Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence

Defining and Analyzing Precursors

WILLIAM R. CORCORAN

Nuclear Safety Review Concepts Corporation

History is a vast early warning system.

Norman Cousins

Wouldn’t it be nice if we could identify precursors before they “precursed” disasters? With great retrovisual acuity, experts and laypeople alike can identify the precursors to Challenger, Concorde, Three Mile Island (TMI), Davis-Besse nuclear power plant in 2002, Columbia, and other consequential adverse events.

Consider the space shuttle Challenger. We now know that every shuttle launch that included an O-ring blow-by before the Challenger explosion was a precursor to an explosion in that if the pre-launch ambient temperature had been sufficiently low the O-rings would have failed and the vehicle would have been lost.

In the case of the supersonic airplane Concorde, an examination of the accident history indicates about a half-dozen recorded precursors to the fatal encounter with a foreign object. These precursors involved takeoffs with either foreign objects on the runway or tire blowouts or both. And what about the unrecorded precursors? For instance, were there unrecorded times when Concorde took off when there was a foreign object on the runway? Might these events have been precursors, even though we don’t know about them?

In the case of TMI, we now know that every case of a stuck-open, power-operated relief valve (PORV) that occurred before the accident was a precursor to a potential core meltdown. However, before TMI, few, if any, nuclear reactor engineers would have believed that operators would fail to recognize the symptoms of a stuck-open relief valve; nor would they have believed that operators would reduce makeup flow in the face of symptoms of inadequate coolant inventory.

Has there ever been a serious, consequential adverse event that did not have precursors? Chernobyl and the Hindenburg were said to have come “out of the blue,” but did they? Would sufficient access to the history of these events reveal precursors that, had they been recognized and attended to, might have averted them? An old cowhand might ask, “Why not head them off at the pass?” That is to say, why not identify and analyze the precursors and take corrective action to prevent the downstream consequential adverse event (Figure 1).

FIGURE 1 Root cause analysis (RCA) and corrective action (CA) after identification of a precursor can prevent a consequential event.

WHAT ARE PRECURSORS?

The National Academy of Engineering workshop definition of an accident precursor is any event or group of events that must occur for an accident to occur in a given scenario. One dictionary definition (among many) is “one that precedes and indicates the approach of another.” For the purpose of this paper, a precursor is defined as a situation that has some, but not all, of the ingredients of a more undesirable situation. Thus, a precursor is an event or situation that, if a small set of behaviors or conditions had been slightly different, would have led to a consequential adverse event.

Has there ever been a consequential event, near miss, or infraction/deviation that did not have a precursor? In some sense of the word, probably not. Have there been consequential events with precursors that have been discounted, dismissed, not recognized, or not understood? Most certainly.

What Keeps a Precursor from Being a Real McCoy?

The “real McCoy” in this case is, of course, a highly consequential adverse event. When less than a real McCoy happens, the real McCoy does not occur for one of three reasons: (1) an exacerbating factor was missing; (2) a mitigating factor was effective; or (3) both. To express these three ideas as equations, we have:

{Real McCoy} = {Precursor} + {Exacerbating Factor(s)}    (1)

Equation 1 says that, if the next occurrence of the precursor includes specific exacerbating factors, a consequential event will result.

{Real McCoy} = {Precursor} − {Mitigating Factor(s)}    (2)

Equation 2 says that, if the next occurrence of the precursor situation does not include important defenses, barriers, or other mitigating measures, a consequential event will result.

{Real McCoy} = {Precursor} + {Exacerbating Factor(s)} − {Mitigating Factor(s)}    (3)

Equation 3 combines the thoughts of Equations 1 and 2.

Can Real McCoys Be Precursors?

As was recently illustrated, a real McCoy can be a precursor, too. On January 8, 2002, at St. Raphael Hospital in Connecticut, a woman was killed in an operating room when she was given nitrous oxide instead of oxygen. Three days later, another woman was killed in the same operating room in the same way, thus providing a tragic example of not learning from experience. Precursors of this type can be expressed by Equation 4:

{Real McCoy}(N+1) = {Real McCoy}(N) + {Nothing} + {Time}    (4)

This equation says that, if an adverse event is not effectively investigated and appropriate corrective action taken, the causes of the event may continue to exist. And as long as the causes continue to exist, a similar event may occur. Examples of this type include the infamous Ford Explorer-Bridgestone/Firestone episode and the tragedies of Therac-25, a radiation therapy accelerator.

