Section I
Committee Summary Report



Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence Section I Committee Summary Report

The Accident Precursors Project Overview and Recommendations

In 2003, the National Academy of Engineering Program Office undertook the Accident Precursors Project to examine the complex issue of accident precursor analysis and management. This seven-month project was designed to document and promote industrial and academic approaches to detecting, analyzing, and benefiting from accident precursors, as well as to understand public-sector and private-sector roles in using precursor information. The committee examined an array of approaches for benefiting from precursor information and discussed these approaches in a workshop held on July 17 and 18, 2003, in Washington, D.C. This report is the official record of the project and the workshop.

THE ACCIDENT PRECURSORS WORKSHOP

The workshop brought together experts on risk, engineers, practitioners, and policy makers from the aerospace, aviation, chemical, health care, and nuclear industries. Participants were selected for their expertise and their interest in engaging in a cross-industry dialogue. Presentations by invited experts in the field were followed by targeted discussions in breakout groups. The workshop presentations addressed four general areas:

- The Opportunity of Precursor Analysis (Section II): the opportunities presented by precursors and some organizational and analytical approaches to detecting and analyzing them
- Risk Assessment (Section III): methods of identifying and modeling different types of precursors
- Risk Management (Section IV): how risks can be understood and mitigated once precursors have been identified and how organizations can engage their members in this endeavor
- Linking Risk Assessment and Risk Management (Section V): how linking risk assessment and risk management can create a continuous improvement process and how industry and government can facilitate this

Breakout and plenary sessions involved discussions by participants focused on advising both private organizations and government agencies on how they might use precursor information to reduce their risk exposure. Discussions were based on drafts of presenters’ papers (provided before the workshop) and were led by facilitators and designated presenters. The Committee on Accident Precursors evaluated the presentations and discussions, as well as additional submissions from Drs. Frosch and Westrum (Appendixes A and B). The resulting findings and recommendations are based on these inputs and subsequent committee deliberations.

Keynote Addresses

James Bagian, director of the Department of Veterans Affairs (VA) National Center for Patient Safety, delivered the opening keynote address. Bagian drew on his personal experiences as well as efforts by the VA to promote patient safety. He described the challenges to engaging individuals and organizations, the difficulty of recognizing when current safety standards are inadequate, and the importance of making commitments to the institutional and management processes necessary to achieving lasting, continuous improvements in safety.

Elisabeth Paté-Cornell, chair of the Department of Management Science and Engineering at Stanford University, delivered the dinner keynote address. Paté-Cornell highlighted past examples of the management of precursors.
In some cases, precursors were ignored, and catastrophes followed. In other cases, precursors were recognized as warning signs, and disasters may have been avoided. Paté-Cornell also provided an overview of some of the precursor models she and her students have developed for use as decision aids. These models have been used in a broad range of applications, from optimizing the alert thresholds of warning systems, such as fire alarms (Paté-Cornell, 1986), to aiding in combating terrorism (Paté-Cornell and Guikema, 2002).

Presentations

Workshop presenters discussed how precursors could be identified and managed. Michal Tamuz of the University of Tennessee Health Science Center discussed similarities and differences in approaches to collecting and assessing precursor data in the aviation, health care, and nuclear power industries, among others. William Corcoran, president of the Nuclear Safety Review Concepts Corporation, used historical examples to illustrate the distinctions between different kinds of precursors. Martin Sattison, manager of the Risk, Reliability and Regulatory Support Department at the Idaho National Engineering and Environmental Laboratory, provided a historical overview of the U.S. Nuclear Regulatory Commission (U.S. NRC) Accident Sequence Precursor (ASP) Program and outlined lessons that could be transferred to other industries.

The next group of speakers described organizational barriers to, and opportunities for, leveraging precursor information to reduce the likelihood of accidents. Dennis Hendershot, senior technical fellow of the Rohm and Haas Company, provided everyday and industrial examples illustrating how systems can be designed or redesigned to make them inherently safer. Tjerk van der Schaaf of the Eindhoven University of Technology pointed out potential “blind spots” in reporting systems, showing why many types of near misses can go unreported. John Carroll of the Sloan School of Management of the Massachusetts Institute of Technology discussed how knowledge about potential accidents could be shared throughout an organization, both formally and informally.

The last group of speakers described approaches to engaging stakeholders, institutions, and industries in the process of identifying and managing accident precursors. Linda Connell, director of the National Aeronautics and Space Administration (NASA) Aviation Safety Reporting System (ASRS), described the history and implementation of ASRS and discussed its potential applicability in the health care, nuclear power, maritime, and security domains.
Christopher Hart, assistant administrator for the Federal Aviation Administration (FAA) Office of System Safety, identified the hurdles to improving an already high level of safety (a “plateau”) and discussed how a recognition of precursors could help to achieve this end. Yacov Haimes, director of the Center for Risk Management of Engineering Systems of the University of Virginia, discussed the transferability of methods used to identify and mitigate accident precursors to security systems for combating terrorism.

INTRODUCTION

In the aftermath of catastrophes, it is common to find prior indicators, missed signals, and dismissed alerts that, had they been recognized and appropriately managed before the event, might have averted the undesired event. Indeed, the accident literature is replete with examples, including the space shuttle Columbia (CAIB, 2003), the space shuttle Challenger (Vaughan, 1997), Three Mile Island (Chiles, 2002), the Concorde crash (BEA, 2002), the London Paddington train crash (Cullen, 2000), and American Airlines Flight 587 to Santo Domingo (USA Today, May 25, 2003), among many others (Kletz, 1994; Marcus and Nichols, 1999; Turner and Pidgeon, 1997). Recognizing signals before an accident clearly offers the potential of improving safety, and many organizations have attempted to develop programs to identify and benefit from accident precursors. In this summary, the committee examines how these programs can be designed to reduce system risk exposure and the responsibilities of various constituents in implementing or facilitating these programs.

