whole concept was picked up quite dramatically by the aviation industry
and there was a real shift away from zero error tolerance to one of error
management. This meant a cultural change from one of covering up
mistakes so that an aircraft maintenance engineer did not lose his or her
licence to one of open information reporting. It became known as no
blame – no shame but it needed some theoretical back-up to provide validity.


Error Models and Theories

 Theories and models have to start with basic premises. The building block
for the issues considered here is that people all make mistakes, and if
humans make mistakes then the systems they build will have mistakes in
them too. So people have got to expect failures of one sort or another on a
fairly regular basis.

 The next slide gives the overall picture in the form of an Anatomy of an
Organisational Accident. The organisation is on the left, the operating
environment next, and the people at the “sharp” end towards the right of the
diagram. All of them provide an opportunity for failure. When all of the latent
opportunities occur at the right time an incident or accident will occur.


Relationship between Hazards, Defences & Losses

Ref: Managing the Risks of Organizational Accidents by James Reason



Swiss Cheese Model (5m)

https://www.youtube.com/watch?v=KND5py-z8yI

When “holes” align, accident happens!


Active and Latent Failures

 In essence, the Reason model suggests there are holes in all of the
defence mechanisms in any system, and when they all line up an
incident or accident occurs. The trick, of course, is to reduce the number and
size of the holes.

 From the Human Error perspective, the basis of unsafe acts, which means
an analysis of failure types, needs to be known. There are two basic failure
types: Active Failures; and, Latent Failures.


Active Failures

 Active failures are the result of unsafe acts (errors and violations)
committed by those at the "sharp end" of the system (pilots, air traffic
controllers, maintenance engineers, frontline personnel). They are the people
at the human-system interface whose actions can, and sometimes do, have
immediate adverse consequences.

 As an example, the case in which an engineer who fits a bolt but forgets to
lockwire it having been interrupted by a work colleague would be considered
an active failure.


Latent Failures
 Are created as the result of decisions, taken at the higher echelons of the
organization. Their damaging consequences may lie dormant for a long time,
only becoming evident when they combine with local triggering factors (e.g.,
errors, violations and local conditions) to breach the system's defences.

 Are all present within the system well before the onset of a recognizable
accident sequence.

 Are rarely addressed when people are looking for scapegoats or someone
to ‘blame’.

 But they are everywhere and they are the information that is needed if a
tangible effect is to be felt on system safety.

 Some failures are latent, meaning that they were made at some point in
the past and lie dormant.

Removing 1st rect team, tx to hangar. Unintended consequences, 1st line
don’t own aircraft mx, kpi on hangar

A better example would be (a) under torqued, or over-torqued; (b) worn-out nut
(to replace vs examine condition).

Diaphragm fitted wrongly; machine drwgs not clear, top and bottom view
confusing


Latent Failure

 With the distinction between active and latent failures made, how they can
be reduced or eliminated within the system needs to be considered. In this
respect, latent failures present the biggest challenge for the simple
reason that they are hidden. The secret is to find some way of being able to
identify them before they become an issue through accident or incident.

 In general terms, latent failures can be attributed to local factors, which are
present in the immediate workplace, and organisational factors that lie
"upstream" from the workplace. That is, organisational factors create the
local error and violation-producing conditions.


Examples of Latent Failures

 A new checklist from the manufacturer reads:

 “A supervisor check is now required upon completion of the assembly
of the new stage prior to fitting to the aircraft.”

 This is passed to the unit typist to transfer to the company documentation.
She types:

 “A supervisor check is not required upon completion of the assembly of
the new stage prior to fitting to the aircraft.”

 Supervisory checks are not done.

 An aircraft accident is due to incorrect assembly of the new stage
by a new staff member.


Gradual Erosion of Supervision: 35 people were killed and 500 people
injured when three trains collided in Clapham, south London. Dec 1988.
Wiring human error in signalling system; multiple lapses in overall
oversight and management of the testing processes. Standards deteriorated.

Inadequate Fire Containment And Corroded Sprinklers: Piper Alpha, explosion
in July 1988. 165 killed.

Credit: bbc.co.uk; offshore technology.com - websites

MRT Tunnel Flood (Oct 2017)


Limited Engineering Hours, Ramping-Up of Upgrades, Build-Up of Engineering
Capability, Tight Schedules …

Straits Times. 6 Dec 2017

Minister Khaw Boon Wan

SINGAPORE - SMRT Trains was hauled to court on Tuesday (Feb 8) over a 2018
incident in which a train rolled over a worker's foot that later had to be
amputated.