Real McCoys might also be considered precursors using Equation 4a:

{Worse Real McCoy}(N+1) = {Real McCoy}(N) + {Nothing} + {Time} + {Exacerbating Factor(s)}    (4a)

An example of this was the loss of some of the crew of the USS Squalus (SS-192), which was a precursor to the loss of the entire crew of the USS Thresher (SSN-593). Both submarines sank because of loss of hull integrity. The real McCoy and the precursor are related by both Equation 4 and Equation 2, which together are captured in Equation 4a. If real McCoys are also precursors that indicate the approach of a downstream real McCoy, wouldn’t prudent people take action to head them off at the pass?

Near Misses

A near miss is a special kind of precursor (some people like to say “near hit” or “close call” for the same concept). In general, we think of a near miss as a precursor with ingredients that differ in only minor or non-robust ways from those necessary for a consequential event. For instance, when the necessary exacerbating factors are highly likely, the precursor is called a near miss. For example, running a red light in a busy intersection without causing a collision is a near miss. The exacerbating factor would have been another vehicle crossing the intersection.

Similarly, one would expect a precursor to be called a near miss if the mitigating factors were unlikely or not robust. For example, a steam pipe break that does not result in injuries because the workers happen to be at lunch when it happens could be considered a near miss. (This actually happened at Millstone Unit 2 in the mid-1990s.) The near miss concept suggests the following:

{Real McCoy} = {Near Miss} +/− {Not Much}    (5)

Many people believe that investigations of near misses should be commensurate with investigations of the corresponding averted consequential events. Thus, many shuttle launches prior to Challenger and Columbia were “secret” near misses. Some Concorde accidents before the fatal one were also “secret” near misses.
Managers and program people should be asking what kept a near miss from being worse and how close it came to being a real McCoy. Perhaps, in the cases of Challenger and Concorde, the near misses were not obvious or fully appreciated as precursors.

Unveiling Precursors

If it were known that a specific event was a precursor of an accident, people would certainly do something to avert the next real McCoy. This is almost a tautology, but it needs to be said. However, many precursors that should indicate the approach of a real McCoy are not recognized. For example, Concorde program personnel kept records of precursors involving Concorde aircraft, but apparently they did not “connect the dots” to envision an encounter with a foreign object on takeoff that could destroy an aircraft. Precursors to Challenger (O-ring blow-by) and Columbia (foam strikes) also went unrecognized.

Notice that all of the “postcursor” real McCoys mentioned in this paper were preceded by precursors that did not sufficiently indicate their approach. If the precursors had been “unveiled” for the threats they indicated, the accidents might have been averted. To unveil something is to reveal its true nature, and clearly lives, pain, assets, and careers could be saved if organizations could unveil precursors.

People unveil precursors when they make inferences from events and situations (because events and situations are not capable of implying anything on their own). One systematic approach to making inferences from potential precursor events and situations is root-cause analysis, which can be helpful in deconstructing events and situations to aid decision making.[1]

ROOT-CAUSE ANALYSIS

In applying root-cause analysis to possible precursor events and conditions, two questions must be considered: (1) how does one select events and situations as potential precursors; and (2) how does one perform a root-cause analysis on selected events and situations.