At first glance it might appear that the design and operation of precursor programs would be relatively straightforward. This perception may be the result of hindsight bias (Fischhoff, 1975; Hawkins and Hastie, 1990), that is, after an accident, individuals often believe that the accident should have been considered highly likely, if not inevitable, by those who observed the system prior to the accident. (Hindsight bias also helps to explain the frequent discrepancies between pre- and post-accident risk assessments.) In fact, upon examination, designing and running a precursor management program turns out to be challenging.

In order to leverage precursor information, precursor programs must be able to identify possible threats before they occur; detect, filter, and prioritize precursors when they occur; evaluate precursor causes; and identify and implement corrective actions (see for example Lakats and Paté-Cornell, in press). Although creating programs with all of these features can be difficult, it is important to consider how it can be done and whether existing programs can be improved. For example, are some individuals, companies, organizations, or even industries better able to envision and respond to potential accidents than others?
If so, what processes do they use, and what organizational structures, management approaches, and regulatory frameworks support these processes?

The first topic addressed in this summary is the opportunity presented by accident precursors for improving safety. Next, a case is made, based on historical examples, for the need for a better understanding of precursor management. This is followed by several examples of precursor programs illustrating differences and parallels in approaches. The final section includes the committee’s findings and recommendations.

Defining Accident Precursors

Accident precursors can be defined in a number of ways. To encourage a wide-ranging discussion of alternative definitions and reporting systems, the committee deliberately chose a broad definition. Precursors were defined as the conditions, events, and sequences that precede and lead up to accidents. Based on this definition, precursor events can be thought of loosely as “building blocks” of accidents and can include both events internal to an organization (such as equipment failures and human errors) and external events (such as earthquakes and hurricanes). This definition helped the committee (and the workshop participants) focus their discussions on the management of events that could progress to accidents, without unduly limiting or foreclosing those discussions. The definition also helped the committee and workshop participants distinguish between actual events and general underlying conditions (such as an organization’s culture) that may not be part of a specific accident scenario but may still influence the likelihood of an accident.

Some organizations, such as the U.S. NRC, have chosen to limit the use of the term “precursors” to events that exceed a specified level of severity. For example, precursors might be defined as the complete failure of one or more safety systems and/or the partial failure of two or more safety systems. Similarly, a quantitative threshold may be established for the conditional probability of an accident given a precursor, and events of lesser severity either not considered precursors, or at least not singled out as deserving of further analysis. Other organizations have designed and implemented incident reporting systems that address incidents with a much wider range of severities, including defects or off-normal events that may involve inconsequential losses of safety margins. In such cases, of course, screening, filtering, and prioritizing reported incidents is necessary to identify the events that merit further analysis; in addition, there must be a recognition that the reporting of an event is not necessarily a prejudgment of its risk significance.

Both approaches to defining precursors have advantages and disadvantages. Setting the threshold for reporting too high or defining reportable precursors too precisely may mean that risk-significant events may not be reported, especially if they were not anticipated.
Moreover, it may be impossible to develop a precise definition of reportable precursors in relatively new or immature technologies and systems or in systems for which no quantitative risk analyses are available. Conversely, setting the threshold for reporting too low runs the risk that the reporting system may be overwhelmed by false alarms, especially if the system design requires some corrective action or substantial analysis for all reported events. In addition, too low a reporting threshold can lead to a perception that the reporting system is of little value.

These competing trade-offs can lead to errors, as shown in Table 1. Type I errors are reported events that do not pose a significant risk. Type II errors are events that do pose a significant risk but are not reported.

TABLE 1 Errors in Event Reporting

                      Safety Significant                          Not Significant
Event reported        True positive (the event is significant)    False positive (Type II error)
Event not reported    False negative (Type I error)               True negative (the event is not significant)

Finally, even reporting systems based on strict definitions of accident precursors with high thresholds for reporting may need a mechanism that allows for reporting new and previously unexpected precursors if they are judged to be severe. Sometimes, a single unrecognized or “hidden” flaw can render a technology much less safe than had been believed (Freudenburg, 1988), and precursor reporting systems are typically used for technologies in which unforeseen problems can have serious consequences.

THE OPPORTUNITY OF PRECURSOR MANAGEMENT

Programs for managing accident precursors have a number of benefits, as outlined by van der Schaaf et al. (1991). First, reviewing and analyzing observed precursors can reveal what can go wrong with a particular system or technology and how accidents can develop (modeling). For example, a precursor may reveal a previously unknown failure mode, which can then be incorporated into an updated model of accident risk.

Second, because precursors generally occur much more often than accidents, analyses of accident precursors can help in trending the safety of a system (monitoring). For example, a precursor reporting system can provide evidence of improving or deteriorating safety trends and hence decreasing or increasing accident likelihoods. This information might not be apparent from sparse or nonexistent accident data. Trends in observed precursors can also be used to analyze the effectiveness of actions taken to reduce risk.

Finally, and perhaps most important, precursor programs can improve organizational awareness (mindfulness) of safety problems (Weick and Sutcliffe, 2001). In organizations where actual accidents are rare, the dissemination of information on accident precursors can reduce complacency.
Thus, the establishment of a precursor program may encourage an ongoing dialogue about safety in an organization, resulting in greater awareness of what can go wrong and greater willingness to discuss potential risks and safety hazards. Even if these discussions are not part of the formal precursor program, the more effective safety culture that they represent may still be a result of that program. One way organizations seek to benefit from precursors is by analyzing near misses (sometimes referred to as near accidents, near hits, or close calls), fragments of an accident scenario that can be observed in isolation—without the occurrence of an accident. For a given accident scenario, near misses can and frequently do occur with greater frequency than the actual event (Bird and Germain, 1996). Several examples from the accident literature confirm this expectation, including the Concorde air crash (BEA, 2002), the London Paddington train crash (Cullen, 2000), and the Morton Salt chemical plant explosion (CSB, 2002); all three of these catastrophes were preceded by near misses, and some of the precursor events in the near misses were also parts of the eventual accident scenarios. To organizations seeking to learn about potential accidents, near misses represent inexpensive learning opportunities for analyzing what can go wrong.