A representative from the rail operator appeared before a district court to
face the single charge under the Workplace Safety and Health Act of failing to
take the necessary measures to ensure the safety and health of its employee at
work.

According to court documents, on or before Dec 12, 2018, the rail operator is
said to have failed to carry out a risk assessment and set out safe work
procedures in relation to the "limited movement procedure".


Share an example / experience of a Latent Failure.


Latent Conditions

 Examples: Poor design, Gaps in Supervision, Shortfalls in Training,
“Missionitis” Culture

 May be present for several years

 Combine with local conditions and active failures – resulting in an accident

Image: http://simmaronresearch.com/wp-content/uploads/2013/04/Pathogens.jpg

Latent means hidden, so latent failure in this context means failures that are
already around in the system just waiting for the right conditions before they
become evident. Latent failures are created as the result of decisions, taken
at the higher echelons of the organization.

Local Factors
 A study by FAA / CASA was carried out within the engineering facilities of a
major world airline, with the result that 12 local factors and 8 organizational
factors were identified as having an adverse effect upon the working
practices of those on the hangar floor.

 1. Knowledge, skills and experience meant being unfamiliar with a
defect or aircraft type, lack of specific training or skills, inappropriate
experience for a job, changes in aircraft type clashing with past routines or
expectations, etc.

 2. Morale issues were characterised by personality clashes, frustration,
being unhappy with the work situation, inadequate incentives, insufficient
consultation with the workforce, etc.

 3. Tools, equipment and parts are always an issue in maintenance
engineering. In most cases the problems are with availability, quality,
location, delivery and/or collection, identification, handling heavy or awkward
items, etc.


 4. Support – Problems with support from other areas, people unavailable
in other areas, under-manning, avionics or other trade cover, third party
companies and their local representatives, etc.

 5. Fatigue – Problems with tiredness, unusually slow working, disturbed
sleep patterns, particularly at the beginning of a shift, the balance between
work and rest, noticeable increases in slips, lapses and fumbles, etc.

 6. Pressure – Problems with high workload, the workforce being spread
too thinly over the jobs, many interruptions, hassle from management or
customers, too little time to do the job to the highest standards, etc.


 7. Time of Day – Problems with shift patterns, time of day or night,
closeness to the deadline, etc.

 8. Environment – Problems with rain, snow or fog, temperature (either
too hot or too cold), high noise levels, inadequate lighting, insufficient
environmental protection, etc.

 9. Computers – Being unfamiliar with the computer type or mode of
operation, unfriendly interfaces and software, the introduction of a new
system, insufficient terminals, some people being "computer shy," etc.


 10. Paperwork – This includes unclear Technical Log entries,
unavailability of relevant manuals or procedures, failures to complete
paperwork correctly, inconvenience or difficulty of locating relevant material,
etc.

 11. Inconvenience – This relates to ease of access (or lack of it) to the
job, pace of work going on around, congestion around the aircraft, airside
traffic conditions, etc.

 12. Safety – Problems with hazard warnings, quality of safety equipment,
safety training and awareness of hazards, personal protective equipment,
etc.


Organizational Factors

 1. Organisational structure – This concerns worries about restructuring
and downsizing, ill-defined duties and responsibilities, too many layers of
management, necessary tasks not covered by the existing structure, etc.

 2. People Management – Lack of top-level awareness of problems at the
sharp end, ill-defined career pathways, the wrong balance between
incentives and disciplinary measures, workforce insufficiently consulted, etc.

 3. Provision of tools and equipment – Lack of proper equipment and
resources in the workplace, existing equipment is inadequate to cope with
new aircraft types, cost-cutting is put before the needs of the job, workplace
facilities are out of date, etc.

Rewarded for Kaizen….


Organizational Factors

 4. Training and Selection – Trade skills out of step with current needs,
inadequate balance between avionics and mechanical trades, insufficient
licensing incentives, recruitment and selection not netting the right kind of
apprentices, etc.

 5. Commercial Pressure – Conflicts between quality standards and
commercial and operational pressures, conflicts between safety standards
and commercial and operational pressures, etc.