Before a precursor can be analyzed, it must be recognized as an ingredient in a recipe for dire consequences. If today’s anomaly or today’s usual practice cannot be envisioned as an ingredient in such a recipe, there is no hope that it will be unveiled or detected. For example, at Davis-Besse, a U.S. nuclear power plant, there were dozens of anomalies that were recognized, in retrospect, as ingredients in a recipe for an extended shutdown. When one anomaly is not recognized as a precursor, the failure can be explained as a narrow gap in knowledge.
But when dozens of anomalies are not recognized, one begins to wonder about programs, processes, organizations, interfaces, and, of course, safety culture. At Davis-Besse, as reported in local newspapers, there were many precursors:

- leaky control-rod drive-mechanism joints that encouraged tolerance of leakage
- boric acid deposits in the reactor vessel head area from leaks
- the presence of alloy 600, which is subject to cracking
- time, temperature, and stress
- criticism by the Nuclear Regulatory Commission (that was ignored) of the boric acid corrosion-control program
- predictions by an industry group that cracks were likely
- small cracks (not knowable directly)
- boric acid issuing from the small cracks (not knowable directly)
- difficulties in inspecting reactor vessel heads because of the design
- truncated inspections
- disapproval of proposed changes to facilitate inspections
- news of alloy 600 cracks in similar plants
- increase in rust-colored boric acid deposits
- clogging of radiation-monitor system filters
- fouling of containment air-cooler heat-transfer surfaces
- failure to do root-cause analyses of any of these anomalies
- falsified auditing of the boric acid corrosion-control program
- poor regulatory and industry oversight

[1] For Internet access to a large community of root cause analysis practitioners, as well as links, files, database tables, and other resources, see http://groups.yahoo.com/group/Root_Cause_State_of_the_Practice/.

How can events and conditions be understood as possible precursors? Equations 1–5 can be a helpful starting point. For serious real McCoy situations that match Equations 4 and 4a, such as Squalus and the first St. Raphael fatality, the root-cause analyses should include consideration of these events as precursors. There are obvious lessons to be learned, and these events should have been examined for (1) their potential for being repeated and (2) their potential of being repeated and being worse.

In the case of the submarine Squalus, half of whose crew was rescued after the vessel sank, the investigation did not focus sufficiently on the factors that had kept the consequences from being worse. Understandably so. The Squalus accident was the first time the submarine rescue system (the basis for today’s submarine rescue systems) was used. The investigation, however, did not result in advising submarine commanders to choose test sites sufficiently deep to achieve test objectives but shallow enough to avoid collapsing unflooded compartments. This is a special case of an important safety principle that tells us not to take risks in excess of those for which there is some benefit (see Corcoran [2002] for a list of the safety principles).
Accidents that are narrowly averted (near misses as described by Equation 5) should be examined as precursors, focusing on the factors that kept the consequences from being worse. It is more difficult to recognize as precursors events and situations with less obvious similarities to accidents. To assist in recognizing these, the event or situation should be considered in terms of Equations 1–3, which indicate the potential likelihood and severity of the possible accident to determine if the event should be considered for further precursor analysis.

Root-Cause Analysis of Precursors

Anecdotal experience suggests that the difference in occurrence rates between the levels of severity of accidents, near misses, compromises, and infractions is about a factor of 10 (Figure 2). Experience with root-cause analysis indicates that, as a general rule, the causes of compromises, infractions, and deviations are the same as the causes of near misses and consequential events. And, investigations of consequential events and near misses show that higher severity events include an accumulation of lower level events and causes. Hence, root-cause analyses of the precursors to accidents should help reduce accident rates.

FIGURE 2 The occurrence pyramid.

Root-cause analysis is commonly performed on consequential events, although it can also be performed on low-consequence precursors. In all cases, the analysis is based on evidence and goes deep enough to reveal important underlying issues, while ensuring that chains of influence are tightly linked and pursuing the generic implications of causes and effects.

In performing a root-cause analysis, eight questions can be applied to accidents, incidents, and near misses (Corcoran, 2002). The first two questions consider the outcome that events might be repeated or might occur as accidents. Questions 3–6 consider influences on outcomes and the factors that limited, controlled, or restricted the consequences. Questions 7 and 8 are meant to “close out” an analysis and risk reduction, which cannot be achieved without implementing corrective actions.

Question 1. What were, are, or will be the consequences of the potential precursor? Consequences are adverse outcomes of events. As defined by Equation 4, if nothing is done following an event, it may become a precursor to a similar event in the future with similar consequences. Consequences that should be examined in a root-cause analysis are the actual consequences that have accrued to date, the expected consequences in the pipeline, and potential consequences that have so far been averted by the absence of exacerbating factors and/or the presence of mitigating factors.

