You are on page 1of 19

Causal Factors Analysis (CFA) Process Improvement

DOE Facility Representative Conference

May 14, 2008 Richard S. Hartley, Ph.D., P.E.

Overview
What is an HRO How Organizational Accidents Happen Basis for Causal Factors Analysis (CFA) CFA to Understand the HRO

Framing Importance of Problem


A High Reliability Organization (HRO) is one in which in spite of the fact that it deals with hazardous, high consequence operations, does so successfully
Pantex by its mission must be an HRO

A key attribute of being a HRO is to learn from the organizations mistakes


Causal Factors Analysis (CFA) key tool to learn from events that occur when HRO efforts fall short

HRO Practices
Systems accidents can be avoided by proper organizational design and management

Manage the System, Not the Parts


Reduce Variability in HRO System Foster a Culture of Reliability

Learn and Adapt as an Organization

CFA
4

As-Is CFA Process

As-Is Points of Weakness


Understanding of theoretical fundamentals of HROs and CFA weak No documented CFA process flow expert-based

CFA tools inconsistently used and purpose not understood


CFA process did not consistently identify the actual event causal factors HPI treated as an add-on/afterthought to CFA investigations CFA process did not result in consistent quality* Judgments of Need CFA process did not result in consistent quality* Lessons to be Learned No feedback process from CFA to HRO programs No standardized CFA investigation report format No established CFA investigation report evaluation criteria Credibility of CFA investigation results not the most stellar
* Quality defined as explicitly tied to significant causal factors

Organizational Causes of Accidents


(when the HRO breaks down)

Event

Failed Defenses/Barriers Defenses/Barriers

Existence of fail, and knowledge If barriers unsafe of barriers important to HRO act could result in Event

Many unsafe acts


Active failures

Unsafe acts

As a result of stress, worker cuts corners As a result, stress in workplace Company commits to too much work

Local workplace factors


Latent Conditions

Organizational Factors

* Adopted from Reason, Managing the Risks of Organizational Accidents, Figure 1.6 7

Information Rich
People do what they have done before People do what they see others do Behavior is a function of consequence Behavior is a function of structure Reinforcement increases frequency Null consequences are reinforcement for dysfunctional behavior
Bill Corcoran

There is just as much information about organizational weaknesses in the event to the left as there is in the accident on the right.

There is no need to wait for the big one conduct a CFA investigation for information rich opportunities!

Causal Factors Analysis to Determine Organizational Weaknesses*


Causal Factor Analysis

Event

Causal Factors Analysis starts with the low consequence, information-rich event and separates WHAT happened from WHY it happened. This allows us to drill down to find the: 1) Flawed defenses

Failed Defenses/Barriers

2) Active failures (unsafe acts) 3) Human performance error precursors

What

Active failures

Unsafe acts

precursors

Local workplace factors


Latent Why Conditions

precursors

4) Latent conditions (local workplace factors & organizational factors).

Organizational Factors

precursors

* Adopted from Reason, Managing the Risks of Organizational Accidents, Figure 1.6 9

Causal Factors Analysis


(Focuses on separating distinct portions of the Operate/Err/Learn/Repeat Cycle)
Event Recognition Investigation

Analysis

Corrective Actions

OR

Repeat Event

Learn

Verify

10

Draw a Line Between the Event and the Analysis


Investigation Analysis

What happened.

Why we imagine it happened.*


i.e. finding factors that effect consequences

Analysis is always tainted by prior experiences and beliefs, building upon a faulty investigation assures the analysis will not be relevant to the workforce.
* Dekker, Ch 13, Rules From in the Rubble.
11

Pantex CFA Charting


Step 1 Initial Conditions what we were planning, expecting, assuming, or hoping Step 4

Causal Factors
Hundreds of things that werent perfect

Step 3

Key factors that matter

Step 2 Final Event & Consequence what actually happened

Distance

Routine Ops Event

Time
12

Causal Factors Analysis Chart

13

Initial Conditions
Need for Work Platform around CNC machine in Bldg. 12-68 to improve safety of worker Work Request submitted to Work Management Center to design, fabricate and install a work platform in Bldg. 12-68. Process in Place to Request Penetration Permits (WI 02.01.01.05.23) Penetration Process Required LO/TO of Identified/Known Energized Circuits within 6 inches of Penetration. (WI 02.01.01.05.23)

BWXT Pantex CFA Chart 12-68 Electrical Penetration Event


Lost sight of installation since focus was on the fabrication of the platform. Fabrication and installation combined into the same task (5 task steps for fabrication, 1 task step to install). Fabrication of platform overshadowed installation. Structural was the primary focus and no electrical disciplines were involved in the walk down.

Facility/utility electrical drawings were not used in the planning process. JON 4 Upon initial walk down, a thorough scope of the project was not recognized. Did not perceive the electrical hazard.