 6. Planning – Poor quality of planning and scheduling, remoteness of
planners from the reality of the job, conflicts between long-term strategic
plans and the immediate needs of the present jobs, plans and schedules
being unclear or unworkable, etc.

Pressure to authorize…

Monthly Sales Target (behind….)


Organizational Factors

 7. Buildings – Inadequate building maintenance, inadequate equipment
maintenance, necessary improvements deferred on cost grounds, requests
for maintenance and improvements not acted upon, etc.

 8. Communication – Workforce being isolated from managerial decision
makers, bottom-up communications ignored, unclear or ambiguous
communications, communications that promote a "them and us" attitude, etc.


 So, what proportion of incidents and accidents are caused by human error?

 The answer varies depending on who the commentator is, between 60% and
80%, with a pretty consistent commentary around 76%, which is at the
upper end of the range. That means 3 out of every 4 are caused by human
error.

 It begs the question of why it has taken so long for Human Factors Courses
to be part of the system.


30% - 1 hour


Prof James Reason on Human Error (18m)

https://www.youtube.com/watch?v=4qnoc5EkFCE

Types and Classifications of Errors

 Slips can be thought of as actions not carried out as intended or planned,
e.g. transposing digits when copying out numbers, or misordering steps in a
procedure.

 Slips typically occur at the task execution stage, lapses at the storage
(memory) stage and mistakes at the planning stage.

 Lapses are missed actions and omissions, i.e. when somebody has failed to
do something due to lapses of memory and/or attention or because they
have forgotten something, e.g. forgetting to replace an engine cowling.

 Mistakes are a specific type of error brought about by a faulty plan/intention,
i.e. somebody did something believing it to be correct when it was, in fact,
wrong, e.g. an error of judgement such as mis-selection of bolts when fitting
an aircraft windscreen.


Slips

 Many people are familiar with the feeling that they have been doing a familiar
task on autopilot. Slips occur when we perform a routine action that was out
of place in the situation, usually because we are distracted, and habit takes
over. For example, in the first week of January, it is not uncommon to write
the previous year. Many slips in maintenance are slips of the pen, where a
signature is put in the wrong place or a checklist item is missed. Slips also
occur when using tools and when activating cockpit controls.

While performing maintenance on the co-pilot's circuit breaker panel, the
Emergency Locator Transmitter was accidentally activated via the cockpit
arm/on switch. The switch is poorly located and inadequately guarded.

Driving home instead… pilot in / out of cockpit, accidentally moved a sw

Lapses

 A lapse occurs when we forget to complete an action we had been intending
to perform. Examples are forgetting to remove tools or rigging devices at the
end of a job, forgetting to close hatches, or leaving nuts finger tight when the
intention had been to torque them up. One of the most widely reported
lapses in maintenance is failing to replace oil caps. Many lapses occur when
the engineer has been interrupted part way through a task, often when called
away to a more urgent job. They may then fail to return to the task, leave out
a step, or lose their place in the task. In the following case a person forgot to
finish a task after an interruption.

While servicing the no. 2 engine, I was called away by an air carrier
contract fueller on the aircraft to address a problem with opening the fuel
panel door. When this problem was solved, I apparently went back to the
no. 2 engine and took my oil cart and stand away. I have no recollection of
reinstalling the oil tank cap, or closing the cowling door. Later we received
feedback that the engine had experienced a loss of four litres of oil after
landing.
Tools left on wing (line work)

If an engineer forgot to replace the inspection plugs after a borescope
inspection on a turbine engine, this would be regarded as a:
a. mistake.
b. lapse.
c. violation.


Mistakes

 Mistakes are a type of error where the problem has occurred during
thinking rather than doing. The person carries out their actions as planned,
except that what they planned to do was not right for the situation. Reason
describes two types of mistakes, rule-based and knowledge-based.

 Rule-based mistakes occur in familiar situations where an engineer has a
pre-existing 'rule' or guideline they use to guide their actions. This need
not necessarily be a formal rule; it could be a procedure or work habit that
they usually follow in that situation. The mistake happens when the rule no
longer fits the situation, or the engineer mis-identifies the situation.

 For example, an engineer who pushed in a pulled cockpit circuit breaker,
without first stopping to check the cockpit control settings, failed to
apply a good rule or work habit to a familiar situation. In another case, an
electrician wrongly assumed that a colleague had disconnected the power
supply, because this was their routine work practice.