Near misses are especially important for organizations that have not experienced a major accident, because they enable these organizations to experience what March et al. (1991) refer to as “small histories”—or fragments of what might be experienced if an accident occurred. To benefit from near misses, organizations ranging from hospitals to manufacturing facilities and airlines to power plants, have set up management systems for reporting and analyzing near misses (see examples documented in this report and Barach and Small, 2000; Bier and Mosleh, 1990; Jones et al., 1999; van der Schaaf, 1992).

Analyses of accident precursor data can also be useful in conjunction with probabilistic risk analyses (PRAs). A PRA, also sometimes called a quantitative risk assessment or probabilistic safety assessment, is a method of estimating the risk of failure of a complex technical system by deconstructing the system into its component parts and identifying potential failure sequences. PRA has been used in a variety of applications, including transportation, electricity generation, chemical and petrochemical processing, aerospace, and military systems. PRA methods make it possible to quantify the likelihood that each type of precursor will lead to accidents of different severities by assessing the conditional probability of accidents given certain precursors (Bier, 1993; Cooke and Goosens, 1990; Minarick and Kukielka, 1982). Such information can be helpful in prioritizing precursors for further investigation and/or corrective action. For an in-depth discussion of PRA, see for example Bedford and Cooke (2001) or Kumamoto and Henley (2000).

Precursor analyses have different strengths and weaknesses than PRAs and can, therefore, be used in conjunction with PRA models. PRA risk estimates are often heavily dependent on assumptions in the PRA model.
For example, although every attempt is made to include important dependencies when they are recognized, a PRA may nonetheless incorrectly assume that two particular events are independent of each other. Because empirical data on observed precursors are relatively free of such assumptions, they can be used to assess the validity of those assumptions. Thus, if two events are positively correlated rather than independent, precursors involving both of them will tend to occur more often than predicted under the assumption of their independence, providing a potentially more accurate estimate of accident risks (and a check on the validity of the PRA model).

Other approaches have also been used to take advantage of precursor data. Automated surveillance systems, fault detection algorithms, and a variety of alarm systems are examples of systems that attempt to recognize precursors automatically. These methods have one common characteristic—they attempt to leverage precursor data to gain a better understanding of potential accidents.

Compared to purely statistical analyses of observed accident frequencies, near-miss analyses, PRA methods, and other precursor analyses can be viewed as examples of “decomposition” (i.e., breaking an accident scenario up into its component parts or building blocks). Forecasting expert J. Scott Armstrong of the Wharton School, University of Pennsylvania, notes that decomposition typically leads to better judgments, particularly in cases where uncertainty is high (as in the likelihood of an accident, where estimates can vary by orders of magnitude). Armstrong (1985) describes the following merits of decomposition:

- It allows the forecaster to use information in a more efficient manner.
- It helps to spread the risk; errors in one part of the problem may be offset by errors in another part.
- It allows the researchers to split the problem among different members of a research team.
- It makes it possible for expert advice to be obtained on each part.
- Finally, it permits the use of different methods on different parts of the problem.

Comparing Accident Analysis and Precursor Analysis

One of the most attractive aspects of precursor analysis is the abundance of precursor events compared to actual accidents (Bird and Germain, 1996). Thus, precursor data sets are often much richer than accident data sets. Analyzing precursor data can therefore reduce the uncertainty about the likelihood of an accident and lead to better decisions.

The committee believes that in many cases precursor events can be more effectively analyzed than accidents. After an accident, it may be difficult to determine what actually occurred for a variety of reasons: damage can be so severe that accident reconstruction may be inaccurate; the investigation may require too much time or money; legal and financial concerns may create disincentives that affect the investigation (e.g., individuals or organizations may be unwilling to disclose information that could increase their liability, or they may share information selectively); and witnesses may be unavailable.
In contrast, when analyzing accident precursors, the system itself is usually intact, and stakeholders and witnesses may be more willing to report and share information about the event.

Comparing precursor analysis with accident analysis also reveals some of the challenges of benefiting from precursor information. Because precursors are likely to be numerous, resource limitations may make it impractical to investigate all of them to the level of detail that would normally be used in an accident investigation. Hence, thresholds are often set to select the precursors that are most indicative of system risk (Paté-Cornell, 1986). If a large number of precursors are considered important enough for analysis, they may be subjected to further prioritization and filtering.

Moreover, the potential for precursor events to develop into actual accidents might be unclear. As in any use of decomposition methods, the resulting model may not be entirely accurate (Bier et al., 1999); for example, there may be erroneous assumptions as to which additional events would be necessary to cause an accident given a particular precursor. In fact, non-accident precursors are inherently ambiguous (Bier and Mosleh, 1990) because they provide indications of system safety (e.g., the fact that an actual accident did not occur), as well as indications of risk (e.g., the fact that a precursor did occur). Thus, if a precursor occurs and no accident follows, some individuals may (correctly or incorrectly) conclude that the system is less prone to accidents than was initially believed, and there may be disagreements and debates about how seriously that precursor should be taken.

Because of their less dramatic end states, precursor events may seem less salient as lessons learned than accidents. For example, corrective actions developed in response to precursor data may be less persuasive and more open to question than corrective actions based on actual accidents (March et al., 1991). Because accidents are at least partly random, there is no guarantee that corrective actions adopted in response to even relatively severe precursors will actually prevent an accident. Decision makers may, therefore, pay less attention to precursors than to accidents, and it may be difficult to persuade them to make changes in technical or organizational designs based on observations of precursors.

