Management oversight and risk tree mort analysis

CHAPTER10

Tree Analysis Fault Trees and Analytic Trees

In tree analysis, investigators use a graphic display of information to deductively analyze a human, equipment, or environmental system and determine paths to failure or success. Tree analysis identifies the interrelationships that led to the accident and helps to develop causal factors (Department of Energy 1999). Trees have been used in industry and government for many years in many different capacities. Two basic types of trees are used for accident investigations-fault trees and anafytic (developed) trees. Fault trees show the actual events of the accident, and they grow as events leading up to the accident are discovered. Analytic trees are used to compare the accident situation to a tree developed before the accident happened-usually one based on an ideal situation. Examples of analytic trees include Management Oversight and Risk Tree (MORT), Project Evaluation Tree (PET), and system flowcharts.

Trees can be used in a variety of ways-as planning tools, in accident investigation analysis, in causal analysis, in project evaluation, and in quantitative analysis. In all of these applications, trees use deductive reasoning-they start witb a general "top" event and continue down to specific causes. (Stephenson 1991)-Exhibit 10.l illustrates the tree structure.

103

, ::;rut>£ 'i:fi CT - z

Part Ill: Anol;•tzral Tecb111q11es

104

Exhibit 10.1 TREE STRUCTURE

General

Specific

About Tree Analysis

Three categories of trees are used to analyze various types of problems:

• fault (negative) trees

• positive trees

• analytic (developed) trees.

These categories are illustrated in Exhibit 10.2.

Fault (Negative) Trees Fault tree analysis was developed for the U.S. Air Force in 1962. Faulr trees

' ' i•to are used qualitatively to determine failures in a system and quanutaave l

bl I t S)'Srems, for determine failure rates. They are generally used to trou es 100

h d • . . • · · (St phenson 199!). azar (nsk) analysis, and for accident mvest1gat10ns e

Positive Trees I . formation to

Positive trees display a system graphically-from genera rn ,s tern; • , , I vay to map S) · specific information. Creating an positive tree ts a use u ' ' . . . ccs cin

. I · Posrttve lf components or provide information with a quick grap ,re.

i

I •

This is O classic fault tree.1d\ .1 manual alarm clock cou . a, in three ways-the clock ,s faulty. the owner forgot to wind it or the owner forgot to set it. II any one of thes1; faults occurs, the clock w,11 far/.

IES OF ANALY11CAL TREES

POSITIVE TREE

Run a marathon

This example of a positive tree shows that in order for on overoge person to run a marathon, he or she must troln and be injury-free. Training means running long and short runs each week; staying Injury-free means stretching and eating healthy food,

ANALYTIC TREE (MORT)

Supervision less than adequate

(LTA)

Did not detect/correct

hazards Performance

errors

This Is an example of a portion of a topic for "supervision less than adequate• (LTA), Questions are asked to determine whether eoc/J circle or rectangle Is LTA. For each rectangle, more ques tions are asked, --------------------

IO!i

P,,rt Ill: A na/yhral Ttchniq11es

106

be developed early in the planning and d • es,gn Sta

an accident occurs, and then used as anal . ges of a S)• yuc trees if Stelll

accident occurs later by comparing the fai!u . and \Vhe • b,r0 r e or acc1d n a fail r, (Stephenson 1991). ent to the 1 lire 0, P •nn,d Analytic (Developed) Trees

tr,, MORT, PET, and systems flowcharts are ex 1 . amp es of ana] ti

MORT is a safety system approach devel d y c trees. ope by Bil]

Department of Energy in the 1970s and used . J 0 hns0 , extensive! • n •or th 1980s. It was developed as a proactive system safe t Y 10 the 1970 ' 'd . . . wn..:i . . ty oolandw I 'and aca ent tnvesnganon. w ,we 1t 1s still a viabl .d as ater . e acc1 ent in . l!sed; tool, there 1s a shortage of individuals who kn h Vest,gati0 n a 0' ow ow to use . naiys~ an excellent tool to use after o ther analysis te h . It Proper! , 1 . . c ruques have b ). t IS to venfy that all areas have been properly m · . een compJ

vesugated 0ohn " '

orce as a approach that was simpler to learn and use th MO structured tt

an RT (Stephenson ,, Other types of structured trees such as !JSfe fl h 1991).

, - , ms owe arts, can be us a syseem s structure graphically. For accident • . . ed to sho,,

mvesugauons an i . uses the tree to trace back through the system d find ' nvesngaror

an faults .

The Fault Tree Approach

The fuse seep in constructing a fault tree is to determ· h . . _ . 1ne t e top evem.

For acadent mvesnganons, the top event is the accident · · d , tnJury, or amage that occurred (Hammer 1993) . Events that had to happen in order for the accident to happen are listed on the next tier of the tree. Causal factors- fixable siruations or correctable areas-are on the bottom tier of the tree. The corrective actions the accident investigator recommends will be geared to fixing these problems.

