Big Chemical Encyclopedia

Chemical substances, components, reactions, process design ...


Component interaction accidents

The Mars Polar Lander loss is a component interaction accident. Such accidents arise in the interactions among system components (electromechanical, digital, human, and social) rather than in the failure of individual components. In contrast, the other main type of accident, a component failure accident, results from component failures, including the possibility of multiple and cascading failures. In component failure accidents, the failures are usually treated as random phenomena. In component interaction accidents, there may be no failures and the system design errors giving rise to unsafe behavior are not random events. [Pg.8]

Consider another example of a component interaction accident that occurred in a batch chemical reactor in England [103]. The design of this system is shown in figure 2.1. The computer was responsible for controlling the flow of catalyst into the reactor and also the flow of water into the reflux condenser to cool off the reaction. Additionally, sensor inputs to the computer were supposed to warn of any problems in various parts of the plant. The programmers were told that if a fault occurred in the plant, they were to leave all controlled variables as they were and to sound an alarm. [Pg.9]

This systems approach treats safety as an emergent property that arises when the system components interact within an environment. Emergent properties like safety are controlled or enforced by a set of constraints (control laws) related to the behavior of the system components. For example, the spacecraft descent engines must remain on until the spacecraft reaches the surface of the planet and the car deck doors on the ferry must be closed before leaving port. Accidents result from interactions among components that violate these constraints—in other words, from a lack of appropriate constraints on the interactions. Component interaction accidents, as well as component failure accidents, can be explained using these concepts. [Pg.67]

In the traditional causality models, accidents are considered to be caused by chains of failure events, each failure directly causing the next one in the chain. Part I explained why these simple models are no longer adequate for the more complex sociotechnical systems we are attempting to build today. The definition of accident causation needs to be expanded beyond failure events so that it includes component interaction accidents and indirect or systemic causal mechanisms. [Pg.75]

Component interaction accidents can usually be explained in terms of incorrect process models. For example, the Mars Polar Lander software thought the spacecraft had landed and issued a control instruction to shut down the descent engines. The captain of the Herald of Free Enterprise thought the ferry doors were closed and ordered the ship to leave the mooring. The pilots in the Cali Colombia B757 crash thought R was the symbol denoting the radio beacon near Cali. [Pg.88]

In general, accidents often occur, particularly component interaction accidents and accidents involving complex digital technology or human error, when the process model used by the controller (automated or human) does not match the process and, as a result ... [Pg.88]

Section 4.3 stated that effective control is based on a model of the process state. Accidents, particularly component interaction accidents, most often result from inconsistencies between the models of the process used by the controllers (both... [Pg.95]

In chapter 2, it was stated that many accidents, particularly component interaction accidents, stem from incomplete requirements specifications. Examples were... [Pg.218]

The increasing use of software in most complex systems complicates the situation further. Much or even most of the software in the system will be new and have no historical usage information. In addition, statistical techniques that assume randomness are not applicable to software design flaws. Software and digital systems also introduce new ways for hazards to occur, including new types of component interaction accidents. Safety is a system property, and, as argued in part I, combining the probability of failure of the system components to be used has little or no relationship to the safety of the system as a whole. [Pg.320]

As in other component interaction accidents, there were no physical failures involved. If, as in figure C.2, we draw the boundary of the physical system around the wells, the public water system, and public health, then one can describe the cause of the accident at the physical system level as the inability of the physical design to enforce the physical safety constraint in the face of an environmental disturbance, in this case the unusually heavy rains that resulted in the transport of contaminants from the fields to the water supply. The safety constraint being enforced at this level is that water must be free from unacceptable levels of contaminants. [Pg.499]

For analyses of component interactions see John Hoehn. The Benefit-Cost Evaluation of Multi-Part Public Policy: A Theoretical Framework and Critique of Estimation Methods. Ph.D. Dissertation, University of Kentucky (1983) and William F. McFarland, Lindsay I. Griffen, John B. Rollins, William R. Stockton, Don T. Phillips, and Conrad L. Dudek. Assessment of Techniques for Cost-Effectiveness of Highway Accident Countermeasures. Federal Highway Administration Report FHWA-RD-79-53. January 1979. [Pg.106]

The addition of trichloro- or tetrachloroethylene to aluminium components in dry cleaning equipment is responsible for many accidents. The effect of the carbon tetrachloride/methanol mixture in the 1/9 proportion of aluminium, magnesium or zinc causes the dissolution of these metals, whose exothermicity makes the interaction dangerous. There is a period of induction with zinc, which is cancelled out when copper dichloride, mercury dichloride or chromium tribromide is present. [Pg.277]

Accidents in chemical plants are usually the result of a complicated interaction of a number of process components. The overall process failure probability is computed from the individual component probabilities. [Pg.474]

This safety audit is used for identifying inputs and material flows, processes and intermediates, and final products - but with special attention paid to human-material/process/equipment interactions that could result in (a) sudden and accidental releases/spills, (b) mechanical failure-based injuries, and (c) physical injuries - cuts, abrasions, and so on, as well as ergonomic hazards. Additional sources of adverse effects/safety problem areas are records/knowledge of in-plant accidents/near misses, equipment failures, customer complaints, inadequate secondary prevention/safety procedures and equipment (including components that can be rendered non-operable upon unanticipated events), and inadequacies in suppliers of material and equipment or maintenance services. [Pg.497]

Regular, systematic inspections coupled with an adequate maintenance program enhance the safety of all operations. However, only trained personnel who are aware of the hazards associated with malfunctions of the equipment should be permitted to work on low-temperature and related systems. Numerous accidents have occurred as a result of repairs made by personnel who are not familiar with hazards associated with the cryogenic fluids and the interactions of these fluids with their surroundings. A safe plant or test facility can be completely destroyed by the replacement of one component incorrectly. [Pg.99]

The fuel consists of a series of UN pellets that are a total of 52 cm in length and 0.91 cm in diameter. These are capped by 5 cm of BeO to act as an axial reflector. There is a gas plenum on the top of the pin to allow for fission product gas build up. A layer of rhenium acts as a liner for the fuel pin to prevent interaction between the Nb1Zr cladding and the UN pellets and also acts as a thermal neutron absorber in accident cases as discussed later. The Nb1Zr end caps appear large in this Figure but their purpose is to simulate other components like the connectors that attach the fuel pin to a grid plate. [Pg.32]

Accidents like the Mars Polar Lander or the British batch chemical reactor losses, where the cause lies in dysfunctional interactions of non-failing, reliable components—i.e., the problem is in the overall system design—illustrate reliable components in an unsafe system. There can also be safe systems with unreliable components if the system is designed and operated so that component failures do not create hazardous system states. Design techniques to prevent accidents are described in chapter 16 of Safeware. One obvious example is systems that are fail-safe, that is, they are designed to fail into a safe state. [Pg.10]

The new model of accidents introduced in part II of this book incorporates the basic systems theory idea of hierarchical levels, where constraints or lack of constraints at the higher levels control or allow lower-level behavior. Safety is treated as an emergent property at each of these levels. Safety depends on the enforcement of constraints on the behavior of the components in the system, including constraints on their potential interactions. Safety in the batch chemical reactor in the previous chapter, for example, depends on the enforcement of a constraint on the relationship between the state of the catalyst valve and the water valve. [Pg.64]



© 2024 chempedia.info