Finally, legal concerns may compel an organization to analyze an accident thoroughly but may also inhibit the use of precursor data. For example, showing that an organization knew about a particular precursor but did not take corrective action could increase the organization’s liability in the event of an actual accident. As a result, some organizations may be reluctant to establish formal precursor reporting programs; for example, they may rely on oral, rather than written, notification of observed precursors.

We can also compare the costs associated with precursor and accident analysis. Accidents can have a number of direct costs, such as medical expenses, costs associated with employee convalescence, and equipment damage.
In contrast, precursor events may have minimal if any direct costs. Accidents also have a number of indirect costs that may far outweigh the direct costs. Typical indirect costs include lost production, a drop in employee morale, scheduling delays, additional hiring/training, legal costs, and the costs of implementing corrective actions. After a precursor event, many of these indirect costs may not apply (e.g., there may be no lost production) or may be lower than if an actual accident had occurred. From this comparison, one might wonder if implementing a precursor analysis program can be more cost effective than assuming the risks and costs of the accident the program is intended to prevent. To the committee’s knowledge, no comprehensive cost-benefit analysis of precursor analysis programs has been conducted. Nonetheless, the committee firmly believes that precursor programs can be, and often are, cost effective. That is, the costs associated with achieving risk reduction through a precursor program are far lower than the risk-adjusted costs assumed when no such program is in place and precursors are not systematically analyzed.

ating the risks posed by deviations. Deviations that are judged to be unacceptable after careful scrutiny should trigger corresponding contingency responses.

Recommendation 3. Activities with potentially significant risks should be subjected to an appropriate level of hazard analysis, which should then be used to help identify and define precursor events of concern.

Reporting Precursors

Finding 4. Barriers to reporting precursor events include a variety of factors: fear of blame for an event; reluctance to report a coworker’s failure; concerns about liability; and lack of time to complete reports.

Precursor events that do not result in damage or loss, are witnessed by only a few people, or that cannot be readily monitored by a surveillance system can be difficult to capture in a reporting system. For management to learn of such events, the workforce must be actively engaged in the program. Christopher Hart outlines a number of legal and political barriers that can impede the reporting of potential errors to management or regulatory authorities, including (p. 147 in this volume):

- The belief that an individual may be held responsible for a precursor event that he or she reports.
- The potential for criminal prosecution of the individuals involved in an event.
- The possibility that the information could be disseminated to the public.
- The possibility that the information could be used in civil litigation proceedings.

Others have cited additional barriers to reporting, including lack of confidence that a report will result in safety improvements and lack of time to complete the report and still complete other tasks (Bridges, 2000). Management must develop strategies to overcome such barriers.

Recommendation 4. Organizations that implement precursor management systems should ensure that the work environment encourages honest reporting of problems as part of a positive safety-improvement culture.

Prioritizing Precursors and Disseminating Precursor Information

Finding 5. Organizations considering or implementing precursor programs face a variety of challenges, including filtering and prioritizing reports for effective analysis and identifying sound risk-reduction responses to observed precursors.

OCR for page 1
Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence Programs that motivate individuals to report precursors face other challenges, such as how to manage the reported information effectively. If only a few reports are submitted, they can all be analyzed and disseminated to the relevant parties (as is typically done for serious accidents). However, if a large number of precursor reports are submitted, resource constraints may make it difficult to analyze all of them, and it may be impractical to share information about all reported events with everyone participating in the program. For example, ASRS receives about 2,900 reports a month, only 15 to 20 percent of which are logged because of resource constraints (Strauss and Morgan, 2002). Prioritizing precursor events once they have been reported can also be a challenge. A number of approaches are currently used to prioritize precursors. In some programs, one or more individuals involved in the program simply screen precursor events and prioritize them subjectively. Sometimes, a database of historical events and precursors is used for trending purposes (e.g., to identify increasing or decreasing rates of particular types of precursors over time). In addition, mathematical modeling can be used to assess the probability of an accident conditional on a given type of precursor—as a measure of precursor severity, for example. PRA can be used to estimate the likelihood of accidents based on precursor information and to reduce uncertainties about accident risk. Delphi approaches can also be used to solicit and aggregate expert information on the likelihood of accidents. Recommendation 5. Organizations should link precursor programs to the hazard assessment methodology used to manage safety and reliability, thereby developing a basis for setting priorities and using precursor information to establish measurements for improvements in risk. 
Organizational Commitment

The ability to leverage precursor information to reduce risk exposure depends heavily on organizational endorsement, commitment, and leadership. Organization leaders must be involved in the development and implementation of precursor programs and must have a clear understanding of each program’s structure, merits, and potential vulnerabilities.

Finding 6. Each organization has its own management structures, history, and culture, which are integral to both its safety philosophy and the role of precursor programs as part of the organization’s commitment to safe, reliable operation. The design of a precursor program must be sensitive to the characteristics of the particular situation, such as management structures, industry and organizational history, government and labor relations, the regulatory environment, legal considerations and constraints, the financial health of the industry and organization, and public perceptions of the risks posed by the industry in question.

To ensure continued participation, precursor programs must also lead to demonstrable improvements in safety. Because improvements resulting from precursor programs may not be readily visible to the casual observer, they should be audited and evaluated in terms of both risk reduction and cost effectiveness, and the resulting information should be shared with the people expected to participate in the program to encourage them to continue their participation. Evaluating whether safety improvements achieve the desired objectives requires organizational and management commitment to the program, as well as adequate resources.

Recommendation 6. Precursor programs should be implemented with the commitment of management at all levels, and measurable safety improvements attributable to the program should be publicized.