Mistakes…

A mechanic did not check the position of the flap lever before he pushed
in a cockpit circuit breaker that provided electrical power to a hydraulic
pump. When the pump started, the flaps began to retract automatically.
This could have caused damage to the aircraft, or injured other workers.

In this case, the safety rule is that any mechanic is to leave the flap position up
(retracted). All mechanics are expected to check and not assume otherwise (in their
thinking), when they power up the hydraulics. For that matter whether mechanic or
pilot, they have to check and ensure, before applying any power to the aircraft
systems.


Teams

Pick any ONE task (Maintenance of Grounded Aircraft) and give examples of
SLIP, LAPSE and MISTAKE that could happen


Violations in Aircraft Maintenance

 Violations sometimes appear to be human errors, but they differ from slips,
lapses and mistakes because they are deliberate 'illegal' actions, i.e.
somebody did something knowing it to be against the rules (e.g. deliberately
failing to follow proper procedures). Aircraft maintenance engineers may
consider that a violation is well intentioned, i.e. 'cutting corners' to get a job
done on time. However, procedures must be followed appropriately to help
safeguard safety.

 It is an unfortunate fact of life that violations occur in aviation maintenance.
Most stem from a genuine desire to do a good job. Seldom are they acts of
vandalism or sabotage. However, they represent a significant threat to safety
as systems are designed assuming people will follow the procedures.

 There are four types of violations:


4 Types of Violations
 Routine violations are things which have become 'the normal way of doing
something' within the person's work group. They can become routine for a number of
reasons: engineers may believe that procedures may be over prescriptive and violate
them to simplify a task (cutting corners) to save time and effort.

 Situational violations occur due to the particular factors that exist at the time, such as
time pressure, high workload, unworkable procedures, inadequate tooling, poor
working conditions. These occur often when, in order to get the job done, engineers
consider that a procedure cannot be followed.

 Optimising violations involve breaking the rules for 'kicks'. These are often quite
unrelated to the actual task. The person just uses the opportunity to satisfy a personal
need.

 Exceptional violations are typified by particular tasks or operating circumstances that
make violations inevitable, no matter how well intentioned the engineer might be.

[Poll] Which violation do you think may be punishable?


Examples…

 Examples of routine violations are not performing an engine run after a
borescope inspection ("it never leaks").

 An example of a situational violation is an incident which occurred where
the door of a B747 came open in-flight. An engineer with a tight deadline
discovered that he needed a special jig to drill off a new door torque tube.
The jig was not available, so the engineer decided to drill the holes by hand
on a pillar drill. If he had complied with the maintenance manual he could not
have done the job and the aircraft would have missed the service.

 An example of an optimising violation would be an engineer who has to go
across the airfield and drives there faster than permitted.


Examples

Exceptional Violations are rare occurrences that take place in very
unusual circumstances (e.g. emergencies, equipment failure). They
can be the result of a conscious decision to violate or an instinctive
reaction to the situation.

Conscious decisions may include landing with an excessive
tailwind on a long runway following a hydraulic systems failure,
rather than risk further consequences during the time it takes to
re-position for the preferred runway.

Instinctive reactions fall much closer to the caveat that pilots may
violate rules if it is safer to do so – i.e. continuing with an unstable
approach to land following an uncontained engine failure.


Examples…

The centre tank fuel quantity indicator was inoperative. According to the
MEL, before each flight day, the centre tank needs to be sumped.

Since the aircraft was needed at the gate, I signed the log as 'sumped
tank', knowing that there was still about 60-120 litres of fuel in the tank.

I did not want maintenance to take a delay. I was pressured to get the
aircraft on the gate. I felt it was my sole responsibility to get it there with
enough time to make its departure.

What I should have done was to take the delay and sump the tank.


Why People Violate…


What category of violation is not performing a functional leak check after a
hydraulic tube replacement ("don’t worry, it never leaks")?
a. Routine
b. Judgmental
c. Optimizing
d. Experiential


Exceptional violations in aircraft maintenance tasks can be described
as violations that:
a. occur due to the particular factors that exist at the time, such
as time pressure, high workload, unworkable procedures,
inadequate tooling, poor working conditions.
b. involve breaking the rules for 'kicks'.
c. are things which have become 'the normal way of doing
something' within the person's work group.
d. are typified by particular tasks or operating circumstances that
make violations inevitable, no matter how well intentioned the
engineer might be.