Focus on structural, therefore, did not consider electrical. Work Management Center verbally (PX-4776 not submitted) requested engineering to provide structural platform design only.

Electrical distribution in the floor was not considered or included in the engineerings design as part of the installation and potential interference. JON 2 Use of hazards analysis checklist is informal. Process for initial and updates prior to finalizing work plans is informal. JON 7 Planner Hazards Awareness Training does not include visual recognition of the presence of imbedded electrical. JON 6 Safety Gram was not Implemented in a timely manner into governing procedures or JSHA. NOTE: No formal read and sign for this Safety Gram.

Job Planned & Approved without Electrical Hazards Identified (A) 3/6/07 A complete hazards analysis was not included in the work package as per WI 02.06.04.02.03.

Pre-HA was only partially used as evidenced by lack of controls flowed down to the work package, (e.g., electric drill stop identified but not implemented)

For this project, a draft Pre-HA was used in lieu of the PX-5110, as required by Planners Handbook. It should be noted that the Planners Manual still requires form PX-4772, which is now completed by Craft Supervisor.

Requirements of Safety Gram dated 04/25/06, specifically for electric drill stop, not included in work package.

No formal policy governing Safety Grams and the requirement to incorporate into procedures/JSHAs within a set period of time. JON 9 The focus of the work package scope emphasized fabrication and did not identify electrical hazards. There is not a documented decision tree that would tell Safety which job to walk down. (Not a formally documented process) JON 5

Safetys approval of Work Order did not contribute to hazards identification. (Required per procedures) Work Authorized without Implementing Controls associated with Electrical Hazards (B) 3/12/07 Craft Supervisor did not identify and/or implement controls for electrical hazard.

Safety did not walk down project and did not complete a Pre-HA. (Not formally required per procedures)

Based upon electronic review of the work package, complexity of job did not require a walk down and Pre-HA. (Not formally required per procedures)

PX-4771 completed by Craft Supervisor did not identify the electrical hazard or penetration work.

Work Order Package did not identify the electrical hazard The PX-4771 was a pre-canned form, replicated from previous project.

Incomplete Hazard Analysis during planning (see planning) Convenient and common shop practice.

JON 4, 6 & 7

Walk-down prior to initial authorization not performed. JON #11 Didnt recognize electrical hazards (see above) Craft Supervisor did not implement controls for electrical hazard Mandatory control to use electric drill stop not included as a control per 4/25/06 Safety Gram. JON #9 Though aware of Safety Gram, understood battery powered drill to be double insulated and afforded protection. (Facilitative assumption) Use of electric drill stop not specified in Work Order Package. JON #5 Boiler Shop didnt have a electric drill stop readily available.

Penetration Permit Requested, Processed, and Issued - Utilities Misidentified (Utilities not Identified yet Penetration Permit Indicated No Utilities in Area (C) 3/26/07 Requested 4/3/07 Handed to Crafts
NDE Issued the Penetration Permit to the Crafts vs. the Utility Locators without Utilities being located. Contrary to WI 02.01.01.05.23.

Based on review of approved work package, and prior to penetration permit issued, work authorized. JON 11
NDE was unaware of WI 02.01.01.05.23 and their role/responsibility with regards to location of utilities was not proceduralized, consequently NDE checked for ferrous metals only, not utilities. JON 1 & 10

Presumed work package adequate - to identify hazards and required controls. Assumed based on past successes would assure future success. Presumed existing the penetration permit process would adequately identify utilities.

Past Practice since 1996, to perform ferrous metal (rebar) scan without procedures.

When NDE began locating rebar for lightning bonding in bays/cells.

In-process Feedback Concerning Electrical Hazard not Incorporated (D) 4/3/07

Shop Coordinator sent permit to NDE, contrary to WI 02.01.01.05.23.

Utility Locator sent the signed and numbered PX-2872C to Shop Coordinator, contrary to WI 02.01.01.05.23. Current process instituted by Utility Locator Group, gave verbal direction for Planner/ Coordinators to obtain Penetration Permit from NDE for Craft work.

To avoid potential grievance in 2006 acquiesced and allowed NDE to permit all Craft work plant-wide. Practice instituted for Craft work in Zone 12 South in MAA in 2001 was propagated for crafts Plantwide in 08/ 2006. Practice instituted for Craft work in 2001 in Zone 12 South MAA. Change in process was not formally evaluated, documented, and reviewed by all parties and approved by management. JON 1

Utility Locator and NDE Management were not aware of the process change instituted by the Utility Locator SME.

Management oversight and assessments from 2001 to present did not identify the inadequacies of the changes instituted in 2001. JON 8

Utility Locator Group believed that all imbedded utilities would be in ferrous metal, therefore, NDE was identifying everything they (Utility Locator group) could, and there was no need to duplicate effort.