Engaging Industry

Finding 7. Many precursor events (and major accidents) occur in the private sector. Therefore, to reduce accident rates through precursor management, the private sector must be actively engaged in identifying and managing precursor events. Although an increasing number of companies in high-hazard industries (i.e., industries that may experience catastrophic events) have initiated precursor or near-miss reporting programs, the committee believes this represents only a small fraction of the companies that could benefit from such programs. The committee encourages companies that do not have programs in place to examine industry best practices and implement programs suited to their needs and the hazards they face.

Recommendation 7. Companies in high-hazard industries should institute and/or maintain formal precursor programs for the collection, analysis, and sharing of risk-related information.
Finding 8. In some cases, channels for communicating risk-related information among companies in high-hazard industries are weak or nonexistent. Many companies have valid concerns about sharing information, such as concerns about releasing proprietary information and/or the legal implications of sharing information. As a result, important information may either not be shared or may be shared only after it has been stripped of essential facts, so that it is of relatively little use to the recipient.

Participation by multiple parties in information sharing often amplifies the benefits derived from the information, especially when the parties face common risks. Hence, the committee encourages companies to work to overcome the barriers and develop novel approaches to sharing risk-related information. For instance, in a regulated industry, a private third party could play the role of honest broker, instead of a government agency, with government approval of the overall approach. A similar model is already being used in the chemical industry, where a number of chemical companies participate in the Process Safety Incident Database maintained by the Center for Chemical Process Safety (CCPS). The CCPS (a division of the American Institute of Chemical Engineers) collects, de-identifies, and shares anonymous information about accidents, incidents, and near misses with participating companies (Kelly and Clancy, 2001).

Recommendation 8. Companies in high-hazard industries should develop strategies for sharing risk-related information with other companies, when possible, as well as with other plants and facilities within their own companies, and should work to make proprietary information “shareable” between companies.

Finding 9. Greater cross-industry sharing of risk-related research, experiences, and practices could be widely beneficial, as evidenced by the cross-industry learning experienced at the workshop. The advance of precursor practices and research requires open channels of communication—not only among the facilities of a single company or among firms in the same industry, but also among industries. It was evident at the workshop that industries have much to learn from each other and that obstacles in one industry might be overcome by leveraging the research and practices of other industries.
More cross-industry sharing would encourage both research and the conversion of research results to reliable, effective practices. Cross-industry sharing could be facilitated by bringing together members of high-hazard industries regularly to discuss risk-related issues. This could be done by trade organizations, the National Academies, the Society for Risk Analysis, the Public Entity Risk Institute, and/or government bodies.

Recommendation 9. Organizations should support and participate in cross-industry collaborations on precursor management and research.

Engaging Government

Even though government institutions are already engaged in facilitating the reporting and analysis of precursors, the committee believes that government could do more to foster the cross-company and cross-industry sharing of information. However, government actions must be carefully considered to ensure that they encourage rather than discourage individuals and organizations from participating in precursor identification and management programs.

Finding 10. Existing regulatory models for using precursor data are potentially applicable to multiple industries. Government agencies seeking to leverage precursor information in an industry should consider adapting approaches that have already been developed for other industries. For example, analogous versions of the ASAP and ASRS models have been developed for industries other than aviation. In the ASAP model, each company collects and manages near-miss and precursor data in parallel with other companies using similar data-collection methods. Phimister et al. (2003) and Barach and Small (2000) discuss similar reporting systems in the chemical and health care industries, respectively. In the ASRS model, a third party (in this case, NASA) is endorsed by the regulatory agency as an honest broker. The Department of Veterans Affairs uses a similar reporting system in health care settings.

Transferring precursor program models from one industry to another must be done carefully, however. Workforces may have different cultures that affect the acceptability of particular models; stakeholders may have different relationships; issues of proprietary information may impede the transfer of safety-sensitive information; and legal issues may hinder the sharing of information. Finally, incentives for sharing information about risks may differ from one industry to another. Steps that can be taken to encourage the adoption of precursor programs include providing economic incentives for information sharing, aligning market mechanisms to encourage precursor management (e.g., through reductions in insurance premiums), and third-party inspections of corporate risk-management programs (Carroll and Hatakenaka, 2001; Kunreuther et al., 2002).
Recommendation 10. Government agencies overseeing high-hazard industries or technologies that do not have a cohesive strategy for managing precursor information should develop an initial agency policy on precursor management to initiate a dialogue on how precursors can and should be managed.

The committee notes that some industries and agencies have already initiated activities consistent with this recommendation. For example, a white paper prepared by the Volpe Center (2003) served as the basis for a discussion at a railroad industry workshop held in 2003. The paper and workshop helped initiate an industry dialogue to evaluate how precursor information is currently used in the industry and how it could be used more effectively to improve railroad safety. In addition, as part of the Safety Data Initiative at the Bureau of Transportation Statistics, working groups have been charged with collecting better data on accident precursors and expanding the collection of near-miss data to all modes of transportation (BTS, 2002b).

Finding 11. There is already an ongoing research agenda in precursor analysis and management. The committee believes that further research on precursor management would lead to higher levels of system safety. Given the number and severity of technological accidents in the past two decades, research should be considered a high priority for agencies that regulate high-hazard industries. The source(s) and amount of funding for such research will vary from one industry to another.

Because many disciplines in engineering, physical sciences, and social sciences can contribute to precursor analysis and management, and because the research needs vary from one industry to another, it is difficult to prioritize research topics. However, areas of general interest that may benefit precursor management programs might include: the identification of trends in large amounts of statistical data; the design of fault-tolerant systems; human factors analysis; the design of human-machine interfaces; team dynamics in safety-critical system operations; and organizational learning and leadership. Research topics directly usable in precursor programs might include: data acquisition methods; improved fault-detection algorithms; risk modeling and trending methods; the relative effectiveness of alternative regulatory frameworks for precursor reporting and management; industry epidemiological analyses; and strategies for engaging large organizations in risk management. Academia, industry, government, and collaborative public-private projects could all be involved in research on these topics and other challenges identified in the papers in this report.