Error-producing conditions in aviation maintenance

 Some errors, such as slips, seem to be an unavoidable part of life. If you
perform a simple action often enough (e.g. removing and replacing a fuel cap
1000 times), by the law of averages, an error is almost bound to happen.
Other errors are more closely related to causal factors in the workplace:
issues with the people, environment, actions and resources; in other words,
the elements of the PEAR model. In several studies of maintenance error,
the same error-producing conditions appear repeatedly:
 • Time pressure
 • Problems with equipment, tools and spares
 • Training and experience
 • Coordination within maintenance
 • Fatigue
 • Procedures and documentation
 • Supervision.


Error management strategies

 In general, you are in an elevated area of risk for human error when one or
more of these conditions apply:

 You are performing a task you have never done before
 Procedures are ambiguous or confusing
 Interruptions occur part way through the task
 Special tools, equipment or spares are unavailable
 There is more time pressure involved than you are used to dealing with
 You are fatigued
 You are working with unfamiliar people
 You feel uneasy or uncomfortable about the task.


Error management strategies

 One airline developed the following list of key behaviours together with its
maintenance personnel. Each of the seven statements was developed in
response to incidents, and helped to create a new set of standard practices
at the organisation.

Seven key behaviours in maintenance:

 When performing principal systems or structures maintenance, we must
review the current maintenance instructions before beginning a task
 We must document all additional disassemblies not specified in the
task instructions
 We must document job status at end of shift, or when moving to a new
task
 We must attach a red tag to all disassemblies that might be
inconspicuous to anyone closing the work area
 We must confirm the integrity of each adjacent connection after
installing any line replacement unit (LRU)
 We must complete all required checks and tests
 We must, when closing a panel, conduct a brief visual scan for safety-
related errors

Error capture

 The first objective of error management should be to reduce errors by
identifying and correcting error producing conditions. This will involve
looking carefully at each of the elements of the PEAR model in the workplace
to find areas where improvements can be made. After efforts have been
made to reduce errors, there are two remaining error-management
strategies: error capture, and error tolerance.

 While you cannot prevent all errors, it is possible to detect many errors
before they cause harm. Post-maintenance functional or operational
checks, and dual inspections are examples of procedures designed to
capture errors before they have a chance to cause harm.

 However, these procedures rely on human performance, and likewise, can
fail because of human error. Checks and inspections are sometimes omitted
because of factors such as time pressure or overconfidence. The error
probabilities included at the beginning of this section included an estimate
that around 10 per cent of dual inspections are ineffective.


The first objective of error management should be to reduce errors by (choose
the most appropriate statement below). This will involve looking carefully at
each of the elements of the PEAR model in the workplace to find areas where
improvements can be made.
a. Ensure proper supervision.
b. identifying and correcting error producing conditions.
c. only trained personnel can be tasked, with a follow-up
independent check.
d. design a robust self-check system to detect errors.


Error capture

 The following incident report illustrates a case in which a check designed to
capture error was ineffective because of poor decision making:

At the end of a shift, we realised that an engine hadn't been run to
check for oil leaks when the aircraft was to be placed on line. Under
pressure to avoid a delay due to this oversight, the run was carried
out too quickly, and the engine was not un-cowled properly to check
for oil leaks.

Consequently, after departure that particular engine ran out of oil as
the result of a damaged seal. Several factors were involved here -
primarily fatigue and inexperience.


Error tolerance in aviation maintenance

 Even if an error has occurred, and has not been detected, it may still be
possible to manage the risk associated with it. Error tolerance is an
approach designed to eliminate single points of failure so that errors not
captured in the system do not lead to an accident. One approach is to
minimise the simultaneous disturbance of multiple redundant systems.

 In the airline industry, the special maintenance precautions applied with
extended-range twin-engine operations (ETOPS) are an example of such
an approach. When an aircraft is being maintained under ETOPS
procedures, the performance of identical maintenance actions on multiple
elements of critical systems is avoided wherever possible. For example,
the staggered maintenance required under ETOPS procedures reduces the
risk that the same error will be made on both engines of a twin-engine
aircraft.

 The following example illustrates a case where a functional check was not
part of a maintenance procedure. If it had been, an error might have been
captured and the accident could have been prevented.