Symbols and gates are part of the fault-tree diagram. The mosr common tree symbols and gates are illustrated in Exhibit 10.3. Since the purpose of this chapter is to describe how trees can be used in accident investigations co

Chapter 10: Tree A nalysis

fault tree analysis methodologies and symbols that al factors, di d . e ,nos, _ - vestigation are not scusse .

t1ettf111u1 ' to ncCident 1Il . - 0, ,ppl) . ediate" events m fault-tree termmology. Failures Jo fl re "1nterm . .

,vents a . all diagramed under tntermediate events. Under each fop are logic, Y . . .

,,esses h e may be other intermediate events (intermediate J- . ~mt~ ... 11edcace . be discovered as the mvesngauon goes on), basic iitrt'fl conunue to . cs n1'Y that stop the chatn), undeveloped events (events that ,.-en al factors . .

. 0cs (caus .al bout which not enough 1s known to conunue the tree), ,,t enn or a ;0coosequ ( nts that are normally expected to occur). For example aJt _ 1 events eve ,

,0,1er<1"' din a hole and broke his leg, the broken leg is the top o 1 yee steppe ;rane01P0 , 5

next tier of events includes the intermediate events "hole 'fhe rree . · "G · c __ L ereoc. " d "employee not paying attenuon. omg a step uu mer leads

[10,guarded an the answers to questions like "Why was the employee not b ic " 'eots-- d d," Th · · co as • ;, Why was the hole not guar e . e mvestrgator must . attenuon.

p,png f the accident scenarios in order to structure an accurate, fully ,oaly1e all 0 dereloped analytical tree. . ..

· a fault tree are logically directed through gates (see Exhibit 10.3). Alleveots 10 d" means that all outputs must occur. For example, if the top event lee "an gate

'. ding an e-mail, then to make that top event occur, the computer must be ': 00 AND it must be connected to a phone line. Other things may have to cum fth dfircil An"" th 1,,ppen as well, but both o ese must e te y occur. or gate means at if anv one of the events on the second tier happens, the top event will happen. Foe ~,ample, if the top event is making a million dollars, then to make it occur )1lU could be a professional athlete OR win the lottery.

Once you determine the top event, the next step is to start tree construction. The uee construction steps for an accident are:

I. Define the top event (accident, injury, or damage).

2 Investigate the accident. (Learn about the system, the management structure, the accident, etc.)

3. Construct the tree. (Work from the top down asking why the top event occurred.)

l. Develop causal factors. (The basic events-the boetom tier of the tree- are causal factors.)

Pa11 Ill: A•alJliral T«bRiqm

The Analytic Tree Process (Using MORT for Validation)

It is probably better to use MORT as a method of valid . . . . . th . . •ling •noth

im·esnganon techruque an to use It as your pnmary techni ue er t}'Pe of to ensure that you did not nuss an area that should have b! ·. It can help and that the proper causal factors were determined If yo n 1nvestiga1'1J . . u consult th ' chart and find that some areas were nussed, the investigati e »!OR1 . . . . on can con . your invesnganon has been thorough, It will not take you Ion t tlnue. lf the MORT chart. g o cornple,,

Example Scenario

Once again using the forklift-ladder accident, part of a tree that al thi .d . ill d . could be used to an yze s aca. ent 1s . ustrate m Exhibit 10.7. The top event

is the warehouse supervtsor falling off the ladder. The next level is the forklift hitting the ladder, and the next is three ways that a forklift could hit a Ladder. The investigator asks questions about these three reasons to arri,..c at the bonom tier-basic events or causal factors: "Why did the warehouse supenisor not communicate what he was about to do to the supervisor of the night shift? Was his failure to communicate a training issue, or did he just decide to disregard the procedures? Why was the forklift traveling ,ith an obstructed view?" If the accident investigator docs not know the answers to these questions, he or she must interview witnesses, obtain documents, or perform tests to find the answers.

\14

Chapter 1 O: Tree Analysis

. 7 E PROCESS FOR SCENARIO EXAMPLE

Part l/l: A nalytical Ttchniq11es

Summary

Many techniques are used in tree analysis . Each techni que works b for some rypes of investigation than for others, and some tech . etter

. r f . . . mques ar inappropnate ,or some rypes o mvest1gat1ons. The ma1·or b fi e ene u of us· tree analysis is that trees are, for the most part, structured eas t mg . , Y o create and easy to understand. You will be able to use one or more of thes h .' e tee mques to investigate almost every accident you encounter. (Please see th A . e ppenclix for a sample Analyncal Tree Flowcharr.)

REVIEW QUESTIONS

1. Which type of gate requires that all outputs must occur?

2. What are the three categories of tree analysis? Briefly describe each.

3. What Is MORT?

4. What are the steps of tree construction? s. Continue the analytic tree process for the example scenario (Exhibit 10.7),