The committee also believes that basic research on precursor management would benefit numerous industries. Some of the most effective practices in precursor management are summarized in this report, but there are still significant uncertainties about the effectiveness of different approaches—partly because of insufficient scientific evaluations of precursor management methods. For example, basic scientific research could compare the merits of voluntary and mandatory reporting systems or quantify the decrease in system risks affected by precursor programs (e.g., using PRA or industry epidemiological analysis). The committee encourages the National Science Foundation and the mission agencies to support basic research in these and related areas.

Recommendation 11. Mission agencies with discretionary research budgets should support precursor-related research and pilot studies relevant to their respective missions. In addition, funding agencies and foundations should support basic research on using accident precursors in risk management programs and the characteristics of effective precursor information management.

CONCLUSION

The practice of searching for and learning from accident precursors is a valuable complement to other safety management practices, such as sound system engineering, adherence to standards, and the design of robust, fault-tolerant systems. Maintaining safety is an ongoing, dynamic process that does not stop when a technology has been designed, built, or deployed. Despite the best engineering practices, and despite strict adherence to standards and ongoing maintenance, indicators of future problems can and do arise. Organizations that formally search for and manage accident precursors can continually find opportunities for improving safety and can thereby reduce the probability of disasters.

REFERENCES

Armstrong, J.S. 1985. Long-Range Forecasting: From Crystal Ball to Computer. New York: John Wiley and Sons.
Asch, D.A., and R.M. Parker. 1988. The Libby Zion case: one step forward or two steps backward? New England Journal of Medicine 318(12): 771–775.
ASRS (Aviation Safety Reporting System). 2001. The Office of the NASA Aviation Safety Reporting System. Callback 260. Moffett Field, Calif.: National Aeronautics and Space Administration.
ASRS. 2003. ASRS Program Overview. Available online: http://asrs.arc.nasa.gov/overview_nf.htm.
Barach, P., and S.D. Small. 2000. Reporting and preventing medical mishaps: lessons from non-medical near miss reporting systems. British Medical Journal 320(7237): 759–763.
Bates, D.W., L.L. Leape, D.J. Cullen, N. Laird, L.A. Petersen, J.M. Teich, E. Burdick, M. Hickey, S. Kleefield, B. Shea, M. Vander Vliet, and D.L. Seger. 1998. Effect of computerized physician order entry and a team intervention on prevention of serious medication errors. Journal of the American Medical Association 280(15): 1311–1316.
Bates, D.W., J.M. Teich, J. Lee, D. Seger, G.J. Kuperman, N. Ma’Luf, D. Boyle, and L. Leape. 1999. The impact of computerized physician order entry on medication error prevention. Journal of the American Medical Informatics Association 6(4): 313–321.
Battles, J.B., H.S. Kaplan, T.W. Van der Schaaf, and C.E. Shea. 1998. The attributes of medical event-reporting systems: experience with a prototype medical event-reporting system for transfusion medicine. Archives of Pathology and Laboratory Medicine 122(3): 231–238.
BEA (Bureau d’enquetes et d’analyses pour la securite de l’aviation civile). 2002. Accident on 25 July 2000 at “La Patte d’Oie” in Gonesse (95), to the Concorde, registered F-BTSC operated by Air France. Paris: Ministere de l’equipement des transports et du logement. Available online: http://www.bea-fr.org/docspa/2000/f-sc000725pa/pdf/f-sc000725pa.pdf.
Bedford, T., and R. Cooke. 2001. Probabilistic Risk Analysis: Foundations and Methods. Cambridge, U.K.: Cambridge University Press.
Bier, V.M. 1993. Statistical methods for the use of accident precursor data in estimating the frequency of rare events. Reliability Engineering and System Safety 41: 267–280.
Bier, V.M., Y.Y. Haimes, J.H. Lambert, N.C. Matalas, and R. Zimmerman. 1999. A survey of approaches for assessing and managing the risk of extremes. Risk Analysis 19(1): 83–94.
Bier, V.M., and A. Mosleh. 1990. The analysis of accident precursors and near misses: implications for risk assessment and risk management. Reliability Engineering and System Safety 27(1): 91–101.
Bird, F.E., and G.L. Germain. 1996. Practical Loss Control Leadership. Revised ed. Calgary, Alberta: Det Norske Veritas.