Perceived Risks and Perceived Benefits

Time pressure and high workload increase the likelihood of all types of
violations occurring. People weigh up the perceived risks against the
perceived benefits; unfortunately, the actual risks can be much higher.


Errors due to Individual Practices and Habits

 Where procedures allow some leeway, aircraft maintenance engineers often
develop their own strategies or preferred way of carrying out a task.
Often, a 'good' rule or principle is one that has been used successfully in the
past.

 Problems occur when the rule or principle is wrongly applied. For
example, aircraft pipe couplings are normally right hand threads but applying
this 'normally good rule' to an oxygen pipe (having a different thread) could
result in damage to the pipe. Also, there can be dangers in applying rules
based on previous experience if, for example, design philosophy differs, as in
the case of Airbus and Boeing.

 An example of applying a bad rule is the British Rail technician in the
Clapham train accident who had acquired the practice of bending back
old wires rather than cutting them off and insulating them.


Clapham Train Accident


Errors associated with Visual Inspection


 There are also two types of error which are referred to particularly
in the context of visual inspection, namely Type 1 errors and Type 2 errors.

 A Type 1 error occurs when a good item is incorrectly identified as faulty;
a Type 2 error occurs when a faulty item is missed.

 Type 1 errors are not a safety concern per se, except that it means that
resources are not being used most effectively, time being wasted on further
investigation of items which are not genuine faults.

 Type 2 errors are of most concern since, if the fault (such as a crack)
remains undetected, it can have serious consequences (as was the case in
the Aloha accident, where cracks remained undetected).


There are also two types of error which are referred to
particularly in the context of visual inspection, namely Type 1 errors
and Type 2 errors. They can be explained as:
a. A Type 1 error occurs when a good item is incorrectly identified
as faulty; a Type 2 error occurs when a faulty item is missed.
b. A Type 2 error occurs when a good item is incorrectly identified
as faulty; a Type 1 error occurs when a faulty item is missed.
c. A Type 1 error is not a safety concern, but a Type 2 error is a
serious safety concern.
d. None of the above.


Prof James Reason’s Study


 Reason analysed the reports of 122 maintenance
incidents occurring within a major airline over a 3-year
period. He identified the main causes as being:

 Omissions (56%)
 Incorrect installation (30%)
 Wrong parts (8%)
 Other (6%)

 It is likely that Reason's findings are representative for the
aircraft maintenance industry as a whole. Omissions can
occur for a variety of reasons, such as forgetting, deviation
from a procedure (accidental or deliberate), or
distraction. The B737 double engine oil loss incident, in
which the HP rotor drive covers were not refitted, is an
example of omission.

 Incorrect installation is unsurprising, as there is usually
only one way in which something can be taken apart but
many possible ways in which it can be reassembled.

Test Cell & Engine Damaged by Fire


2/3 & 2 hours


Bloomberg, Feb 2020


Installation Errors

 Reason illustrates this with a simple example of a bolt and several nuts,
asking the questions:


Implications of Errors (i.e. Accidents)

 In the worst cases, human errors in aviation maintenance can and do cause
aircraft accidents. However, accidents are the observable manifestations of
error. Like an iceberg which has most of its mass beneath the water line, the
majority of errors do not result in actual accidents.

Seeing Beyond the Visible


 Errors that do not cause accidents but still cause a problem are known as
incidents. Some incidents are more high profile than others, such as errors
causing significant in-flight events that, fortuitously, or because of the skills
of the pilot, did not become accidents. Other incidents are more mundane
and do not become serious because of defences built into the maintenance
system.

 However, all incidents are significant to the aircraft maintenance industry, as
they may warn of a potential future accident should the error occur in
different circumstances. As a consequence, all maintenance incidents
have to be reported to the CAAS. These data are used to disclose
trends and, where necessary, implement action to reduce the likelihood
or criticality of further errors.

Under-Torque causing engine seizure…

 It is likely that the greatest proportion of errors made by aircraft maintenance
engineers are spotted almost immediately they are made and corrected.
The engineer may detect his own error, or it may be picked up by colleagues,
supervisors or quality control.

 It is vital that aircraft maintenance engineers learn from their own errors
and from the errors made by others in the industry.

