Inadequate failure modes analysis

Software systemfailures were considered in Chapter 5, and also were a significant factor in the Whatcom Park pipeline accident described in Chapter 12. These are an important area of risk as software-based control systems and protection systems have become ubiquitous. The Qantas 72 incident - which by good fortune killed no one - is an excellent example of inadequate failure modes analysis. Software systems can become so complex that it is very difficult to foresee all possible failure modes. Qantas 72 is also an excellent example of the challenges posed by using smart devices where the software has been produced by a third party. Finally, Qantas 72 is also an example of the additional difficulties that arise when there is not absolute separation between control and protection systans - as becomes necessary in aircraft systems, although this separation should always be maintained in hazardous process plants. 

Process Hazards Analysis. Analysis of processes for unrecogni2ed or inadequately controUed ha2ards (see Hazard analysis and risk assessment) is required by OSHA (36). The principal methods of analysis, in an approximate ascending order of intensity, are what-if checklist failure modes and effects ha2ard and operabiHty (HAZOP) and fault-tree analysis. Other complementary methods include human error prediction and cost/benefit analysis. The HAZOP method is the most popular as of 1995 because it can be used to identify ha2ards, pinpoint their causes and consequences, and disclose the need for protective systems. Fault-tree analysis is the method to be used if a quantitative evaluation of operational safety is needed to justify the implementation of process improvements. 

This diagram presents a much-simplified version of the A330 s Electronic Flight Control System, showing its control and protection systems architecture. Because of inadequate design analysis, a particular spike" failure mode in one single air data inertial reference unit (ADIRU) was able to lead to sudden pitch down of the aircraft when in level high-altitude cruise. 

Important endpoints of ICD therapy are all-cause or total mortality (22). Surrogate endpoints such as ICD shock or sudden death are inadequate. Changing one form of death into another has little advantage. ICD shocks cannot be equated to survival benefit for an arrhythmia that may stop spontaneously or not even be life-threatening. The ICD may change the mode of death from sudden to not so sudden heart failure deaths. In any case, it can be difficult to determine the cause of death even with careful analysis of all available information. 

The analysis suggests fliat most control system failures may have their root cause in an inadequate specification. In some cases this was because insufficient hazard analysis of the equipment under control had been carried out in others it was because the impact on the specification of a critical failine mode of the control system had not been assessed. 

Other accident analysis and investigation approaches that make explicit reference to supervision as a potential causal factor include AcciMaps (Svedung and Rasmussen, 2002), which diagrams company management and technical, operational, and management failure levels, and the Incident Cause Analysis Method (ICAM) (BHP Billiton, 2001), which addresses inadequate supervision and poor supervisor or worker ratio error modes. 

Pinhole mode of polyolefin pipe failure in water distribution systems is commonly assumed to result from a sharp object impingement and attributed to inadequate installation practice. The cases of this mode of failure are investigated by direct observations of field failure combined with review of installation, service condition and stress analysis of the problem in question. 

---