Question 2. What does the event mean or signify to the victims and other stakeholders? The significance of an event includes potential consequences (mentioned in Question 1) and how the occurrence of that event would impact the stakeholders.

Question 3. What vulnerabilities set the stage for the consequences? If the situation had not been set up for the event, it could not have happened. To analyze precursors, you must define “the recipe” for the consequences to occur.

Question 4. What triggers or initiates a chain of events? Vulnerability alone does not cause consequences. It takes a trigger or initiating action. For example, what were the triggers for Concorde? Some might say the trigger was a previous aircraft dropping a foreign object on the runway. Others might say it was the takeoff roll-out itself that triggered the accident. Some triggers can be considered precursors in and of themselves.

Question 5. What makes the consequences as bad as they are? In some cases, vulnerability and the trigger alone do not cause the consequences of interest. Something else exacerbates the situation, amplifying the adverse effects or continuing the damaging mechanism or the like.

Question 6. What kept or is keeping the consequences from being worse? In the vast majority of consequential events, and in all near misses, there were factors that limited, controlled, or restricted the consequences. For example, the 2002 Davis-Besse situation did not become a loss-of-coolant accident because degradation of the reactor vessel head was discovered during repair of a crack in the nozzle.

Question 7. What should be learned from the event? Answering this question determines the lessons to be learned, the factual basis of each lesson to be learned, and who should learn the lesson.

Question 8. What should be done about it? To avert the consequences of the future real McCoys indicated, suggested, or announced by precursors, corrective actions must include not only controlling the precursor behaviors and conditions, but also controlling the processes that produce them. In determining corrective actions, the chains of causation must be interrupted. The causal events relate to (1) what set up the situation, (2) what triggered the event, and (3) what made the event as bad as it was.

Tools

Several tools are available to assist in answering these questions (Corcoran, 2003a,b). For instance, to help with Questions 3–6, a Comparative TimeLine© can be used to organize data. Graphically oriented approaches, such as event and causal-factors charts, can be useful for laying out events. Staircase trees can be used to establish chains of influence. For answering Questions 7 and 8, tables and matrices can help make sense of influences. Some useful tools include: the missed-opportunity matrix, the barrier-analysis matrix, the cause-consequence matrix, the lessons-to-be-learned matrix, and the regulatory-infraction matrix.

CONCLUSION

Severe adverse events “from out of the blue” (i.e., accidents without precursors) are rare. Detailed investigations of most adverse events reveal precursors—that is, accidents have been preceded by events, behaviors, and conditions that were ingredients of the recipe for the adverse consequences. Adverse events that seem to come out of the blue are events whose precursors were not recognized.

The ability to recognize precursors and respond appropriately is a very valuable organizational skill—especially the ability to identify or unveil precursors. Unless the precursor nature of an event, behavior, or condition is recognized, it is not likely to get much attention. Almost as important as unveiling precursors is recognizing the generic implications of events (if this happened [or existed], what else could one expect?).

Organizations must prioritize precursors. Addressing precursors that are departures from regulatory requirements must be a high priority. Precursors that constitute immediate threats to life or health must also be attended to promptly. Precursors that may be ingredients of complex accident recipes whose outcomes are not fully understood are harder to prioritize.
Suffice it to say that prioritizing precursors is not a trivial task. Clearly, it would be helpful if adverse events were reported transparently so the fragility of a situation implied by cumulative precursors could be understood. TMI, Challenger, Concorde, Columbia, Davis-Besse 2002, the Millstone regulatory shutdown, and other events may well have been averted if the fragility of the situations that led to them had been known to accountable individuals.

REFERENCES

Corcoran, W.R., ed. 2002. Firebird Forum 5(7). Available online at http://groups.yahoo.com/group/Root_Cause_State_of_the_Practice/.

Corcoran, W.R. 2003a. The Phoenix Handbook. Windsor, Conn.: Nuclear Safety Review Concepts Corporation.

Corcoran, W.R. 2003b. Firebird Forum 6(1). Available online at http://groups.yahoo.com/group/Root_Cause_State_of_the_Practice/.