Birkmeyer, J.D., C.M. Birkmeyer, D.E. Wennberg, and M.P. Young. 2000. Leapfrog Safety Standards: Potential Benefits of Universal Adoption. Washington, D.C.: The Leapfrog Group.
Bourrier, M. 1996. Organizing maintenance work at two nuclear power plants. Journal of Contingencies and Crisis Management 4: 104–112.
Bridges, W.G. 2000. Get Near Misses Reported, Process Industry Incidents: Investigation Protocols, Case Histories, Lessons Learned. Pp. 379–400 in Proceedings of the International Conference and Workshop on Process Industry Incidents: Investigation Technologies, Case Histories, and Lessons Learned. October 2, 5, 6, 2000. New York: American Institute of Chemical Engineers.
BTS (Bureau of Transportation Statistics). 2002a. Project 6 Overview: Develop Better Data on Accident Precursors or Leading Indicators. In Safety in Numbers Conference Compendium. Washington, D.C.: Bureau of Transportation Statistics.
BTS. 2002b. Project 7 Overview: Expand the Collection of “Near-Miss” Data to All Modes. In Safety in Numbers Conference Compendium. Washington, D.C.: Bureau of Transportation Statistics. Available online: http://www.bts.gov/publications/safety_in_numbers_conference_2002/project07/project7_overview.html.
CAIB (Columbia Accident Investigation Board). 2003. Columbia Accident Investigation Board Report. Vol. 1. Washington, D.C.: National Aeronautics and Space Administration. Available online at: www.caib.us/news/report.
Carroll, J.S., and S. Hatakenaka. 2001. Driving organizational change in the midst of crisis. MIT Sloan Management Review 42(3): 70–79.
Chess, C., A. Saville, M. Tamuz, and M. Greenberg. 1992. The organizational links between risk communication and risk management: the case of Sybron Chemicals Inc. Risk Analysis 12(3): 431–438.
Chiles, J.R. 2002. Inviting Disaster: Lessons from the Edge of Technology. New York: HarperCollins.
CIRAS (Confidential Incident Reporting and Analysis System). 2003. CIRAS Executive Report. Glasgow, U.K.: CIRAS.
Classen, D. 2003. Engineering a Safer Medication System Creating a National Standard. Presentation to the National Academy of Engineering/Institute of Medicine Workshop on Engineering and the Health Care System, February 6–7, 2003, Irvine, California.
Cook, R., D. Woods, and C. Miller. 1998. A Tale of Two Stories: Contrasting Views of Patient Safety. Chicago: National Patient Safety Foundation.
Cooke, R., and L. Goossens. 1990. The Accident Sequence Precursor methodology for the European post-Seveso era. Reliability Engineering and System Safety 27: 117–130.
CSB (Chemical Safety Board). 2002. Investigation Report: Chemical Manufacturing Incident. NTIS PB2000-107721. Washington, D.C.: Chemical Safety Board.
Cullen, W.D. 2000. The Ladbroke Grove Rail Inquiry. Norwich, U.K.: Her Majesty’s Stationery Office.
DOT-FAA (U.S. Department of Transportation, Federal Aviation Administration). 1997. Advisory Circular Aviation Safety Action Programs (ASAP), AC# 120-66. Washington, D.C.: Federal Aviation Administration.
DOT-FAA. 2000. Advisory Circular Aviation Safety Action Programs (ASAP), AC# 120-66A. Washington, D.C.: Federal Aviation Administration.
DOT-FAA. 2002. Advisory Circular: Aviation Safety Action Programs. AC# 120-66B. Washington, D.C.: U.S. Department of Transportation.
DOT-FAA. 2003. Advisory Circular: Aviation Safety Action Programs. AC# 120-66C. Washington, D.C.: U.S. Department of Transportation.
DOT-NHTSA (U.S. Department of Transportation, National Highway Traffic Safety Administration). 2002. Reporting of Information and Documents About Potential Defects Retention of Records That Could Indicate Defects; Final Rule, CFR, Vol. 67, No. 132. Washington, D.C.: U.S. Department of Transportation.

Dowell, A.M., and D.C. Hendershot. 1997. No good deed goes unpunished: case studies of incidents and potential incidents caused by protective systems. Process Safety Progress 16(3): 132–139.
Er, J., H.C. Kunreuther, and I. Rosenthal. 1998. Utilizing third-party inspections for preventing major chemical accidents. Risk Analysis 18(2): 145–153.
Evans, R.S., S.L. Pestotnik, D.C. Classen, T.P. Clemmer, L.K. Weaver, J.F. Orme, J.F. Lloyd, and J.P. Burke. 1998. A computer assisted management program for antibiotics and other antiinfective agents. New England Journal of Medicine 338(4): 232–238.
Fischhoff, B. 1975. Hindsight ≠ foresight: the effect of outcome knowledge on judgment under uncertainty. Journal of Experimental Psychology: Human Perception and Performance 1: 288–299.
Freudenburg, W.R. 1988. Perceived risk, real risk: social science and the art of probabilistic risk assessment. Science 242(4875): 44–49.
GAO (General Accounting Office). 1998. U.S. efforts to implement flight operational quality assurance programs. Aviation Safety 17(7-9): 1–36.
Hawkins, S.A., and R. Hastie. 1990. Hindsight: biased judgments of past events after the outcomes are known. Psychological Bulletin 107: 311–327.
IOM (Institute of Medicine). 2000. To Err Is Human: Building a Safer Health System, L.T. Kohn, J.M. Corrigan, and M.S. Donaldson, eds. Washington, D.C.: National Academies Press.
Johnson, J.W., and D.M. Rasmuson. 1996. The US NRC’s Accident Sequence Precursor Program: an overview and development of a Bayesian approach to estimate core damage frequency using precursor information. Reliability Engineering and System Safety 53: 205–216.
Jones, S., C. Kirchsteiger, and W. Bjerke. 1999. The importance of near miss reporting to further improve safety performance. Journal of Loss Prevention in the Process Industries 12: 59–67.
Kelly, B.D., and M.S. Clancy. 2001. Use a comprehensive database to better manage process safety. Chemical Engineering Progress 97(8): 67–69.
Kilbridge, P., and D. Classen. 2002. Surveillance for Adverse Drug Events: History, Methods and Current Issues. VHA Research Series, Vol. 2. Irving, Texas: Veterans Health Administration.
Kletz, T. 1994. Learning from Accidents, 2nd ed. Oxford, U.K.: Butterworth-Heinemann.
Kumamoto, H., and E.J. Henley. 2000. Probabilistic Risk Assessment and Management for Engineers and Scientists. New York: John Wiley and Sons.
Kunreuther, H.C., P.J. McNulty, and Y. Kang. 2002. Third-party inspection as an alternative to command and control regulation. Risk Analysis 22(2): 309–318.
Kunreuther, H.C., S. Metzenbaum, and P. Schmeidler. 2003. Leveraging the Private Sector: Management-Based Strategies for Improving Environmental Performance. Paper Presented at Conference on Leveraging the Private Sector: Management-Based Strategies for Improving Environmental Performance, July 31–August 1, 2003, Resources for the Future, Washington, D.C.
Lakats, L.M., and M.E. Paté-Cornell. In press. Organizational warning systems: a probabilistic approach to optimal design. IEEE Transactions on Engineering Management 51(2).
LaPorte, T.R. 1988. The United States Air Traffic System: Increasing Reliability in the Midst of Rapid Growth. Pp. 215–244 in The Development of Large-Scale Technical Systems, R. Mayntz and T. Hughes, eds. Boulder, Colo.: Westview Press.
LaPorte, T.R., and P. Consolini. 1998. Theoretical and operational challenges of “high-reliability organizations”: air-traffic control and aircraft carriers. International Journal of Public Administration 21: 847–852.
Leapfrog Group. 2003. The Leapfrog Group Factsheet: Computerized Physician Order Entry System. Revision 4/18/03. Washington, D.C.: The Leapfrog Group.
Lodwick, D.G. 1993. Rocky Flats and the evolution of distrust. Research in Social Problems and Public Policy 5: 149–170.
March, J.G., L.S. Sproull, and M. Tamuz. 1991. Learning from samples of one or fewer. Organization Science 2(1): 1–13.

