Appendix F
Causal Tree Analysis of December 3-5, 2000, Event at JACADS
A standard tool in reliability analysis, the causal tree or event tree is particularly useful in analyzing incidents to which operator actions contribute either positively or negatively. The committee recognizes that such trees are designed at the discretion of the analyst and should not be construed as reflecting scientific certainty. Therefore, Figure F-1, the causal tree for the December 3-5, 2000, event at JACADS, is provided for illustrative purposes. This analysis suggests that the incidents examined by the committee grew from normal activities into potentially dangerous events.
The activities charted can be categorized as ranging from normal operations through system response. In addition, some can extend back in time before the occurrence of the incident, e.g., latent failures.
-
Normal tasks—tasks that the system was attempting to accomplish before the adverse event occurred. Examples are maintenance and operations.
-
Latent failures—conditions present in the system for some time before the incident, but evident only when triggered by unusual states or events. Examples include equipment design deficiencies, unexpected configurations of munitions, or routine ignoring of standard operating procedures.
-
Active failures—events before which there were no adverse consequences and after which there were. Active failures are usually the result of personnel decisions or actions. These same actions may have resulted in safe outcomes on previous occasions, but in the incidents examined by the committee, such actions combined with latent failures to cause some adverse consequences. Examples of active failures include use of the wrong procedure, incorrect performance of an appropriate procedure, or failure to correctly and rapidly diagnose a problem.
-
Immediate outcome—the adverse state the system reached immediately after the active failure. Examples are release of agent, plant damage, or personal injury. Reporting and investigation flow charts supplied by the Army indicate that the severity of outcome often determines the incident’s prominence for managers, the workforce, or the local community, which in turn drives subsequent responses. Incidents with more salient outcomes naturally receive more scrutiny, which may bias the data set used for analysis.
-
System responses—actions taken to correct the effects and anticipate the aftereffects of an adverse outcome. Following each event, however, there is a system response that also needs to be analyzed. How did the system for incident response function? How did the management act to improve safety? Was an exposed worker properly treated? Were communities notified appropriately? How did the plant return to a normal state? How rapidly did it return? Finally, how was the system changed in light of the incident? This stage of analysis is considered in Chapter 4.