Facilitative assumption by Utility Locating Group concerning NDEs capabilities and their role. JON 10

NDE does not update Part B of PX-2872C and they do not check for utilities. Part B defaults to 0 per database. PX-2872C, Part B, indicated 0 for all utilities, which lead the Craft Workers to assume there was no electrical hazard. JON 1 Permit was signed by NDE and Utility Locator, which at prima facie reads concurred by and issued respectively. NDE Supervisor signature based on past practice (not proceduralized) to represent no radiological hazard and authorization to scan Utility Locator informal practice was to generate the form, assign permit number, sign, and return to requester (coordinator). This is contrary to WI 02.01.01.05.23.

Crafts drilled into 12-68 concrete floor 4/17/07

Initiating Event

Utility Locators issued the Penetration Permit using computer generated form indicating no utilities were in the area (with no research on utilities or utility survey as required by WI 02.01.01.05.23).

Consequence

Final Event
Safetys recommendations to Planner (after 04/03/07) to use electrical drill stop and de-energize circuit from subsequent walk down was not included in the work package, via PX-3170, initially issued 3/12/07. Safety did not document as part of their hazards analysis for incorporation into the work package. (Not a formally documented process.) JON 5 Misunderstanding of project status thus, verbal/informal information was lost. Because Safety assumed project was in the initial planning and their comments would be included in the final work package. Planner verbally communicated to the Craft Supervisor rather than update the PX-3170 or work package. (Per WI 02.06.04.02.04) JON 3 The Craft Supervisor did not document because he did not recall the discussion after the fact.
File: K/12-68 Investigation/CFA Report/12-68 CFA Chart.vsd

Craft Workers contacted an uncontrolled energized circuit

Circuit damaged, breaker tripped.

Hit energized circuit

Direct Cause

Verbal communication between Planner and Craft Supervisor was informal and neither updated the PX-3170.

14

Using Causal Factors Analysis to Evaluate the Effectiveness of the HRO*


Causal Factor analysis

Event
Finally, as part of the lessons-learned the Use the organizational necessary changes in HRO causal factors to (HPI) initiatives are made to determine which HRO improve the organizational attributes need response or behaviors. improvement
Factor Factor HRO HRO Normal Normal Org Org

Failed Defenses/Barriers
Active failures

Unsafe acts

precursors

Manage Manage System, System, Not Not Parts Parts Reduce Reduce Variability Variability Culture Culture of of Reliability Reliability

XX

Local workplace factors


Latent Conditions

precursors

X
X XX

X X

Organizational Factors

precursors

Org. Org. Learning Learning

* Adopted from Reason, Managing the Risks of Organizational Accidents, 15 Figure 1.6

Timeline
Jul Joint Px- AWE HRO Mtg. Sep Joint Px-AWE Safety Culture Mtg. Feb Px HRO-CFA Seminar Kick Off Nov B&W Px HRO/CFA presented at B&W Corporate Safety Summit. Mar - Jun Px HRO-CFA Seminars Nov ISM Workshop presented Px CFA & Safety Culture

Feb 1/1/2007 Jan LOTO CFA Prather

Mar

Apr

May

Jun

Jul

Aug

Sep

Oct

Nov

Dec

Jan

Feb

Mar

Apr

May

Jun

Jul 7/31/2008

Apr TSR Fire System CFA Bivens

Jun 12-68 Electrical Penetration CFA Kennedy

Aug 12-41 Hydrostatic Testing CFA Mairson

Dec 16-12 Shoring Box CFA Ailes

Jan 12-44 Loss of Zone Coverage CFA Meyer & Ailes Mar Published HRO & CFA Texts Rev #3 Jun B&W Publish HRO Guide & CFA Manual

Jul Published CFA Internal Manual Rev #1

Nov Published HRO & CFA Texts Rev #2

16

Control
Rev 3 Rev 2

Practical guide to implement high reliability concepts. Provides foundation for B&W Pantex CFA process. Contains: High Reliability Theory

Normal Accident Theory


Systems knowledge and organizational learning

HRO Text Vol 1 Theoretical Foundation

How organizational accidents occur and how to investigate them Ties CFA as feedback to HRO

17

Control
Rev 3 Rev 2

CFA Guide Vol 2

Guide to conduct high quality & consistent CFA investigations to obtain root causes and understand organizational contributors. Contains: Tools with explanation of why needed Step-by-step process for each tool Explanation of how to use tools with examples & templates to ensure consistency of use Method to interpret results and provide feedback to HRO Provides outline for report & criteria for evaluating quality

18

Conclusion
Stronger understanding of theoretical fundamentals of HROs and CFA Documented and validated CFA process flow

CFA tools consistently used and understood


CFA process consistently identifies event causal factors HPI fully integrated into to CFA investigations CFA process results in consistent quality* Judgments of Need CFA process results in consistent quality* Lessons to be Learned CFA provides feedback to HRO programs Standardized CFA investigation report format Established formal CFA investigation report evaluation criteria Increased credibility of CFA investigations
* Quality as defined by meeting expectations of Plant Mgt and Customer
19