Marcus, A.A. 1995. Managing with danger. Industrial and Environmental Crisis Quarterly 9(2): 139–152.
Marcus, A.A., and M.L. Nichols. 1999. On the edge: heeding the warnings of unusual events. Organization Science 10(4): 482–499.
Martin, B. 1999. Suppression of dissent in science. Research in Social Problems and Public Policy 7: 105–135.
Minarick, J.W., and C.A. Kukielka. 1982. Precursors to Potential Severe Core Damage Accidents: 1969–1979, A Status Report. NUREG/CR-2497. Washington, D.C.: U.S. Nuclear Regulatory Commission.
O’Neill, A.C., L.A. Petersen, E.F. Cook, D.W. Bates, T.H. Lee, and T.A. Brennan. 1993. Physician reporting compared with medical-record review to identify adverse medical events. Annals of Internal Medicine 119(5): 370–376.
Paté-Cornell, M.E. 1986. Warning systems in risk management. Risk Analysis 5(2): 223–234.
Paté-Cornell, M.E., and P. Fischbeck. 1993. Probabilistic risk analysis and risk-based priority scale for the tiles of the space shuttle. Reliability Engineering and System Safety 40(3): 221–238.
Paté-Cornell, M.E., and S.D. Guikema. 2002. Probabilistic modeling of terrorist threats: a systems analysis approach to setting priorities among countermeasures. Military Operations Research 7(4): 5–23.
Phimister, J.R., U. Oktem, P.R. Kleindorfer, and H. Kunreuther. 2003. Near miss incident management in the chemical process industry. Risk Analysis 23(3): 445–459.
Pidgeon, N.F. 1991. Safety culture and risk management in organizations. Work and Stress 12(3): 202–216.
Pooley, E. 1996. Nuclear warriors. Time, March 4, pp. 46–54.
Reisch, F. 1994. The IAEA asset approach to avoiding accidents is to recognize the precursors to prevent incidents. Nuclear Safety 35: 25–35.
Roberts, K.H. 1990. Some characteristics of one type of high reliability organization. Organization Science 1(2): 160–176.
Rochlin, G.I. 1999. Safe operation as a social construct. Ergonomics 42(3): 1–12.
Rochlin, G.I., T.R. LaPorte, and K.H. Roberts. 1987. The self-designing high-reliability organization: aircraft carrier flight operations at sea. Naval War College Review 40(4): 76–90.
Strauss, B., and M.G. Morgan. 2002. Everyday threats to aircraft safety. Issues in Science and Technology 19(2): 82–86.
Turner, B.M., and N. Pidgeon. 1997. Man-made Disasters, 2nd ed. London: Butterworth-Heinemann.
USNRC (U.S. Nuclear Regulatory Commission). 1978. Risk Assessment Review Group Report. NUREG/CR-0400. Washington, D.C.: Nuclear Regulatory Commission.
van der Schaaf, T.W. 1992. Near Miss Reporting in the Chemical Process Industry. Ph.D. Thesis, Eindhoven University of Technology, the Netherlands.
van der Schaaf, T.W., D.A. Lucas, and A.R. Hale, eds. 1991. Near Miss Reporting as a Safety Tool. Oxford, U.K.: Butterworth-Heinemann.
Vaughan, D. 1997. The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA. Chicago: University of Chicago Press.
Volpe Center. 2003. Improving Safety through Understanding Close Calls. Cambridge, Mass.: Volpe Center.
Weick, K.E., and K.H. Roberts. 1993. Collective mind and organizational reliability: the case of flight operations on an aircraft carrier deck. Administrative Science Quarterly 38: 357–381.
Weick, K.E., and K.M. Sutcliffe. 2001. Managing the Unexpected: Assuring High Performance in an Age of Complexity, Vol. 1. New York: John Wiley and Sons.
Weick, K.E., K.M. Sutcliffe, and D. Obstfeld. 1999. Organizing for high reliability. Pp. 81–123 in Research in Organization Behavior 21, R.S. Sutton and B.M. Staw, eds. Stamford, Conn.: JAI Press.

Westrum, R., and A.J. Adamski. 1999. Organizational factors associated with safety and mission success in aviation environments. Pp. 67–104 in Handbook of Aviation Human Factors, D.J. Garland, J.A. Wise, and V.D. Hopkin, eds. Mahwah, N.J.: Lawrence Erlbaum Associates.
Wiegmann, D.A., H. Zhang, T. von Thaden, G. Sharma, and A. Mitchell. 2002. A Synthesis of Safety Culture and Safety Climate Research. Technical Report ARL-02-3/FAA-02-2. Urbana-Champaign, Ill.: Aviation Research Laboratory, Institute of Aviation, University of Illinois.
White House. 2000. President Clinton Announces New Public-Private Partnerships to Increase Aviation Safety. Press release, January 14. Washington, D.C.: Office of the Press Secretary, White House.