Tail Ballast incident


 When an error occurs in the maintenance system of an airline, the engineer
who last worked on the aircraft is usually considered to be 'at fault'. However,
blame does not necessarily act as a positive force in aircraft maintenance: it
can discourage engineers from 'coming clean' about their errors. They may
cover up a mistake or not report an incident.

 It may also be unfair to blame the engineer if the error results from a failure
or weakness inherent in the system which the engineer has accidentally
discovered (for example, a latent failure such as a poor procedure drawn up
by an aircraft manufacturer - possibly an exceptional violation).

Lost tools

Avoiding and Managing Errors

 The first point is to accept that reducing errors to an absolute minimum is
always a goal of any error management process. The second issue is to
contain them. Error management (EM) is a very broad term covering a wide
variety of measures. These can be classified under two headings:

 Error reduction: Measures designed to limit the occurrences of errors,
and
 Error containment: Measures designed to limit the adverse
consequences of those errors that still occur.


 Error management has actually been around for a long time as anyone would
expect. It just has not been put forward as an acceptable approach. In the
past, people have targeted zero error as the safety issue rather than error
management per se. This has as much to do with the culture of the industry
people are in as it has to do with any particular management or
organisational bent towards punishment for errors.

 In the past, the regulatory authorities have been guilty of leaping out from
behind bushes having watched errors being committed. This tactic has
more to do with the mandate of an enforcement agency than it does with a
safety regulatory authority. It is fair to say that most authorities have
changed their approach to regulation quite markedly over the last 10 or 15
years for the better.

 Managing errors within the aviation industry has always been part of the
mandate and many of the systems currently in place are set up
specifically for that reason.


Measures to minimize Errors


 minimise the error liability of the individual or the team;

 reduce the error vulnerability of particular tasks or task elements;

 discover, assess and then eliminate error-producing (and
violation-producing) factors within the workplace;

 diagnose organisational factors that create error-producing
factors within the individual, the team, the task or the workplace;

 enhance error detection;

 increase the error tolerance of the workplace or system;

 make latent conditions more visible to those who operate and manage the
system;

 improve the organisation's intrinsic resistance to human fallibility.



HOW to reduce errors at work? Share one IDEA.

Short Answer submissions (1/2)

Name: Response
SEAN LEROY RAJAH: Thorough breakdown on the task’s objective for the day and clarification of role management amongst staff involved in the project. Ensure task is signed off diligently upon completion.
LEE KWEE JYE, JOSHUA: when ensure always seek help
WEE CHUN YEE GIGGS: Have signage to remind what to look for
TING WEN QUAN: Use administrative control
ENG SIAK PENG: always follow manual/checklist
MOHAMED SHARAFATH: Take breaks
DILYS LEE YU LIN: Do things at a time and mark its completed

Short Answer submissions (2/2)

Name: Response
MUHAMMAD AMIRUL-MUQMIN: Stay alert and have enough rest always
XUE WAN HAO: always check when in doubt
ARIC GEORGE PHILIPS: Ask other people check your work
JADEN LIM: Rewards for good practices


 One of the things likely to be most effective in preventing error is to make
sure that engineers follow procedures. This can be effected by ensuring
that the procedures are correct and usable, that the means of presentation of
the information is user friendly and appropriate to the task and context, that
engineers are encouraged to follow procedures and not to cut corners.

 Ultimately, maintenance organisations have to compromise between
implementing measures to prevent, reduce or detect errors, and making
a profit. Some measures cost little (such as renewing light bulbs in the
hangar); others cost a lot (such as employing extra staff to spread workload).

 Incidents tend to result in short term error mitigation measures but if an
organisation has no incidents for a long time (or has them but does not know
about them or appreciate their significance), there is a danger of
complacency setting in and cost reduction strategies eroding the defences
against error. Reason refers to this as "the unrocked boat".


The “Unrocked Boat”. Source: ICAO SMS Course


 It is important that organisations balance profit and costs, and try to ensure
that the defences which are put in place are the most cost-effective in terms
of trapping errors and preventing catastrophic outcomes.

 Ultimately, it is the responsibility of each and every aircraft maintenance
engineer to take every possible care in his work and be vigilant for
error. On the whole, aircraft maintenance engineers are very conscious of
the importance of their work and typically expend considerable effort to
prevent injuries, prevent damage, and to keep the aircraft they work on safe.


