This study explored the proportion of accidents that have design as a primary causal factor in aviation, nuclear and rail. Specifically, it sought to test the claim that 60% of accident causes arise from the design stage.
Note that it’s not a systematic analysis, nor the latest data, but interesting nonetheless.
For methodology, when the report mentioned design was a “root cause” this was taken as adequate evidence. When the report didn’t give root causes or didn’t directly mention design, a judgement was made based on the data.
As background they discuss the difficulties of assigning causes and of identifying root causes. Their definition of a root cause is “a condition which is necessary for an accident [and] if it had not been present, the precise accident would not have happened” (p33).
Deciding which factors are “causes” or contributing factors requires a lot of judgement since these things are “rarely clearcut”. It is further difficult to draw clear lines between design issues and non-design issues with regard to operational procedures; e.g. the design of an aircraft is considered to include operating procedure manuals but not all investigations will make this link.
They discuss a report published by the UK HSE, which concluded from a range of accidents that 44% involved inadequate specifications and a further 15% involved inadequate design and implementation. The current authors question this distinction and argue that both categories count as design, since specifications embody various design assumptions.
Hence, the HSE report supports the ~60% of accidents involving design.
Then they discuss a Boeing report which analysed a range of aviation events. This report considered only the design of the aircraft, not operating manuals, and put the contribution of design at 20%. If design is considered holistically, the Boeing report also supports a summed contribution of design across all aviation systems of close to 56%.
Then they talk about investigation stop rules. Inferring design factors can be challenging since some reports don’t mention design at all, and others take more of a legal/culpability lens aimed at allocating blame.
A stop rule “determines when to stop further analysis, since no-one has unlimited resources for such analysis” (p36). Analysis often stops once blame has been placed on a person. They further note that blame may be more pronounced “particularly in a ‘mature’ operational system where the system as designed has appeared to work safely for some time” (p35); that is, the system is taken to be inherently safe and it’s those pesky people that push it over the edge.
Results
Key findings are that design had a primary basis in the accident genesis in 51% of aviation cases and 46% in nuclear – similar to the 60% claim. Rail was more difficult to lock down.
Aviation
Data here was based on analysis of 35 fatal aviation accidents. They chose fatal accidents for the depth of available information, while noting that there’s little reason to believe design wouldn’t play a similarly significant role in non-fatal accidents.
The aviation system included design of the aircraft, design of ATM systems or design of the airport.
In 15 cases aircraft design was implicated, in 2 cases airport design was implicated, and in 1 case ATM design was implicated.
Nuclear
Of 13 incidents, design was implicated in 6 (46%). They note “Similar to aviation, in most cases nuclear incidents cannot be attributed to a single cause” (p39).
Rail
Their data sample couldn’t establish statistically valid conclusions about the proportion of rail accidents involving design. However, they note that the data does show a link between design and some major rail accidents.
Discussion
Next they discuss the findings. The current data supports the HSE report and also the data from Boeing on the proportion of accidents having a strong or primary basis in design factors.
They discuss key findings from the HSE report. A whole range of design factors were implicated, including:
- Design didn’t use accepted standards
- Plant operating outside of the design envelope
- Misconceptions between designers and operators
- Unexpected failure mechanisms
- Incorrect functioning
- Failure of backup measures
- and many more.
No conclusions could be drawn about the design stage or type of oversight relating to accidents in the current data nor the HSE report.
They discuss some issues around design factors in accidents. One is how opaque they can be: investigations will often implement short-term solutions aimed at operational performance, such as training or procedures, rather than redesign.
Further, even where design is identified as a cause, fixing it can be long, expensive and challenging.
They provide the key designer misconceptions from the UK HSE report, shown below:
Authors: Steve Kinnersley, Alfred Roelen. (2007). Safety Science, 45, 31–60.
Study link: https://doi.org/10.1016/j.ssci.2006.08.010
Link to the LinkedIn article: https://www.linkedin.com/pulse/contribution-design-accidents-ben-hutchinson