Recognizing and Avoiding Hazards

 Numerous studies and statistical reports show that
the workplace can be dangerous. This is
especially true for work environments with heavy
parts being moved about, with rotating machinery,
with toxic or hazardous materials, and with work
locations that are above the ground. All those
factors are present in aviation maintenance shops.
It is well accepted that an aviation maintenance
workshop can be a hazardous place.

 Dangerous means risky, hazardous, or unsafe. In
the safety profession, situations, tools, or other
elements can be either of the following:
 Imminently dangerous – impending or
immediate risk, such as a bare electrical cord
 Inherently dangerous – usually risky, such as
poisons or explosives.


 Human Factors has played a part in reducing workplace injuries but the
bulk of its contribution has been targeted at reducing human error. Much of
this work is directly applicable to the aviation maintenance workplace. If
nothing else, Human Factors has presented evidence that humans will
commit errors unintentionally no matter how good they are. This evidence
alone has been instrumental in developing systems that can identify and
manage those errors.

 The ultimate fear of any maintenance supervisor, technician, or inspector is
that an error, once committed, will remain undiscovered and ultimately
lead to an accident. There has been some success to date but there is still
no room for complacency. There are both active and latent errors out there
waiting to happen.

 Over the last 50 years, humans have come to understand many of the
factors that contribute to human error. When control is combined with good
human factors design and testing techniques, the effects of many sources of
human error can be controlled.

Error Management (CASA) 5 mins

https://www.youtube.com/watch?v=ryU4fA2IURs

What did you learn from the video that you can apply in the aviation industry?
Limit to just 10 words!


Boeing MEDA

https://sassofia.com/news-press/this-october-in-sofia-maintenance-error-decision-aid-meda-training-course-workshop/

Boeing MEDA


Boeing MEDA
The MEDA philosophy is based on this error model. The fundamental philosophy
behind MEDA is:

Maintenance errors are not made on purpose

Maintenance errors result from a series of contributing factors

Most of these contributing factors are part of an airline process, and, therefore,
can be improved so that they do not contribute to future, similar errors.


Boeing MEDA


Boeing MEDA – Maintenance Error


In the MEDA model, the maintenance error is the error that directly leads to the event.
The errors that are listed are very specific errors related to maintenance technicians
and inspectors. There are seven different major error types listed:

1. Installation error
2. Servicing error
3. Repair error
4. Fault isolation, test, or inspection error
5. Foreign object damage error
6. Airplane/equipment damage error
7. Personal injury error.

An eighth box is provided for “Other” in case the specific error of interest was not
listed in 1-7 above.


Boeing MEDA – Contributing Factors


This checklist will help the analyst identify the contributing factors that contributed
to the error. [Remember, if two or more errors combined to cause the event, it is
important to identify which factors relate to which error.]

There are ten major categories of contributing factors in the checklist:

A. Information
B. Equipment, tools, and safety equipment
C. Aircraft design, configuration, and parts
D. The job or task
E. Technical knowledge and skills
F. Individual factors
G. Environment and facility
H. Organizational factors
I. Leadership and supervision
J. Communication


Boeing MEDA
Error Prevention Strategies
This section is subdivided into two subsections.

Section A asks, “What current existing procedures, processes, and/or policies in your
organization are intended to prevent the incident, but didn’t?”

Section B asks, “List recommendations for error prevention strategies.”


Boeing MEDA
Types of Error Prevention Strategies
In order to help you think through Error Prevention Strategies, the following material
describes the four major types of strategies that you should consider:

1. Error reduction/error elimination - Examples include increasing lighting to
improve inspection reliability and using Simplified English procedures to reduce the
potential for mis-interpretation.

2. Error capturing - refers to tasks that are performed specifically to catch an error
made during a maintenance task. Examples include a post task inspection, an
operational or functional test, or a verification step added to the end of a long
procedure.

3. Error tolerance - refers to the ability of a system to remain functional even after a
maintenance error.

4. Audit programs - refer to an approach that does not directly address a specific
contributing factor. An audit is a high-level analysis of the organization to see if there
are any systemic conditions that may contribute to error.

Summary

 Introduction to Human Error

 Error Models and Theories

 Latent Failure

 Types and Classifications of Errors

 Errors due to Individual Practices and Habits

 Errors associated with Visual Inspection

 James Reason's Study

 Problem Solving / Investigation Tools in Industry

