ML19308B832

MORT User's Manual, For Use With Management Oversight and Risk Tree Analytical Logic Diagram, Prepared for ERDA

Site: Crane
Issue date: 11/30/1976
From: Eicher R, Knox N; EG&G, Inc.
References: TASK-TF, TASK-TMR, ERDA-76-45-004, ERDA-76-45-4, SSDC-4(REV-1), NUDOCS 8001170414
Download: ML19308B832 (68)

Text

ERDA-76/45-4 SSDC-4 (Rev.1)

MORT USER'S MANUAL

FOR USE WITH THE MANAGEMENT OVERSIGHT AND RISK TREE ANALYTICAL LOGIC DIAGRAM

SYSTEM SAFETY DEVELOPMENT CENTER

EG&G Idaho, Inc.
P.O. Box 1625, Idaho Falls, Idaho 83401

NOVEMBER 1976

UNITED STATES ENERGY RESEARCH AND DEVELOPMENT ADMINISTRATION
DIVISION OF SAFETY, STANDARDS, AND COMPLIANCE

DISCLAIMER This report was prepared as an account of work sponsored by the United States Government.

Neither the United States nor the United States Energy Research and Development Administration, nor any of their employees, nor any of their contractors, subcontractors, or their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product or process disclosed, or represents that its use would not infringe privately owned rights.

Available from: National Technical Information Service (NTIS), U.S. Department of Commerce, 5285 Port Royal Road, Springfield, Virginia 22161.

Price: Printed Copy $4.50; Microfiche $3.00

ERDA-76/45-4
SSDC-4 (Rev.1)
UC-41

MORT USER'S MANUAL FOR USE WITH THE MANAGEMENT OVERSIGHT AND RISK TREE ANALYTICAL LOGIC DIAGRAM

Prepared By N. W. Knox and R. W. Eicher

Work Performed At EG&G IDAHO, INC., IDAHO OPERATIONS OFFICE, Under Contract No. EY-76-C-07-1570

November 1976 (third printing - September 1977)

ACKNOWLEDGMENT

We gratefully acknowledge the many helpful suggestions we received from our colleagues of the System Safety Development Center during the preparation of this manual.

Special thanks go to Della T. Kellogg for her editorial assistance.

The source document for this "condensation" was the MORT text, "MORT - The Management Oversight and Risk Tree" (SAN 821-2), authored by W. G. (Bill) Johnson.


ABSTRACT

This report is the User's Manual for MORT, a logic diagram in the form of a "work sheet" that illustrates a long series of interrelated questions. MORT is a comprehensive analytical procedure that provides a disciplined method for determining the causes and contributing factors of major accidents. Alternatively, it serves as a tool to evaluate the quality of an existing safety system. While similar in many respects to fault tree analysis, MORT is more generalized and presents over 1500 specific elements of an ideal "universal" management program for optimizing occupational safety.


CONTENTS

PART I
A. PURPOSE
B. BACKGROUND
C. INTRODUCTION
D. SYSTEM SAFETY ANALYSIS VERSUS THE SAFETY SYSTEM PROGRAM
E. THE ROLES OF CHANGE ANALYSIS AND THE ENERGY BARRIER CONCEPT

PART II
A. GENERAL FEATURES OF THE MORT EVENT TREE
B. WORKING WITH THE MORT ANALYSIS
C. PLAN OF THE USER'S MANUAL

QUESTIONS FOR THE MORT ANALYST

APPENDIX - MORT DIAGRAM CONSTRUCTION RULES

FIGURES
1. Schematic of the MORT Process
2. MORT TOP Events
A-1 Schematic of a Fault Tree
A-2 Examples of Good and Poor Logic
A-3 MORT Logic Symbols
A-4 MORT Event Symbols
MORT LOGIC DIAGRAM (inside back cover)


4. A collection of philosophical statements and general advice relative to the application of the MORT system safety concepts and listed criteria by which to make an assessment of the effectivity of their application.

A major MORT premise is that the MORT safety system is congruous (i.e., harmonious) with a goal-oriented, high performance, complex management system.

Working under the direction of a Steering Committee composed of senior ANC line and staff managers, a MORT development team was formed consisting of Johnson and three ANC employees, Dr. Robert Nertney, Jack Clark, and Jack Ford.

During the next two years, MORT concepts were subjected to trial use under actual operational conditions.

Additional systems concepts were developed and tested.

In 1973, the second generation MORT text was published.

It included additional safety systems developed and refined by ANC and the Idaho Operations Office of the ERDA, and incorporated the result of an intensive effort of collecting and organizing the best safety elements from different programs throughout the world.

It should be emphasized that MORT does not represent new and untried methodology. MORT does represent the synthesis of those best safety program elements and concepts with the state-of-the-art techniques of safety program analysis and evaluation.

Careful review of the results of numerous studies conducted over nearly four years, coupled with the ANC trial application results, led ERDA-SSC to embark upon a full scale orientation and training program of ERDA and ERDA contractor personnel throughout all of the ERDA.

In August of 1974 the System Safety Development Center (SSDC) was established at Aerojet under the joint sponsorship of ERDA-SSC and ANC.

In October 1976, EG&G Idaho was awarded the prime operating contract at the INEL, including the management role of the SSDC.

Staffing and responsibility for the MORT orientation and training program were assigned to the SSDC. The formal implementation plan adopted consisted of:

1. MORT 5½-Day Training Seminars
2. MORT Management Briefings
3. Mini-MORT Seminars
4. Safety Program Improvement Projects (SPIP's)

To date, 29 seminars have been conducted, 13 at the INEL and 16 at other ERDA facility locations. The continued activities of the SSDC are presently projected to a ten-year program of further MORT development. This includes presentation of MORT orientation and training seminars for ERDA and ERDA contractors, with seminar locations spotted throughout the United States.

In addition, a MORT-based Accident/Incident Investigation Workshop has been developed. These workshops are also being held throughout the country to certify "trained investigators", as prescribed by ERDAM Chapter 0502.

C. INTRODUCTION

The acronym MORT actually has two meanings:

1. A total safety program concept (viewed as a specialized management subsystem) focused upon programmatic control of industrial safety hazards, and

2. The actual logic diagram which displays the structured set of interrelated safety program elements and concepts comprising the ideal safety program model that is called MORT. This universal logic diagram becomes a master "work sheet" for use in analyzing a specific accident or alternatively for use in the evaluation and appraisal of an existing safety program for accident/incident potential.

As a safety management program, MORT has been designed to:

1. Prevent safety-related oversights, errors, and omissions.
2. Result in identification, assessment, and referral of residual risks to proper management levels for appropriate action.
3. Optimize allocation of resources available to the safety program and to individual hazard control effort.

The many state-of-the-art safety system concepts and safety program elements synthesized to produce "programmatic MORT" are presented in considerable detail in the second generation MORT text.

Integrated into the MORT safety program model are the best features of current exemplary safety programs found in the United States, such as management implementation, hazard analysis, human factors analysis, work processes, monitoring, information systems, and organization systems and services.

Innovative concepts, such as the sequential role of unwanted energy flow, barriers to energy transfer, error, change, and risk, are systematically related along with the most current concepts of the behavioral, organizational, and analytical sciences.

Translated to "analytical MORT" (the MORT logic diagram), these features of "programmatic MORT" accumulate to over 1500 "basic events" (i.e., causative problems or preventive measures related to an ideal safety system).

These, in turn, underlie nearly 100 different generic problems identified in successively broader areas of management and accident prevention.

Incorporated into the above listed concepts are some 50 to 70 "new ideas".

(The actual number is highly subjective, depending upon a person's background and experience.) The way in which the MORT concept (programmatic MORT) is schematically represented by a logic diagram (analytical MORT) is shown in Figure 1.


MORT is simply a diagram which arranges safety program elements in an orderly and logical manner.

It presents a schematic representation of a dynamic, idealized (universal) safety system model using Fault Tree Analysis methodology.

MORT structures the largely unstructured safety literature and current best safety practices into three levels of relationships:

a. Generic Events (Problems): 98 generic problems.
b. Basic Events (Causes): 1500 possible causes.
c. Criteria (judgment rationale from the MORT text): thousands of criteria by which to judge adequacy.

MORT makes explicit:

a. The functions necessary to complete a process.
b. The steps to fulfill a function.
c. Judgment criteria (from the MORT text) by which to judge when a step is well done or Less Than Adequate (LTA).

It provides relatively simple decision points in an accident analysis or safety system evaluation and enables an analyst or evaluator to detect omissions, oversights, or defects.

Figure 1. Schematic of the MORT Process

[Figure 1 (image not reproduced): Process, Functions and Steps on one side, paired with the three levels above: Generic Problems (98), Possible Causes (1500) and Criteria to Judge Adequacy (thousands, from the MORT text).]

Fundamental to a successful accident investigation or safety program evaluation is the assignment by higher management of technically qualified, competent, safety-motivated personnel to participate in the investigation.

Even so, experience, to date, has shown that a well-qualified person (but novice Mortician), armed with only the MORT text and the MORT "work sheet" with its collection of symbols and terse statements, will likely find initial encounter with the MORT proposition somewhat overwhelming.

This User's Manual or Handbook has been prepared to help that new Mortician develop a quick familiarity with the MORT process.

In the remaining sections of Part I, the reader is first introduced to the basic concepts of system analysis and the role of change.

Fault Tree Analysis (FTA), from which the more generalized MORT analytical procedure is derived, is briefly discussed in Appendix I.

In Part II the actual User's Manual plan is presented.

The structured relationship of each generic causative problem or preventive measure to the idealized safety system is explained and fitted into the event indexing scheme adopted for the MORT diagram. As each major branch and its principal sub-branches are listed, occasional commentary relative to the safety program concept or best practice safety program element involved is made. With this additional insight, more probing questions can now be asked by the MORT analyst.

With that enhanced understanding, the analyst is able to make a better judgment whether the specific safety program element being examined is "adequate" or "less than adequate" (LTA). As previously mentioned, the analyst is encouraged to use the MORT diagram as a master "work sheet", marking the individual program elements.

Suggestions for working with the MORT analysis are made.

The cross reference tabulation to the index code used on the MORT diagram is presented in "indexed" fashion for easy location.

Page number references back to the MORT text are provided in the parentheses which follow the indexed event tabulation.

Once completed, the MORT analytical "work sheet" provides an all-important visibility to the accident investigation process or to the safety program evaluation. The analyst is able to review his findings, present them meaningfully to others, alter or revise the analysis as additional facts warrant, and conveniently document the total effect for later use.

In summary, the objective of the User's Manual (Part II in particular) is to provide the novice Mortician with quick-look additional insight to the "programmatic MORT" concepts behind the statement in the MORT diagram event symbol. With this insight, it is hoped that facility in the use of the MORT diagram as an analytical work sheet to analyze a specific accident or safety program will be more quickly obtained.

D. SYSTEM SAFETY ANALYSIS VERSUS THE SAFETY SYSTEM PROGRAM

We have said the MORT logic diagram is an idealized safety system model based upon the fault tree method of system safety analysis.

To understand what is meant by system safety analysis, we must first understand what is meant by system. Many words can be (and have been) written to explain the concept. We will simply state it is an orderly arrangement of interrelated components that act and interact to perform some task or function in a particular environment and within a particular time period. We must include people, who are the prime intelligence factor that initiates the system, and communication (i.e., information flow), which is the prime factor that makes the system function.

A system is a dynamic entity that changes with time.

In a "perfect" system, all components function in a manner that contributes to or complements the task achievement.

In an imperfect system, some "fault" exists. A fault then is any factor not complementary to the task achievement.

(System effectiveness is a measure of the degree to which the end goal is accomplished without unplanned deviations from the planned course of tasks or functions.)

System analysis is a directed process for the orderly acquisition and review of specific information pertinent to a given system.

Its purpose is to provide the basis for informed management decision.

The goal of a safety system or program is to produce a safe system; i.e., a system in which the likelihood of occurrence of all identifiable hazardous events is maintained at an acceptable level.

A safety system or program is a formal approach to eliminate or control hazardous events through engineering, design, education, management policy, and supervisory control of conditions (environment) and practices.

System safety analysis, MORT style, is one method that can be used to evaluate the success of a safety program.

E. THE ROLES OF CHANGE ANALYSIS AND THE ENERGY BARRIER CONCEPT

Within the MORT system, an incident is defined as unwanted energy transfer (energy change). An accident is defined as an incident that produces injury to persons, damage to property, or degradation of an ongoing process.

MORT suggests that an accident is usually multi-factorial in nature.

It occurs because of lack of adequate barriers and/or controls upon the unwanted energy transfer associated with the incident.

It is usually preceded by initiating sequences of planning errors and operational errors that produce failures to adjust to changes in human factors or environmental factors.

The failure to adjust satisfactorily leads directly to unsafe conditions and unsafe acts that arise out of the risk associated with that activity.

The unsafe conditions and unsafe acts, in turn, provoke the flow of unwanted energy. The occurrence of the unwanted energy is defined as an incident (as was stated above).

MORT has been designed for use as an investigative tool with which to focus upon the many factors contributing to an incident/accident.

It accomplishes this by means of a meticulous trace of the unwanted energy sources, along with consideration of the adequacy of the barriers provided.

As the analysis proceeds, MORT is ready to alert to any system changes, both planned and unplanned. When change is detected, MORT strongly suggests the need for detailed change analysis.

The practice of change analysis gives the analyst the ability to determine whether: (1) changes are needed in a stable operational system or (2) a changing operational system requires safety-related counterchanges.

In the first instance, many examples can be found of systems where the commonly used indicators and guidelines (accidents/injuries per man-hour, etc.) give indication of an acceptable safety program; however, the application of quite simple risk projection techniques reveals a high probability of a severe consequence accident.

In the second instance, the need for safety counterchanges is related to the simple fact that any real-life operational system is constantly experiencing changes in personnel, procedure systems, and equipment.

Again, many examples can be found in accident investigation literature of such changes leading directly to accidents and incidents.

Implicit in consideration of change and its potential consequence is the concept of defined risk acceptance at the appropriate management level (without assumption of undefined risk because of oversights and omissions).

Application of elementary principles of good business management points to the need for formal change analysis and control methods.

These management practices will better define the risk, focus on needed safety counterchanges, and lead to informed decision by the cognizant management level on whether or not to accept new change-related risks.

MORT is, therefore, designed to investigate accidents and incidents and to evaluate safety programs for potential accident/incident situations. Two of the many basic MORT concepts are the analysis of change and the evaluation of the adequacy of energy barriers relative to persons or objects in the energy channel.

PART II

A. GENERAL FEATURES OF THE MORT EVENT TREE

Figure 2 summarizes the logical arrangement adopted for depicting the generic events which comprise the TREE TOP of the MORT diagram.

Construction layout depicts three main "branches" ordered with Specific and Management (S/M) Oversights and Omissions on the left and Assumed Risks (R) on the right. The MORT technique requires events in the Assumed Risk branch to be events transferred there from the Oversights and Omissions branch. R factors are defined as only those risks that have been analyzed and accepted by the proper level of management; unanalyzed or unknown risks are not considered to be Assumed Risks.

Development of the two main branches comprising Oversights and Omissions is ordered with Specific Control Factors (S) on the left and the more general Management System Factors (M) on the right.

M factors are shown separate from the process that produced the specific adverse event for two reasons: (1) depiction of the existing management systems will suggest related background aspects of the specific accident that should be closely examined, and (2) the specific event may, in turn, suggest certain aspects of the management systems which may truly be less than adequate (LTA).

In general, the further development of the S branch is keyed to time as well as process.

Left to right is earlier to later, and bottom to top of the tree shows causal sequence progress from basic detailed causes to generic causes.

Specific rules of construction for extending the MORT diagram tree are given in Appendix I.

The key to understanding "programmatic" MORT is a close element-by-element examination of the MORT diagram. The diagram branches, in large part, are self-explanatory. Each element of the diagram branch presents a relatively simple question.

One starts at the diagram top with the actual losses resulting from an accident or the potential loss if the diagram is being used to evaluate an existing safety program.

Each of the three main factors (branches) is considered in turn.

Detailed consideration of the S branch is accomplished by reasoning backward in time through several sequences of contributing factors.

The analysis ends when the question posed by the circled statement is answered with a "yes" or "no".

Figure 2. MORT TOP Events

[Figure 2 (image not reproduced): the tree top of the MORT diagram. TOP event: "What and how large were the losses?" (injuries, damage, other costs, performance lost or degraded, program/public impact), with an alternative TOP event "Future undesired events?" attached by a dashed line. Below it: Oversights and Omissions (S/M), asking "What happened? Why?", and Assumed Risks (R). S/M splits into Specific Control Factors LTA (S), with inputs Accident (SA1) and Amelioration LTA (SA2), and Management System Factors LTA (M), with inputs MA1, MA2 and MA3 (labels only partly legible in the scan: Implementation, Risk Assessment). LTA = Less Than Adequate.]

Obviously, some factors (branches) will be more relevant than others.

On the other hand, the user should know there is some planned redundancy in the MORT diagram. A higher degree of hazard protection is attained when a hazard may be identified and connected at two or more places.

It is better to ask the right question twice than to fail to ask it at all.

B. WORKING WITH THE MORT ANALYSIS

Repeated practice and experience with the MORT diagram are necessary before good dexterity and skill in its application are acquired. What the novice must do is try the method out on an actual accident. While many subsections of the MORT diagram may not apply to a specific accident, the analyst probing the accident for its probable cause(s) will be surprised at the number of subsections (branches) that are helpful and that are (as indicated by the name of the method) overlooked by management.

As previously mentioned, the analyst is encouraged to use the MORT diagram as a master "work sheet", marking the individual program elements.

One effective way of learning the MORT technique is to analyze a serious accident and color the boxes and circles of the MORT diagram relative to it.

Those elements of the diagram that reveal a deficiency are colored red, those that appear adequate are colored green, and those that require more information before judgment can be made are colored blue.

If a section of the diagram truly does not apply, it can be "X'd" out with a black pen.

From experience with the MORT diagram, the following suggestions can be given:

1. The MORT analytic diagram works best if it is used as a working paper. Pertinent facts about an accident or problem may be noted in margins at appropriate places. Informality is a key - the diagram will take care of the discipline. MORT is a screening guide and a working tool, not the finished report. Writing the report is a separate process. MORT is structured to facilitate analysis. It helps avoid personal hobbies, bias, or the tunnel vision that commonly results from pet theories of accident causation.

2. Commonly, the first reading of an accident report prepared by persons not using MORT leaves the impression that the documentation of what happened is complete. But on second reading, if one uses the MORT diagram as a supplementary aid, the gaps in information about what happened are readily revealed. Questions about why it could have happened begin to emerge.

3. A slower, more disciplined trip through the diagram is then in order. It is usually necessary to trace unwanted energy flow meticulously on a separate sheet, and then examine the nature of possible barriers step-by-step. If a situation emerges that is not covered in any of the MORT elements, the analyst can draw in an additional section using the construction methods and symbols described in Appendix I.

4. The distinction between S factors and M factors should be kept in mind at all times. The specific event associated with the actual incident/accident sequence of the Specific Control Factors branch will often have its counterpart in the general Management System Factors branch. The analyst must focus his thinking upon the accident process when evaluating the S branch. When evaluating the M branch, he must expand his thinking to the "global" or total management system concept.

C. PLAN OF THE USER'S MANUAL

The judgment used by the analyst to determine whether a specific event of a MORT diagram is "satisfactory" or "less than adequate" (LTA) is partly subjective. The decision depends upon the selection, application, and evaluation of related criteria. A most important function of MORT is to greatly reduce subjective judgments, personal bias, etc.

The MORT text (SAN 821-2) has collected, organized, and commented upon the best concepts and practices found in the largely unstructured current safety literature.

In total, therefore, the MORT text contains the state-of-the-art criteria applicable for judging when an event is adequate or LTA.

The obvious problem for the novice MORTician is how to quickly relate the applicable criteria to the specific event being considered.

The MORT text is an invaluable reference document, but it is not the handy, quick-look, supportive reference source needed by the inexperienced MORTician.

In the pages which follow, this User's Manual seeks to summarize, index, and cross reference to the MORT text the concepts and criteria applicable to each event of the MORT diagram.

An event-by-event review is made, using an indexed tabulation format keyed to the event identification scheme of the MORT diagram.

Basic event statements are usually converted to questions, as this is the form the analyst must use as he asks himself whether the particular event is adequate or LTA. The style and tense adopted for the Specific Control Factors branch are based upon the assumption a specific accident has occurred, with consequent injury or property damage. The style and tense used for the Management System Factors branch are based upon use of the MORT diagram for appraisal of an existing safety system.

The questions are phrased in a positive manner so that if the answer is "LTA", the evaluated event is judged a "fault".

The format used is as follows:

1. Statement of the MORT Indexed Event

Each event listed on the MORT diagram is reviewed, whether it be a "generic" event or a "basic" event. The event statement is positioned on the page in accordance with its indexed position in the MORT indexing scheme. The statement is usually paraphrased as a question. Incomplete sentence structure is sometimes used for brevity (particularly at the basic event level).


2. Additional Questions

In some instances, additional questions relative to the event are posed to the reader. The purpose is twofold: (a) to probe how effectively the event fits the accident or safety system being analyzed and (b) to help the user determine whether sufficient information is available to answer the question implied by the event statement, or whether more detailed information is needed before judgment can be made.

3. Commentary

Additional explanation or caution based upon MORT seminar teaching experience is made where appropriate. The nature of the commentary depends upon the specific event (i.e., whether an upper tier generic type event or a lower tier basic event). In general, the amount of commentary has been limited to that required for the novice Mortician to grasp the thought associated with the event statement.

4. MORT Text Cross Reference

Should the user want a more detailed explanation of the safety program concept and criteria, a MORT text page number(s) is often provided in parentheses following the commentary of the indexed event statement. Where more than one page number is given, the first number listed is the principal MORT text reference. If an additional tree is available for more rigorous analysis, as in Independent Review, the reference is shown as Tree, page 5 of Exhibit 8 in the MORT text.

QUESTIONS FOR THE MORT ANALYST

The following questions may be used in conjunction with the MORT diagram.

The reader is reminded that the Specific Control Factors (S) branch questions presume an accident, whereas the General Management Factors (M) branch questions are phrased from the assumption of a safety system evaluation.

Whatever is the actual case, the user should have no great difficulty in making the mental adjustment.


T. Fundamental Questions (the TOP event):

What happened? Why? What were the losses? (Specify the number and type of injuries, the amount of property damage, production downtime, product degradation, reduction in employee morale, program impact, negative publicity, or any other type of loss.)

[The construction layout shows an alternative top event connected to the diagram by a dashed line. This unique method is employed to show the duality of MORT application. When using MORT as an appraisal tool, the analyst views the TOP event statement as future potential losses that may result from an Assumed Risk or from an Oversight/Omission existent in the safety system being evaluated.]

S/M. Oversights and Omissions:

[The tree structure depicts two fundamental causes of the adverse consequences listed by the TOP event: (1) Management Oversights and Omissions or (2) Assumed Risks. All contributing factors in the accident sequence are seen as Specific Oversights and Omissions until such time as they are transferred to Assumed Risks. Further discussion of Assumed Risks is provided under its appropriate heading. Input to the Oversights and Omissions event is through an AND logic symbol, because MORT experience, to date, shows the S and M branches to be mutually inclusive.]

S. Specific Control Factors:

What were the specific control factors of the management system that were overlooked or omitted? (139)

[Detailed understanding of the incident/accident sequence leads naturally to: (1) consideration of the Management System Factors and (2) judgment whether the fault (failure potential) was an Assumed Risk.]

SA1. Accident:

Describe what happened. (25)

[MORT conceives the accident occurred when an unwanted energy transfer reached persons and/or objects. MORT combines this concept and others into a functional accident definition as follows: An unwanted transfer of energy because of lack of barriers and/or controls, producing injury to persons and/or damage to property or the process.]

SA2. Amelioration LTA:

Once an accident has occurred, was there adequate amelioration on the part of all concerned parties? (140)

[Amelioration can only be considered and evaluated after an accident, thus the "Accident Occurrence" constraint on the gate leading to lower branch elements. The intent of amelioration is to limit the consequences of what has immediately occurred and to reduce the sensitivity of those consequences whenever possible. When evaluating Amelioration from an overall management system standpoint, consider the following: (1) Are all of the amelioration functions preplanned (as opposed to the possibility of having them occur fortuitously at the time of a particular accident)? (2) Does the plan adequately scope the types and severity of accidents which it intends to cover? (3) Are adequate resources allocated to properly execute the plan? and (4) Is management aware of any residual risk beyond the scope of the plan?]

al.

Prevention of Second Accident LTA:

Was prevention of a Second Accident adequate? Through the efforts of individuals at the accident scene and those who arrived later, were steps taken to prevent a second accident caused directly or indirectly as a consequence of the first?

b1. Plan LTA:

If properly executed, was the plan adequate to accomplish the intended function? Was the plan provided to those who needed it?

b2. Execution LTA:

Was the plan executed as was intended?

b8. Employee:

Did the relatives of the injured employee first hear about the accident from a responsible, tactful individual within the organization? Were the other employees in the organization notified firsthand about the accident with some assurance that significant corrective action would be taken?

b9. Officials:

Were the facts about the accident given accurately and in a timely manner to the proper officials of:

(1) the organization, (2) the customer, (3) the local municipality, (4) the state, and (5) other governmental agencies as appropriate?

b10. Public and b11. Media:

Were the news media (and thereby the public) given the accident facts and assurance that significant corrective actions were being taken? Was a specific point of contact within the organization provided as the source of additional information?

SB1. Incident:

What was the incident? Describe what happened. (140)

[Note that Incident is only one of three inputs to an AND gate. This event denotes an unwanted energy transfer; however, because of the AND gate, an unwanted energy transfer does not necessarily result in an accident. A "near-miss" incident is often worthy of analysis.]

SB2. Barriers LTA:

Were there adequate barriers on the unwanted energy? What were the specific barriers? (33,141)

[The twelve barriers listed on page 33 of the MORT text and their order of listing should be reviewed carefully. MORT treats the first five listed barriers as a function of concept and design. The four "intermediate" barriers (i.e., source-target) are listed by MORT as specific inputs to this Barriers event. The final three "target" barriers are treated elsewhere on the MORT diagram. The example of grinding wheel safety practices, Figures 2-3 on page 35 of the MORT text, is particularly helpful in illustrating the barrier concept.]

a1. Were there barriers on the energy source?

[Note other lower tier events included by transfer from a3.]

a2. Were there barriers between the energy source and the injured person / damaged equipment?

[Note other lower tier events included by transfer from a3.]

a3. Were there barriers on persons and/or objects?

[Note all lower tier development under this event also transfers to a1., a2., and a4.]

b1. None Possible:

[Note use of the Diamond event symbol, indicating termination of fault sequence because of the lack of solution. Note also the event is flagged with R2 assumed risk symbol. Top management must assume risk for design in which no barriers to unwanted energy flow were possible.]

b2. Barrier Failed:

Did the barrier prevent the transfer of energy as designed?

b3. D/N Use:

Were barriers used?

c1. D/N Provide:

Were barriers provided where possible?

[Note the event is flagged with R3 assumed risk symbol. Top management must assume risk for failure to provide barriers, e.g., failure to provide safety glasses.]

c2. Task Performance Errors:

Were the provided barriers against the transfer of unwanted energy used properly? (e.g., Why were available safety glasses not used?)

[Note that all the lower tier development under event SD5-b3 transfers to this event also.]

a4. Were there "barriers" of time or space which separated the energy and the person or object?

[The term "energy barrier" has the connotation of physical intervention; however, the barrier may be a "paper barrier". Separation by time or space in particular may be accomplished by written procedure or some other type of administrative control.]

[Note other lower tier events included by transfer from a3.]

SB3. Persons and/or Objects in the Energy Channel:

Were "targets" for the unwanted energy transfer removed from the energy transfer channel?

[This part of the analysis is usually quite perfunctory. If there was no recipient, then there was no accident but only a "near-miss" accident. The investigator should, however, be sure the following questions of functional presence, administrative control, and evasive action are examined.]

a1. Nonfunctional:

Was the person or object functional? Was the person or object supposed to be there?

b1. Was there adequate control of nonfunctional persons or objects?

b2. Was such control practicable?

[Note the event is flagged with R4 assumed risk symbol. Top management assumes risk responsibility for the decision.]

a2. Functional:

Consider the lower tier elements below this only if the person or object was supposed to be there.

[The event symbol used is for an expected event. Note also the logic symbol associated with the event is a Conditional OR gate. For consideration of the several input events, barriers to the unwanted energy transfer (SB2) must have failed; energy has therefore reached the person or object in its channel or flow path.]

b3. Were the administrative controls adequate to prevent persons or objects from being in the energy flow path?

b4. Evasive Action LTA:

c1. Was there adequate planned control of functional persons or objects?

c2. Was functional control practical?

[Note this event is flagged with R5 assumed risk symbol. Top management assumes risk responsibility for the decision.]
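A small evaluator for the accident subtree described above (SA1 as an AND of SB1, SB2 and SB3; the a1/a2/a4 lower tiers taken by transfer from a3; the conditional gate on SB3-a2; and the R2 to R5 assumed-risk flags), added here as an example and not taken from the manual or the MORT diagram itself. The event names follow the manual's numbering, but the findings in the three sample investigations are constructed.

```python
"""Toy evaluator for the MORT S-branch accident subtree.

Constructed example, not part of the MORT manual or the MORT diagram.  Event
names follow the manual's numbering (SA1, SB2-a3-b1, ...); the leaf "facts"
are hypothetical investigation findings and do not come from the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    name: str
    gate: str = "basic"                 # basic | and | or | transfer
    children: List[str] = field(default_factory=list)
    constraint: Optional[str] = None    # gate is considered only if this event holds
    assumed_risk: Optional[str] = None  # R2..R6 flag: top management must assume this risk
    transfer_to: Optional[str] = None   # lower tier taken by transfer from another event


class MortTree:
    def __init__(self) -> None:
        self.events: Dict[str, Event] = {}

    def add(self, ev: Event) -> "MortTree":
        self.events[ev.name] = ev
        return self

    def holds(self, name: str, facts: Dict[str, bool], risks: Set[str]) -> bool:
        """True if fault `name` is present given the findings in `facts`.
        Assumed-risk flags on every event found present are collected in `risks`."""
        ev = self.events[name]
        # Conditional gate (e.g. SB3-a2 "Functional"): the lower branch is only
        # examined once the constraining event (barriers failed) is established.
        if ev.constraint and not self.holds(ev.constraint, facts, risks):
            return False
        if ev.gate == "basic":
            present = facts.get(name, False)
        elif ev.gate == "transfer":
            present = self.holds(ev.transfer_to, facts, risks)
        else:
            # Evaluate every child (no short-circuit) so all R-flags are collected.
            results = [self.holds(c, facts, risks) for c in ev.children]
            present = all(results) if ev.gate == "and" else any(results)
        if present and ev.assumed_risk:
            risks.add(ev.assumed_risk)
        return present


def build_accident_subtree() -> MortTree:
    """SA1 Accident = SB1 Incident AND SB2 Barriers LTA AND SB3 Persons/Objects in channel."""
    t = MortTree()
    t.add(Event("SA1", "and", ["SB1", "SB2", "SB3"]))
    t.add(Event("SB1"))  # Incident: an unwanted energy transfer occurred
    # SB2 Barriers LTA: a1, a2 and a4 take their lower tier by transfer from a3.
    t.add(Event("SB2", "or", ["SB2-a1", "SB2-a2", "SB2-a3", "SB2-a4"]))
    for a in ("SB2-a1", "SB2-a2", "SB2-a4"):
        t.add(Event(a, "transfer", transfer_to="SB2-a3"))
    t.add(Event("SB2-a3", "or", ["SB2-a3-b1", "SB2-a3-b2", "SB2-a3-b3"]))
    t.add(Event("SB2-a3-b1", assumed_risk="R2"))  # None Possible (diamond event)
    t.add(Event("SB2-a3-b2"))                       # Barrier Failed
    t.add(Event("SB2-a3-b3", "or", ["SB2-a3-b3-c1", "SB2-a3-b3-c2"]))  # D/N Use
    t.add(Event("SB2-a3-b3-c1", assumed_risk="R3"))  # D/N Provide
    t.add(Event("SB2-a3-b3-c2"))                      # Task Performance Errors
    # SB3 Persons and/or Objects in the Energy Channel
    t.add(Event("SB3", "or", ["SB3-a1", "SB3-a2"]))
    t.add(Event("SB3-a1", "or", ["SB3-a1-b1", "SB3-a1-b2"]))  # Nonfunctional
    t.add(Event("SB3-a1-b1"))                       # control of nonfunctional persons LTA
    t.add(Event("SB3-a1-b2", assumed_risk="R4"))    # such control not practicable
    t.add(Event("SB3-a2", "or", ["SB3-a2-b3", "SB3-a2-b4"], constraint="SB2"))  # Functional
    t.add(Event("SB3-a2-b3"))                       # administrative controls LTA
    t.add(Event("SB3-a2-b4", "or", ["SB3-a2-b4-c1", "SB3-a2-b4-c2"]))  # Evasive Action LTA
    t.add(Event("SB3-a2-b4-c1"))                    # planned control of functional persons LTA
    t.add(Event("SB3-a2-b4-c2", assumed_risk="R5"))  # functional control not practical
    return t


def analyse(facts: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (accident occurred?, sorted assumed-risk flags needing management sign-off)."""
    risks: Set[str] = set()
    accident = build_accident_subtree().holds("SA1", facts, risks)
    return accident, sorted(risks)


# Constructed findings for three investigations (hypothetical, not from the manual).
ACCIDENT = {"SB1": True, "SB2-a3-b3-c2": True, "SB3-a2-b4-c2": True}  # glasses provided, not worn
NEAR_MISS = {"SB1": True, "SB2-a3-b2": True}                           # barrier failed, nobody in channel
BARRIERS_HELD = {"SB1": True, "SB3-a2-b4-c2": True}                    # barriers held: SB3-a2 not examined

if __name__ == "__main__":
    for label, facts in (("accident", ACCIDENT), ("near miss", NEAR_MISS), ("barriers held", BARRIERS_HELD)):
        print(label, analyse(facts))
```

The third case shows the effect of the conditional gate: with barriers adequate, SB3-a2 and its R5 flag are never examined, so no assumed risk is reported even though the evasive-action finding is recorded.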

SC1. Consequent Unwanted Energy Flow:

What was the specific type of unwanted energy flow which led to the incident? (31,141)

Describe it and label it as the consequent energy (i.e., the energy flow which was the immediate cause of the incident occurrence).

[Often incidents/accidents are the consequence of an unwanted energy flow in which the energy changes form. Sometimes different sources of the same type of energy interact. Meticulous tracing of the energy flow(s) sequence has proven to be a most productive analytical method for identifying the unwanted energy flow which was the root cause of the incident. The "transfer out" symbol (SD8) is used to show that this same analysis procedure is repeated so as to trace and identify precedent energy in the energy flow sequence.]

SC2. Precedent Unwanted Energy Flow(s):

What was (if any) the unwanted energy flow(s) that occurred earlier in time (i.e., preceded the "consequent" unwanted energy flow that was the immediate cause of the incident)? Describe in terms that uniquely define the energy and identify the point in the time sequence of energy flow where the energy changed form or interacted with other energy.

[Careful analysis of the events related to the incident may disclose a time sequence of unwanted energy flows. Each should be analyzed, in turn, working backwards in time, repeating this portion of the MORT analysis as required. Note the constraint placed upon the AND logic gate is the prior occurrence of the Consequent Unwanted Energy Flow. If a third energy transfer is analyzed, the logic gate constraint becomes the prior occurrence of the second unwanted energy transfer.]

SD7. Barriers LTA:

Were the barriers to the "precedent" unwanted energy transfer adequate?

[The analysis of lower tier events shown under SB2 transfers to this event also. Note, however, the specific energy flow being considered here is the precedent energy flow. It is not the consequent energy flow as that analyzed by SB2.]

SD8. Unwanted Energy Flow(s):

What was the specific type of unwanted energy flow?

[The analysis of lower tier events shown under SC1 transfers to this event also. Note, however, the specific energy being considered is the precedent energy flow. It is not the same energy as that analyzed by SC1.]

SD1. Technical Information Systems LTA:

Was the technical information system adequate (with respect to the unwanted energy flow)? (349)

[Complex work flow processes must be supported by complete technical information systems. It is axiomatic that complex systems will depart from plans and procedures to some degree. Therefore, information systems need to detect deviations, determine rates and trends, initiate corrections, and, in general, assure that goals are attained. MORT conceives a technical information system as consisting of "research" persons, "program" persons, and "action" persons obtaining, handling, and providing technical information relevant to the work flow process in a "communication" network.]

a1. Technical Information LTA:

Was there adequate technical information relevant to the work flow process?

[Often relevant information exists but is not available to the "action" persons associated with the process. Possible reasons are investigated by the following series of questions.]

b1. Knowledge LTA:

Was knowledge of the work flow process adequate?

[The question is investigated by subdividing into known and unknown precedent.]

c1. Based upon known precedent (i.e., for the prevention of the unwanted energy flow):

d1. Was application of knowledge obtainable from codes and manuals adequate? (260)

d2. Was the list of experts (to contact for knowledge) adequate?

d3. Was any existing but unwritten precedent relevant to the work flow process (i.e., part of the supervisor's regular practice) known to the " action" person?

d4. Were there studies directed to the solution of known work flow process problems? Was the effort being spent in the search for their solution reasonable and adequate? (265)

c2. If there was no known precedent:

d5. Were there investigation and analysis (i.e., risk analysis) of prior similar accidents/incidents or the work flow process accident potential? Was the investigation adequate? (95)

d6. Was there research directed to the obtaining of knowledge about the work flow process? Was the research effort reasonable and adequate? (97)

b2. Communication LTA:

Was the exchange or transmittal of knowledge adequate (relative to the potential unwanted energy transfer)?

c3. Was the internal communication adequate? (391)

d7. Was the definition of the internal communication network adequate?

d8. Was operation of the internal network adequate?

c4. Was the external communication adequate? (411)

[The query relates to the interface between the in-house (internal) information system and national information systems, such as the National Safety Council, NASA, NSIC, and others.]

d9. Was the definition of the external communication network adequate?

d10. Was the operation of the external communication network adequate? Was the method of searching, retrieving, and processing relevant information adequate?

a2. Monitoring Systems LTA:

Was the monitoring system adequate? Were the principal elements of a good monitoring system present? (351)

[Highly complex work flow processes require a high order of excellence of the monitoring subsystem of the technical information system. The management Risk Assessment system must be closed-loop to maintain the process "in control". Triggers for fast action fixes and data for achieving long-range hazard reduction goals are generated by the Monitoring System and transmitted by the Technical Information System to the Hazard Analysis Process (HAP) portion of the Risk Assessment System.]

b3. Was the safety observation plan (employed by work flow process supervision) adequate?

b4. Was there a planned independent searchout effort for high potential hazards by a safety professional? Was the safety inspection searchout effort adequate?

b5. Was incident/accident information, relative to prior incidents/accidents in similar processes, recorded and reviewed?

b6. Was there a planned RSO system? Was it operative? (116,361)

[RSO stands for Reported Significant Observation. MORT uses this term for a special safety study rather than the better known "critical incident" for semantic reasons. ("Critical" and "criticality" have very different and specific meaning in the nuclear energy field.) The RSO concept relates to the study of near-miss incidents observed and reported by line supervision and work level personnel.]

b7. Error Sampling System LTA:

Was there an error sampling plan? Was it operating adequately? (357)

[Error sampling is a specific management plan whereby staff personnel systematically sample for operating errors, using prepared checklists and definitions.]

b8. Were the routine field safety work site inspections made? Were they adequate?

b9. Was the audit of "upstream" work flow processes conducted in an adequate manner? (114)

[MORT separates the general work flow process into: (1) work-site operations and (2) upstream work flow processes such as design, construction, selection and training, etc. Each segment must be examined relative to the three basic work ingredients - hardware, procedures, and people.]

b10. Was the general health monitoring of work flow process personnel adequate? (373)

a3. Data Collection and Analysis LTA:

Were the data collection and analysis procedures adequate? Were there analyses (i.e., measurement techniques) made of the data? Did the analyses provide the proper risk assessment information to the decision maker responsible for the risk assumption? (415,372)

b11. Was there a priority problem list? Had it been updated to be a current list? (375)

[Management should, at all times, know what its most significant assumed risks are thought to be. Any delay in corrective action for budget reasons becomes an assumed risk for the present.]

b12. Were the available status and predictive statistics adequate? (415)

b13. Was the diagnostic statistics analysis adequate?

b14. Was the risk projection analysis adequate?

b15. Was the "War Room" status display of current problems, analyses, and results adequate? (439,97)

(Note: Due to a drafting error on the March 1976 version of the MORT logic diagram, items b1 and b2 of this section were interchanged in the Maintenance branch.)

b2. D/N Specify:

Were maintainability (inspectability) requirements specified by the design or procurement documents? If not, are they provided adequately by operations plans? (311)

c1. Maintainability (Inspectability) LTA:

Did the plan address methods for minimizing problems with equipment, processes, utilities, operations, etc., when they are undergoing maintenance (or being inspected)?

c2. Schedule LTA:

Was there a schedule? Did the plan schedule maintenance (inspections) frequently enough to prevent or detect (as appropriate) undesired changes? Was the schedule readily available to the maintenance (inspection) personnel? Was the schedule coordinated with operations to minimize conflicts? (313)

c3. Competence LTA:

Did the plan specify minimum requirements for the competence and training of individuals used in the program?

a2. Execution LTA:

Was there adequate execution of the maintenance (or inspection) plan?

b3. Task Performance Errors:

Were the individual tasks (as set forth by the plan) performed properly?

[Note other lower tier events included by transfer from SD5-b3.]

b4. D/N Maintain "Point-of-Operation" Log:

Was there a log of maintenance (inspections) kept at the point-of-operation on the piece of equipment, process, etc.? (311)

[This is distinct from other logs that may be kept in a control room, back at the main office, or in someone's desk or file. Familiar examples include the periodic inspection tags found on fire extinguishers and in elevators.]

b5. Caused Failure:

Was maintenance (inspection) of the work flow process performed without the maintenance (inspection) activity itself causing a failure or degradation of the process?

b6. Time LTA:

Was the time specified in the plan's schedule sufficient to adequately perform the task at each station? Was the time budgeted for personnel adequate to fulfill the schedule? Was the time actually provided?

SD5. Supervision LTA:

Was the worksite supervision adequate? Were the necessary supportive services adequate? (297)

[MORT identifies the first line supervisor as a "key man" in worksite safety, as he unquestionably is. However, if the supervisor is to adequately fulfill his responsibilities, he must have competent and useful advice and support from several kinds of supportive services. The adequacy of site supervision is, therefore, examined by MORT in this broader context. In particular, MORT tries to assess management's role in support and service to the supervisor. The emphasis throughout is to discuss what in the management system failed - not who.]

a1. Help and Training LTA:

Were the help and assistance given to supervisors adequate to enable them to fulfill their roles? Was the feedback of information to the supervisor adequate? Was it furnished in a form usable by the supervisor? What training had the supervisor been given in general supervision? What training had the supervisor been given in safety? Has the supervisor training program been evaluated? (300)

a2. Time LTA:

Did the supervisor have sufficient time to thoroughly examine the job?

a3. Supervisor Transfer Plan LTA:

Were there any gaps or overlaps in the supervisory assignments related to the event? If the supervisor was recently transferred to the job, was there protocol for orderly transfer of safety information from the old to the new supervisor? (303)

a4. D/N Detect / Correct Hazards:

Were the supervisor efforts adequate in detection and correction of hazards?

[Knowledge of hazards is often available from the work force. The supervisor must be receptive and accessible and must display vigor in acting on suggestions, if he is to gain access to that knowledge.]

b1. D/N Detect Hazards:

When did the supervisor last make an inspection of the area? Was any unsafe condition present in this accident/incident also present at the time of inspection? Was the condition detected? (303)

[Note that if the condition was detected but not corrected, the analysis shifts to D/N Correct Hazards.]

c1. Knowledge (Checklists) LTA:

Was a checklist specific to the process available? Was it used? Was the supervisor considered generally competent to assess safety aspects of his area of work?

c2. Detection Plan LTA:

Was there an overall detection plan for uncovering hazardous conditions?

b3. Task Performance Errors:

Was the task-related work activity free of hazards caused by performance error?

c8. Task Assignment LTA:

Was the task assignment properly scoped with steps and objectives clearly defined? Was the task assignment one the supervisor should have made? (332)

c9. Task Safety Analysis (e.g., JSA) Not Performed:

Was any form of task safety analysis performed as part of the work process? (316)

[Effort directed to Task Safety Analysis should be scaled to fit the magnitude of the safety hazard posed by the work task. The safety analysis effort applied to work processes having high energy potential or high hazard potential is usually highly formalized. The analysis results are implemented by a written procedure developed by the task supervisor and a small group of his most skilled craftsmen, and will usually be subjected to independent review. An example of this kind of task safety analysis is Job Safety Analysis (JSA), a process used by many large industrial companies. At the other end of the spectrum of Task Safety Analysis is the informal, oral review of task safety measures by the task supervisor, before work level personnel start to work the task. This latter level of safety analysis is applied to tasks having relatively low energy or low hazard potential. It is used most often with tasks related to routine maintenance and repair activity and will usually not have been independently reviewed.

The task safety analysis level of effort actually applied will range somewhere between the extremes described. MORT uses the concept of Pre-Job Analysis, by which is meant that nearly every task must be surveyed step-by-step to determine the level of effort of Task Safety Analysis that should be applied to the work task to be performed. The MORT diagram analysis proceeds with the premise that a Pre-Job Analysis should always be made for tasks assessed as having significantly high hazard potential.]

d8. High Potential:

Was an analysis performed for a work task involving a high potential for error, injury, damage, or for encountering an unwanted energy flow?

e1. Pre-Job Analysis Not Required:

Did the operations management require a pre-job analysis to scale the magnitude of task safety analysis to be performed?

e2. If required, was the pre-job analysis, as performed, adequate to scale the magnitude of task safety analysis to be performed?

e3. Pre-Job Analysis Not Made:

Was a pre-job analysis required but not made?

f1. Was it not made because of lack of authority?

f2. Was it because of budget reasons?

f3. Was it because of schedules?

f4. Was it because of a decision by the line supervisor?

d9. Low Potential:

Was the work task assessed as one involving low potential? Was this a reasonable assessment? Was the decision to not perform a task safety analysis properly delegated to the supervisor?

[Note the event is flagged with R6 assumed risk symbol. If the criteria for risk identification and assessment were properly met, this event transfers to the Assumed Risk branch.]

c10. Pre-Task Briefing LTA:

Was the work force given a pre-task briefing (prior to task performance)? Was it adequate? Did the pre-task briefing adequately consider the net effect of recent changes, maintenance, new hazards, etc.?

c11. Task Safety Analysis (e.g., JSA) LTA:

Was the task safety analysis adequate? Was the task safety analysis scaled properly for the hazards involved?

d10. Preparation LTA:

Was the preparation (and content) of the task safety analysis adequate?

e4. Selection LTA:

Were the safety hazards associated with the work task adequately identified and selected? (318)

f5. Were the criteria used adequate?

f6. Were the methods used in prioritizing the identified hazards adequate?

e5. Knowledge LTA:

Was the knowledge input to the task safety analysis adequate?

f7. Employee Suggestions and Inputs LTA:

Was consideration of employee-developed suggestions and inputs adequate?

g1. JSA Program LTA:

Was a JSA program used to obtain work level employee participation? Was the process of accomplishing the JSA program adequately defined and staffed?

g2. General System LTA:

Was the general management system for collecting and utilizing other employee suggestions and inputs adequate?

g3. RSO Study LTA:

Were "Reported Significant Observation" (RSO) studies used to gather employee inputs? Were these RSO's readily accessed? (116)

g4. D/N Use Suggestion:

Were employee suggestions and inputs (made through JSA, RSO, and other processes) used in the task safety analysis?

f8. Technical Information LTA:

Was the technical information (with respect to the preparation of the task safety analysis) adequate?

[Technical information relevant to safety aspects of the work process often exists but is not available to the "action" persons associated with the process. Possible reasons are investigated by a series of lower tier questions. Analysis of these lower tier events is shown under SD1-a1. Note the analysis transfers to this event also.]

e6. Development LTA:

Was the development of the specific task safety analysis by the first line supervisor adequate? If judged to have been inadequate, what were the true underlying causes for the inadequacy?

[An honest assessment should be made of what could reasonably be expected of the supervisor, taking into account existing time and budget restrictions placed upon him by higher supervision.]

f9. Time LTA:

Was there time for an adequate development of task safety analysis?

f10. Budget LTA:

Was there sufficient departmental budget?

f11. Scope LTA:

Were the scope and depth of the task safety analysis development sufficient to cover all related hazards?

f12. Professional Skill LTA:

Were the experience and skill of the supervisor and other participants adequate to accomplish the required work task safety analysis?

d11. Safety Analysis Recommended Controls LTA:

Were adequate worksite controls placed on the work process, facility, equipment, and personnel by the task safety analysis?

e7. Organization and Clarity LTA:

Were the organization and clarity of presentation of the task safety analysis recommendations adequate to permit their easy use and understanding?

e8. Programmatic Conflict:

Were the recommended controls free of conflict with the overall project goals and requirements?

e9. Control Testing LTA:

Were recommended controls tested at the worksite for feasibility before being directed for use?

e10. Directive For Use LTA:

Was the management directive for use of the task safety analysis recommended controls adequate? Was it explicit and not subject to possible misunderstanding?

e11. Availability LTA:

Did the management information system make knowledge of the recommended controls available to the worksite personnel?

e12. Adaptability LTA:

Were the recommended safety controls made in a form which allowed them to be adequately adapted to the varying situations?

c12. D/N Use Safety Analysis Recommended Controls:

Were the safety controls recommended by the task safety analysis used?

d12. Use Not Mandatory:

Was use of the recommended safety controls mandatory?

[If use of the recommended safety controls was not mandatory, failure to use them is either an Assumed Risk or a management system failure.]

d13. Deviant Performance:

If use of the recommended safety controls was mandatory, were they actually used?

[If use was mandatory, failure to use them is a deviant performance on the part of the line supervisor.]

c13. Task Procedure D/N Agree With Functional Situation:

Did the work task completion procedure, as directed by oral or written instruction, agree with the actual requirements of the work task?

[Direction or requirements, as defined by specifications, operating procedures, equipment manuals, etc., may conflict with actual work task requirements.]

c14. Personnel Performance Discrepancy:

Did the individuals assigned to the work task perform their individual task assignments properly?

[Possible causes of performance discrepancy should be considered for each individual whose performance was judged to be discrepant.]

d14. Personnel Selection LTA:

Were the methods of personnel selection adequate? (325)

e13. Criteria LTA:

Were the safety-related job requirements adequately defined so as to select an individual with desired characteristics?

e14. Testing LTA:

Did the individual meet the standards established for the task? Had the assigned individual been recently re-examined to the standards established for the task?

d15. Training LTA:

Was the training of personnel adequate? (327)

e15. None:

Was the individual trained for the task he or she performed?

e16. Criteria LTA:

Were the criteria used to establish the training program adequate in scope, depth, and detail?

e17. Methods LTA:

Were the methods used in training adequate to the training requirements?

[Consider methods such as realistic simulation, programmed self-instruction, and other special training in addition to basic indoctrination, plant familiarization, etc.]

e18. Professional Skills LTA:

Was the basic professional skill of the trainers adequate to implement the prescribed training program?

e19. Verification LTA:

Was the verification of the person's current trained status adequate? Were retraining and requalification requirements of the task defined and enforced?

d16. Consideration of Deviations LTA:

Was adequate consideration shown by the supervisor for the need to observe deviant personnel performance? (334)

[The analysis shows contributions to Deviations from both Normal Variability and Changes. Normal personnel performance variability is viewed as manageable through appropriate equipment design, good planning, training, and application of human factors. Change is more characteristic of illness, fatigue, personal problems, etc., which result in individual performance outside the normal range of variability.]

e20. Normal Variability:

Was the deviation in personnel performance within the range of normal variability?

[The Scroll event symbol is used to show that some degree of variability is normal and expected.]

e21. Changes:

Was the deviation in personnel performance significantly different than the performance standard needed for the task?

[The Scroll event symbol is used to show that some degree of change is normally expected to occur.]

e22. D/N Observe:

Was the deviation (i.e., extreme variability or significant change) observed by the line supervisor?

f19. Deviant (Cont.)

[Note that if the organization has maximized its contribution in the areas of management concern, safeguarded environment, good job safety procedures, good job training, sound human relations, etc., the use of an individual with known deviant performance characteristics in a high potential energy task becomes an assumed risk.]

e32. General Motivation Program LTA:

Was there a general motivation program on safety, employed by management, to adequately motivate employees to perform correctly and safely?

[Slogans, posters, leaflets, and contests are a highly visible part of many safety programs. Their true value is difficult to ascertain. These programs do play a supporting role, however, and the adequacy of the safety program in these regards should be evaluated.]

b4. Non-Task Performance Errors:

Was the performance of non-task work free of performance errors?

[A "non-task" is one not assigned by a supervisor.]

c15. Peripheral:

Was the work peripheral to the principal task performed error-free?

[Examples are going to or from work on the premises, authorized work break, etc. The activity was not in conflict with the rules.]

c16. Unrelated:

Were all activities unrelated to the authorized work activity performed error-free?

[Examples are going to lunch, recreational programs.]

c17. Prohibited:

Were all performed activities permitted? If not, were the prohibited activities performed error-free?

[Activity in violation of rules, horseplay, etc., is defined as prohibited activity.]

b5. Emergency Shutoff Errors:

If there was an emergency shutdown of some activity from its normal operating mode, was it done error-free?

[Emergency situations usually are a time of rapid change and high stress. The emergency may evolve from a planned task (an in-process work activity) or from a non-task activity. Note the use of the Constraint event symbol requires an off-normal initiating anomaly to have occurred.]

c18. Task Performance Errors:

Was there an emergency shutoff? Was the execution of a planned shutdown sequence accomplished error-free?

[The entire MORT analysis accomplished under SD5-b3 transfers into this event.]

c19. Non-Task Performance Errors:

If there was an emergency situation arising with a non-task activity (i.e., one not assigned by a supervisor), was it free of performance errors?

[See the classification and explanation of non-task performance errors provided under SD5-b4.]

SD6. Higher Supervision Services LTA:

Did upper level management provide the type of supportive services and guidance needed at lower organization levels for adequate control of unwanted work process energy flow?

a1. Research and Fact Finding LTA:

Was necessary information, which was not otherwise readily available, sought out through established research and fact finding techniques?

a2. Information Exchange LTA:

Was there an accessible, open line of communications which permitted transmittal of needed information in both directions between upper and lower levels? Was study of a problem a shared responsibility? Were results provided to users?

a3. Standards and Directives LTA:

In cases where the organization and external sources of codes, standards, and regulations did not cover a particular situation, did management develop (or have developed) adequate standards and issue appropriate directives?

a4. Resources LTA:

Did management have the resources derived from standards and directives it needed to perform the supportive services?

b1. Training LTA:

Was there sufficient training to update and improve needed supervisory skills?

b2. Technical Assistance LTA:

Did supervisors have their own technical staff or access to such individuals? Was technical support of the right discipline(s) sufficient for the needs of supervisory programs and review functions?

b3. Program Aids LTA:

Did management have available, for support of its programs, such aids as: useful analytic forms, training materials, reproduction services, audio-visuals, capable speakers, meeting time and rooms, technical information, monographs, etc.?

SD6-a4-b4 MA1 MA2

b4. Measure of Performance LTA:

Were there established methods for measuring performance which permitted the effectiveness of supervisory programs to be evaluated?

b5. Coordination LTA:

Were other management programs and activities coordinated with the groups and individuals who interfaced with the program participants? Did this coordination eliminate conflicts which could have reduced program effectiveness?

a5. Deployment of Resources LTA:

Were the available resources used effectively and to the greatest advantage of supervisory efforts?

a6. Referred Risk Response LTA:

Was management responsive to risks referred from lower levels? Was there an established system for analyzing and acting upon such risks in a timely manner? Was there a fast action cycle to process imminent hazard/high risks?

M. Management System Factors LTA:

Are all the factors of the management system necessary, sufficient, and organized in such a manner as to assure that the overall program will be "as advertised" to the customer, to the public, to the organization itself, and to other groups as appropriate?

[In the event-by-event review which follows, the questions are phrased in the present tense. Assume the diagram is being used for evaluation of an existing safety system. For accident investigation, rephrase questions to past tense.]

MA1. Policy LTA:

Is there a written, up-to-date policy with a broad enough scope to address major problems likely to be encountered? Is it also sufficiently comprehensive to include the major motivations (e.g., humane, cost, efficiency, legal compliance)? Can it be implemented without conflict? (175, 183)

MA2. Implementation LTA:

Does the overall program represent the intended fulfillment of the policy statement?

If there are problems encountered in carrying out the policy, are these relayed back to the policy makers?

Is the implementation a continuous, balanced effort designed to correct systemic failures, and generally pre-active rather than re-active?

(185)

MA2-a1

a1. Methods, Criteria, Analyses LTA:

Are selective methods used for management implementation and for improving human performance?

Is there a comprehensive set of criteria used for assessing the short- and long-term impact of the methods on safety for the desired results? Does management demand that adequate analyses be performed and alternative countermeasures examined, or are criteria simplistic and therefore LTA?

(185)

a2. Line Responsibility LTA:

Is there a clear, written statement of safety responsibility of the line organization, from the top individual through the first line foreman to the individual employee?

Is this statement distributed and understood throughout the organization?

Is it implemented? (190)

a3. Staff Responsibility LTA:

Are there provisions for assigning and implementing specific safety functions to staff departments (e.g., safety, personnel and training, engineering, maintenance, purchasing, transportation, etc.)?

a4. Information Flow LTA:

Has management specified the types of information it needs and established efficient methods by which such information is to be transmitted up through the organization? Has management, in turn, supported this process by providing the information needed in lower organization levels?

(198)

a5. Directives LTA:

Is safety policy implemented by directives which emphasize methods and functions of hazard review, monitoring, etc., rather than specific rules for kinds of hazards? Are directives published in a style conducive to understanding and without interface gaps? (193)

a6. Management Services LTA:

Has management provided the type of supportive services and guidance needed at the lower organization levels? Is there a formal training program for all management personnel which addresses:

(1) general aspects of management and supervision, (2) specific technologies, (3) human relations/communications, and (4) safety? (195)

[Note the transfer in of all the lower tier event analysis from SD6.]

a7. Budgets LTA:

Is the budget adequate not only for the safety group but also for related safety program aspects for which other groups in the organization have responsibility?

(189)

a8. Delays:

Are safety program elements implemented in a timely manner? Are solutions to safety problems introduced early in the life cycle phases of projects?

(189)

[Delays can and should be made known to management. If this is done and delay is a practical need, the delay becomes an assumed risk.]

MA2-a9 MB2 MA3 MB3-a1-b1-c1 MB1

a9. Accountability LTA:

Is line management held accountable for safety functions under their jurisdiction? If so, are there methods for measuring their performance?

(198)

a10. Vigor and Example LTA:

Have top management individuals demonstrated an interest in lower level program activities through personal involvement?

Is their concern known, respected, and reflected at all management and employee levels? (200)

[Do people tell stories of a manager's vigor in support of safety? If not, the manager's example may be LTA.]

MA3. Risk Assessment System LTA:

Does the risk assessment system provide management with the information it needs to assess residual risk and to take appropriate action, if the residual risk is found unacceptable? Does the system also provide:

(1) comparative evaluation of two or more systems and (2) development and evaluation of methods supporting the hazard analysis process? (205)

MB1. Goals LTA:

Are there high goals for policy and implementation criteria as well as specific goals for projects? Are the goals nonconflicting, sufficiently challenging, and consistent with policy and the customer's goals? (206)

MB2. Technical Information System LTA:

Is the technical information system adequate to support the needs of the risk assessment system?

[Note other lower tier events included by transfer from SD1. Refer to the SD1 section of this outline for write-up.]

MB3. Hazard Analysis Process LTA:

Is the hazard analysis process properly conceptualized, defined, and executed? (225, 215, 234)

a1. Concepts and Requirements LTA:

Are the concepts and requirements of the HAP adequately defined? (237)

b1. Definition of Goals and Tolerable Risks LTA:

Have goals and tolerable risks been defined for both safety and performance and any conflicts between the two resolved?

(237)

c1. Safety Goals and Risks Not Defined:

Do the goals state what degree of safety excellence should be attained and when? Are tolerable direct and indirect safety risks defined and actual risks quantified?

c2. Performance Goals and Risks Not Defined:

Have goals been set for performance efficiency and productivity? Have tolerable risks for lost efficiency and productivity been established and actual risks quantified?

[Such goals complement safety goals by requiring greater assurance of error-free performance.]

MB3-a1-b2-c3

b2. Safety Analysis Criteria LTA:

Have the necessary criteria been specified and elements defined to adequately support the safety analysis program?

c3. Plan LTA:

Has a system safety plan been developed which describes "who does what and when" in analysis, study, and development?

(238)

c4. Change Analysis LTA:

Has a specific change-based analytic method been established to review form, fit, or function of components and subsystems (including interfaces) upwards in a review process until no change is demonstrated?

(59)

c5. Other Analytical Methods LTA:

Are other appropriate analytical skills available in the organization (or from a consultant) and are they used (e.g., Hazard Identification, Failure Modes and Effects, Fault Tree, MORT, Nertney Wheel, Failure Analysis, Human Factors Review, etc.)? (223, 228, 248)

c6. Scaling Mechanism LTA:

Has some reasonably clear-cut mechanism been established for scaling the seriousness/severity of prior events? Is there a mechanism to project past events to a scaled effort to evaluate current processes?

(238)

c7. Required Alternatives LTA:

Does management require confrontation between alternative solutions in its bases for choices and decisions? (186, 208)

c8. Safety Precedence Sequence LTA:

Is the preference for safety solutions prioritized as:

(1) Design, (2) Safety Devices, (3) Warning Devices, (4) Human Factors Review, (5) Procedures, (6) Personnel, and (7) Acceptance of Residual Risks (after consideration of the preceding six items)? (98, 225)

b3. Procedures Criteria LTA:

Are engineers and designers made aware of their limitations in writing procedures for operating personnel, and of the need for selection and training criteria for operators, and of supervisory problems?

(315, Appendix F)

b4. Specification of Safety Requirements LTA:

Have all applicable and appropriate safety requirements been specified, made available, and used?

(260)

Consider whether the following documents have been adequately called out to the extent they are applicable:

MB3-a1-b4-c9

c9. ERDA (customer) requirements developed in-house.


c10. OSHA regulations which are law.

c11. Other Federal and National Codes by agencies other than the customer and OSHA.

c12. State and Local Codes applicable to the geographical area where the work is to be performed.

c13. Internal Standards developed within the organization to cover situations not addressed by outside requirements.

b5. Information Search LTA:

Is an adequate information search required?

(262)

c14. Nature of Search LTA:

Does the nature of the search include incident files; codes, standards, and regulations; change and counter-change data; related previous analyses; and other comments and suggestions?

c15. Scope of Search LTA:

Is the search scoped in a manner that would seek information on problems from conceptual design, through construction and use, to final disposal?


b6. Life Cycle Analysis LTA:

Is there an adequate safety analysis which starts with planning and continues through design, purchasing, fabrication, construction, operation, maintenance, and disposal?

(263, 225)

c16. Scope LTA:

Does the scope include not only the prime mission equipment, but also checkout and test equipment and procedures, facilities and operations, procedures for operation, selection of personnel, training equipment and procedures, maintenance facilities, equipment and procedures, and support equipment?

c17. Analysis of Environmental Impact LTA:

Is the life cycle analysis scoped to include an analysis of environmental impact which complies with all applicable requirements?

(259)

c18. Requirement for Life Cycle Analysis LTA:

Is the requirement for Life Cycle Analyses (LCA) rigid enough to assure that a thorough LCA will be initiated during the planning stage?

c19. Extended Use Factors LTA:

Has sufficient consideration been given to special requirements, new problems, and other factors to be encountered if the facility/operation is extended beyond its original intended life?

MB3-a2-b7-c20

a2. Design and Development Plan LTA:

Does the development phase provide for the use of the major safety results of the Concepts and Requirements Phase (a1 of MB3)?

Is the design a true representation of the developed criteria, definitions, specifications, and requirements? (267)

[Note that barriers and amelioration, analyzed separately in accident investigation, are part of the design process.]

b7. Energy Control Procedures LTA:

Is there an attempt, whether by design or procedure, to control energy to only that which is needed for the operation and to contain its interactions to the intended function?

c20. D/N Substitute Safer Energy:

Does the design use the safest form of energy that will perform the desired function?

c21. D/N Limit Energy:

Is the amount of available energy limited to that which will perform the operation without any unnecessary excess energy?

c22. Automatic Control LTA:

Are there devices to automatically control the flow of energy and to maintain it in its operating mode? Is use of redundant design adequately employed? (267)

c23. Warnings LTA:

Are there clear, concise warnings for all situations where persons or objects might unintentionally interface with an energy flow? (268)

c24. Manual Controls LTA:

Are there manually-operated controls to maintain the proper energy flow during the normal mode or as a manual override of automatic controls?

c25. Safe Energy Release LTA:

In the event that the energy containment fails through normal flow channels, is there a designed-in route through which the energy can be safely released?

c26. Barriers LTA:

Are there adequate barriers included as part of the design, plan, or procedure? Do they separate energies and/or protect people and objects?

(33,268)

[Note other lower tier events included by transfer from SB2.]

b8. Human Factors Review LTA:

Has consideration been given in design, plan, and procedures to human characteristics as they compete and interface with machine and environmental characteristics?

(273)

MB3-a2-b8-c30-d1

c27. Professional Skills LTA:

Is the minimum level of human factors capability, needed for an operation, available and will it be used? (275)

c28. D/N Describe Tasks:

For each step of a task, is the operator told: When to act? What to do? When the step is finished? What to do next? (276)

c29. Allocation Man-Machine Tasks LTA:

Has a determination been made (and applied) of tasks at which humans excel versus those tasks at which machines excel?

c30. D/N Establish Man-Task Requirements:

Does the review determine special characteristics or capabilities required of operators and machines?

d1. D/N Define Users:

Is available knowledge about would-be users defined and incorporated in design?

d2. Use of Stereotypes LTA:

Are checklists of stereotypes (typical, normal, expected behavior) used in design?

(e.g., Is a lV control turned right to move a device to the right?)

Are controls coded by size, color, or shape?

d3. Displays LTA:

Are displays used which can be interpreted in short time with high reliability?

d4. Mediation LTA:

Is consideration given to delays and reliability of interpretation/action cycles?

d5. Controls LTA:

Are controls used which can be operated in short times with high reliability?

c31. D/N Predict Errors:

Is there an attempt made to predict all the ways and frequencies with which human errors may occur, and thereby determine corrective action to reduce the overall error rate?

d6. Incorrect Act:

Have all the potential incorrect acts associated with a task been considered and appropriate changes made?

MB3-a2-b8-c31-d7

d7. Act Out of Sequence:

Has the consequence of performing steps of a task in the wrong order been considered, and have appropriate corrective measures been made?

d8. F/T Act:

Is there an attempt to reduce the likelihood of operators omitting steps or acts which are required by procedure?

d9. Act Not Required:

Are all the steps that are needed to accomplish a task required in the procedures? Are only those steps in the procedure?

d10. Malevolence:

Are deliberate errors and other acts of malevolence anticipated and steps taken to prevent them or reduce their effect?

b9. Maintenance Plan LTA:

Is maintenance of an operation/facility given consideration during the conceptual phase and on through the rest of the life cycle? Is there an adequate maintenance plan?

(311)

[Note other lower tier events included by transfer from SD3-a1.]

b10. Inspection Plan LTA:

Is inspection of an operation/facility given consideration during the conceptual phase and on through the rest of the life cycle? Is there an adequate inspection plan?

(312)

[Note other lower tier events included by transfer from SD4-a1.]

b11. Arrangement LTA:

Does the design consider problems associated with space, proximity, crowding, convenience, order, freedom from interruption, enclosures, work flow, storage, etc.?

b12. Environment LTA:

Are people and objects free from physical stresses caused by:

(1) facility physical conditions, (2) conditions generated by the operation, or (3) interactions of one operation with another?

b13. Operational Specifications LTA:

Are there adequate operational specifications for all phases of the system operation? (269)

c32. Test and Qualification LTA:

Is there a "dry run" or demonstration to prove out all associated hardware and procedures and to check for oversights, adjust for the final arrangement, and provide for some first "hands-on" participation?

MB3-a2-b13-c34-d11

c33. Supervision LTA:

Are there guidelines for: the amount of supervision required, minimum supervisory capabilities needed, and responsibilities of operating supervisors?

c34. Task Procedures D/N Meet Criteria:

Do the procedures for each task meet selection and training criteria and applicable operating criteria? Are the procedures responsive to supervisory problems that can be addressed in written procedures?

(315, 269, Appendix F)

d11. D/N Fit With Hardware Change:

Are procedures revised, if necessary, to agree with changes in plant or equipment?

d12. Clarity and Adequacy LTA:

Does the writing style of the procedures give consideration to variations in reading skills and intelligence of intended users? Are procedures sufficiently scoped to cover all steps of a task, and is enough information given about each step?

d13. D/N Verify Accuracy:

Are procedures rechecked with applicable criteria and tested for correctness under "dry run" operating conditions?

d14. Emergency Provisions LTA:

Do procedures give users clear instructions for all anticipated emergency conditions? Are instructions easy to perform under the stress of an emergency?

d15. Cautions and Warnings LTA:

Are dynamic and static warnings used when appropriate?

Are they located at point-of-operation as well as in procedures? Is their meaning unambiguous?

d16. Event Sequence LTA:

Do procedures have steps performed in a sequence:

(1) according to criteria, (2) which is safe, and (3) which is sufficient?

d17. Lockouts LTA:

Are lockouts called for where hazardous situations are encountered or created through use of procedures?

d18. Communication Interfaces LTA:

Do the procedures adequately convey their intended message? If procedures call for contact between users and other individuals, are these interfaces clear?

MB3-a2-b13-c34-d19

d19. D/N Specify Personnel Environment:

Do procedures specify maximum permissible levels of physical stresses imposed on the users?

c35. Personnel Selection LTA:

Are personnel selected on the basis of the capability (both physical and mental) which is necessary and sufficient to perform the operation?

(327)

c36. Personnel Training and Qualification LTA:

Are personnel given all the training they need for the equipment and procedures they will be using? Do they demonstrate through "hands-on" use that they know how to apply the training properly? (327)

[Personnel training and qualification factors are considered in detail under SD5-d15.]

c37. Personnel Motivation LTA:

Do personnel want to perform their assigned work task operations correctly?

(337)

[Personnel motivation factors are considered in detail under SD5-d17.]

c38. Monitor Points LTA:

Are there sufficient checkpoints in written procedures during an operation to assure that steps are being done correctly?

(351)

b14. Emergency Provisions LTA:

Does the design of plant and equipment provide for safe shutdown and safety of persons and objects during all anticipated emergencies?

(306)

b15. Disposal Plan LTA:

Is the design such that disposal problems and hazards are minimized when the facility or operation has served its useful life?

(270)

b16. Independent Review Method and Content LTA:

Is provision made for thorough and independent safety review at preestablished points (e.g., milestones) in the life cycle process? Are the risk-reduction trade-offs documented?

Is the technical competence of Review Board members properly scaled to the level of technology involved? (283, Tree of Exhibit 8)

b17. Configuration Control LTA:

Is there a formal program to assure adequate configuration control throughout the entire life cycle of the facility?

Does the program allow for easy access for review of modified procedures, drawings, and other documentation?

(270, Tree of Exhibit 3)

b18. Documentation LTA:

Are all types of documentation complete, up-to-date, and accessible to users?

(271)

MB4-a5-b6 R

a5. Block Function and Work Schematics LTA:

Are charts and drawings of the full array of safety-related processes and functions adequate and reviewable?

[This may include provision of safety equipment, delivery of other safety reviews to point of need, and other safety-related functions, plus the schematics of various "upstream processes" that are to be audited or monitored.]

b6. Not Up-To-Date:

Are charts and drawings kept up-to-date?

b7. Incomplete:

Are all items that are needed for review included in the charts and drawings?

b8. Completion Criteria LTA:

Are criteria clear and specific as to what should be included in drawings and when they should be finished and revised?

a6. Safety Program Services LTA:

Does management provide the supportive services and guidance needed at the lower organizational levels for an adequate safety program review?

[Note the transfer in of all lower tier event analysis from SD6.]

R. Assumed Risk:

What are the assumed risks? Are they specific, named events? Are they analyzed and, where possible, calculated (quantified)? Was there a specific decision to assume each risk? Was it made by a person who had management delegated authority to assume the risk?

[The specific risk may be:

(1) tolerably low (minor) in frequency or consequence, (2) high in consequence but impossible to eliminate, (i.e., hurricane), or (3) simply too expensive to correct when weighed against the risk consequences.

The assumed risk events are shown elsewhere on the MORT diagram and flagged with a numbered "R" symbol.]

APPENDIX

MORT DIAGRAM CONSTRUCTION RULES

System failure or accident (the top event). The fault tree consists of sequences of events that lead to the system failure or accident. The sequences of events are built by AND gates and OR gates.

OR gate: The event above the gate occurs if one or more of the inputs occur.

AND gate: The event above the gate occurs if all the input events occur.

The events above the gates and all events that have a more basic cause are denoted by rectangles with the event described in the rectangle.

The sequences finally lead to the primary causes for which there is failure rate data available. The primary causes are denoted by circles and represent the limit of resolution of the fault tree.

Figure A-1 Schematic of a Fault Tree

The following are examples of good and poor logic relating to the level of detail on one tier.

Human Senses: Sight, Touch, Smell, Hearing, Taste

The above example represents good logic because all of the recognized senses are listed, but no extraneous detail is included on the same tier.

Human Senses: Sight, Smell, Sweet, Salt, Touch, Hearing, Sour, Bitter

In this second example, poor logic has been used by listing the detail constituents of taste on the same tier as the other four senses. If this level of detail is desired, the constituents would be better listed on a third tier under the appropriate sense.

Figure A-2 Examples of Good and Poor Logic

AND-Gate Symbol: Coexistence of all inputs required to produce output.

OR-Gate Symbol (Non-exclusive): Output will exist if at least one input is present.

CONDITIONAL AND-Gate Symbol (can also be OR): Input (causes) produces output event (effect) provided conditional input is satisfied. Description of the condition is written in the oval. (Sometimes called a CONSTRAINED-Gate or an INHIBIT-Gate.)

CONSTRAINT Symbol: Applies conditions or constraints to basic logic gate or output event. When applied to basic AND-gate or OR-gate, creates special conditional gate such as Inhibit, Priority And, Exclusive Or, etc.

RISK Symbol: Indicates transfer to "Assumed Risk" branch of tree. Used for problems with no known or practical countermeasure.

Figure A-3 MORT Logic Symbols

RECTANGLE: An event resulting from the combination of more basic events acting through logic gates.

CIRCLE: An event described by a basic component or part failure. The event is independent of other events.

DIAMOND: An event not developed to its cause. Sequence is terminated for lack of information or lack of consequences.

TRIANGLE (Transfer, In/Out): A connecting or transfer symbol. All tree construction below the "out" triangle is transferred in at "in" triangle location(s).

SCROLL: An event that is normally expected to occur.

STRETCHED CIRCLE: An event that is satisfactory. Used to show completion of logical analysis.

Figure A-4 MORT Event Symbols

The TRIANGLE shown in Figure A-4 is not a true event symbol, strictly speaking.

Two triangles are used to accomplish a transfer of one part of the fault tree construction to another location. A line to the side of the triangle denotes all the tree construction below and including the event transfers out (in addition to its progression up the tree). A line from the triangle apex denotes an event is transferred into the section of the tree as input to the associated logic gate. The transfer-in and transfer-out triangles are uniquely identified to prevent possible confusion between transferred segments.

The technique is used to reduce tree construction time and space.

Construction Rules

The methodology of fault tree construction can be succinctly stated in nine specific rules of construction. Their careful application by a fault tree analyst to a specific hardware-oriented system insures the resulting tree (logic diagram) will be orderly, properly time sequenced, logically correct, and suitable for evaluation, using quantitative, probabilistic analytical techniques. While not precisely applicable to the MORT diagram, they should be generally followed if an expanded depth of MORT analysis is needed.

Rule 1: State the fault event as a fault, including the description and timing of a fault condition at some particular time.

Include:

a. What the fault state of that system or component is.

b. When that system or component is in the fault state.

Test the fault event by asking:

c. Is it a fault?

d. Is the what-and-when portion included in the fault statement?

Rule 2: There are two basic types of fault statements, state-of-system and state-of-component.

To continue the tree:

a. If the fault statement is a state-of-system statement, use Rule 3.

b. If the fault statement is a state-of-component statement, use Rule 4.

Rule 3: A state-of-system fault may use an AND, OR, CONDITIONAL-gate, or no gate at all. To determine which gate to use, the input faults must be the:

a. Minimum necessary and sufficient fault events,

b. Immediate fault events.

To continue, state the fault events input into the appropriate gate.

Rule 4: A state-of-component fault always uses an OR-gate.

To continue, look for the primary, secondary, and command failure fault events.

Then state those fault events:

a. Primary failure is failure of that component within the design envelope or environment.

b. Secondary failures are failures of that component due to excessive environments exceeding the design environment.

c. Command faults are inadvertent operation of the component because of a failure of a control element.

(Note the distinction between fault and failure. An inadvertent command fault is correct system response to the gate input and is not a failure.)

Rule 5: No gate-to-gate relationships.

Rule 6: Expect no miracles; those things that would normally occur as a result of a fault will occur, and only those things. Also, normal system operation may be expected to occur when faults occur.

Rule 7: In an OR-gate, the input does not cause output. If any input exists, the output exists. Fault events under the gate may be restatements of the output events.

Rule 8: An AND-gate defines a causal relationship.

If the input events coexist, the output is produced.

Rule 9: A CONDITIONAL-gate describes a causal relationship between one fault and another, but the indicated condition must be present. The fault is the direct and sole cause of the output when that specified condition is present. Inhibit conditions may be faults or situations (which is why AND- and CONDITIONAL-gates differ).

The Mortician expanding upon the MORT diagram does not have the same degree of concern with precise time sequencing as does the fault tree analyst.

Lower tier expansion of the "universal" generalized MORT logic diagram is directed to obtaining a qualitative (not quantitative) evaluation of the MORT elements as "adequate" or "less than adequate" (LTA). Nonetheless, the Mortician who follows these nine rules can be sure his MORT event tree expansion is correct.
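The gate semantics of Figures A-3 and A-4 and construction Rules 4, 7, 8 and 9 above, carried into working code as an added example that is not part of the manual: a small evaluator that resolves transfer-in triangles, applies AND/OR/INHIBIT logic, and gives both the qualitative LTA verdict the Mortician wants and the probabilistic result a hardware fault tree analyst would compute. The event names, probabilities and the SD5-b5-shaped sample tree (emergency shutoff errors constrained by an off-normal initiating anomaly, with c18 transferring in SD5-b3) are constructed assumptions.

```python
"""Evaluator for a small MORT-style fault tree; added illustration, not code from the manual.
OR fires on any input (Rule 7), AND only when all inputs coexist (Rule 8), and a CONDITIONAL
(INHIBIT) gate passes its one fault input only while the oval's condition holds (Rule 9).
Transfers are named branch references (Figure A-4). Names and numbers are constructed."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class Basic:          # CIRCLE: basic event; lta = qualitative state, p = probability
    name: str
    lta: bool
    p: float = 0.0


@dataclass
class Gate:           # RECTANGLE fed by an AND, OR or INHIBIT gate
    kind: str
    name: str
    inputs: List["Node"]
    condition: Optional["Node"] = None   # the oval of an INHIBIT gate


@dataclass
class Transfer:       # TRIANGLE (transfer-in): branch developed elsewhere under `ref`
    ref: str


Node = Union[Basic, Gate, Transfer]


def component_fault(name: str, primary: Basic, secondary: Basic, command: Basic) -> Gate:
    """Rule 4: a state-of-component fault is always an OR of its three failure modes."""
    return Gate("OR", name, [primary, secondary, command])


class FaultTree:
    def __init__(self) -> None:
        self.branches: Dict[str, Node] = {}  # transfer-out triangles, by name

    def define(self, name: str, branch: Node) -> Node:
        """Register a branch so Transfer(name) can bring it in at another location."""
        self.branches[name] = branch
        return branch

    def _resolve(self, node: Node) -> Node:
        while isinstance(node, Transfer):
            node = self.branches[node.ref]  # KeyError here means a dangling transfer-in
        return node

    def _check(self, gate: Gate) -> None:
        if gate.kind not in ("AND", "OR", "INHIBIT") or not gate.inputs:
            raise ValueError(f"bad gate {gate.name!r}: kind {gate.kind!r}, {len(gate.inputs)} inputs")
        if gate.kind == "INHIBIT" and (len(gate.inputs) != 1 or gate.condition is None):
            raise ValueError(f"INHIBIT gate {gate.name!r} needs exactly one input and a condition")

    def lta(self, node: Node) -> bool:
        """Qualitative evaluation: is the event present, i.e. less than adequate?"""
        node = self._resolve(node)
        if isinstance(node, Basic):
            return node.lta
        self._check(node)
        vals = [self.lta(i) for i in node.inputs]
        if node.kind == "AND":
            return all(vals)
        if node.kind == "OR":
            return any(vals)
        return vals[0] and self.lta(node.condition)          # INHIBIT

    def prob(self, node: Node) -> float:
        """Quantitative evaluation assuming statistically independent inputs."""
        node = self._resolve(node)
        if isinstance(node, Basic):
            return node.p
        self._check(node)
        ps = [self.prob(i) for i in node.inputs]
        if node.kind == "AND":
            return math.prod(ps)
        if node.kind == "OR":
            return 1.0 - math.prod(1.0 - p for p in ps)
        return ps[0] * self.prob(node.condition)             # INHIBIT


def build_example() -> Tuple[FaultTree, Gate, Basic]:
    """Constructed sample shaped like SD5-b5: shutoff errors gated by an off-normal anomaly."""
    tree = FaultTree()
    valve = component_fault(
        "shutoff valve fails to close",
        Basic("primary: valve seat failure", lta=True, p=0.02),
        Basic("secondary: over-pressure beyond design envelope", lta=False, p=0.005),
        Basic("command: controller sends no close signal", lta=False, p=0.01),
    )
    tree.define("SD5-b3", Gate("OR", "SD5-b3 Task Performance Errors", [valve]))
    shutdown = Gate("OR", "emergency shutdown errors", [
        Transfer("SD5-b3"),                                          # c18: transfer-in
        Basic("c19 non-task performance errors", lta=False, p=0.005),
    ])
    anomaly = Basic("off-normal initiating anomaly occurred", lta=True, p=0.1)
    b5 = Gate("INHIBIT", "SD5-b5 Emergency Shutoff Errors", [shutdown], condition=anomaly)
    return tree, b5, anomaly
```

With the anomaly present the sample evaluates SD5-b5 as LTA; clearing the condition (the off-normal anomaly not having occurred) makes the same branch evaluate as adequate even though the transferred-in SD5-b3 fault is still present, which is exactly the Constraint-symbol behaviour noted under SD5-b5.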

U.S. GOVERNMENT PRINTING OFFICE: 1977 - 720 130/51


Introduction

In the MORT seminars, due note has been taken of the tendency of the person not previously familiar with analytical logic diagrams (trees) to be overwhelmed by the apparent complexity of the MORT diagram.

Actually, each element in a MORT diagram is largely self-explanatory and need not be any more complex than the subject being analyzed.

The complete diagram should be recognized as a tool to assist the investigator in performing a task rather than a burden or additional work load.

MORT is a " universal tree" developed for an entire safety system discipline.

When used as a kind of a " master checklist" to analyze a specific accident or evaluate an existing system, the user will usually see immediately that certain sections are or are not applicable to the particular situation being analyzed.

Even in the branches that are used, there will usually be details at the lower levels that will not apply.

On the other hand, the user may find it helpful to further develop some branches of the more complex concepts of the diagram, so as to better isolate and evaluate an important aspect of the situation being analyzed.

The MORT diagram helps, in this case, by visually showing the elements present and serving to call the analyst's attention to any missing elements.

Consideration of all significant elements required to evaluate the aspect is thus assured. The principal objective of this Appendix is to list the basic fault tree construction methods and rules used in construction of the MORT diagram, so the novice Mortician can continue the MORT tree branch to a greater level of detail, if needed, by adding on another "lower tier" in an orderly and logically correct manner.

General

The concept of fault tree analysis (FTA) was originated by Bell Telephone Laboratories in 1962 as a technique with which to perform a safety evaluation of the Minuteman Intercontinental Ballistic Missile Launch Control System. At the 1965 Safety Symposium, sponsored by the Boeing Company and the University of Washington, several papers were presented that expounded upon the techniques of FTA and its virtues as a method of system safety analysis.

Presentation of these papers marked the first recognition that FTA could be successfully extended from the aerospace safety technology to nuclear reactor reliability, availability, and safety technology and to various other commercial operations.

As previously noted, fault tree construction is the logical development of the TOP event, using the technique of deductive reasoning (e.g., reasoning from the general to the specific) to progressively isolate the contributing factors to the fault event being considered.

As the construction proceeds, each fault event is developed until a system component is identified for which a failure is considered primary or basic (i.e., no further breakdown of contributing factors to the failure is necessary for the fault tree construction).

O A " fault event" then is the result of the logical interaction of other contri-butory factors or events.

The graphical construction, which shows that fault event and its more basic factors, is termed a "branch" of the fault tree. A schematic representation of a typical fault tree is shown as Figure A-1.

Going from top to bottom on the diagram, events proceed from general to specific. Related events and constituents on one tier are joined by a line before being processed through one of the gates.

A vertical line joins a general event at one level or tier, with its more detailed elements at the adjacent tier below.

In its strictest form, all events on the same tier (even those not connected by a common line) should all be at the same level of logic or detail.

Occasionally, elements on one tier will be listed ladder-style one under the other, due to space limitations. This arrangement should be considered at the same level of logic as if the elements were listed on a single horizontal tier. Examples of good and poor logic are shown in Figure A-2.

Use of Graphic Symbols

Graphic symbols used in fault tree construction are of two general categories: logic symbols and event symbols. For the most part, MORT uses the logic symbols, event symbols, and tree construction techniques that have been developed by the Fault Tree Analysis technology.

Two basic logic symbols (logic gates) are used to interconnect the events that contribute to the specified main event (the TOP event).

They are adequate for diagramming any fault tree, although several additional specialized logic symbols have been developed to reduce the time and effort required for analysis. The AND-gate provides an output event only if all input events occur simultaneously.

The OR-gate provides an output event if one or more of the input events are present.

(The OR-gate used is more precisely termed a nonexclusive OR-gate, distinct from an exclusive OR-gate which provides an output if one, and only one, input event is present.) MORT uses only one specialized gate, the CONDITIONAL-gate, shown in Figure A-3.

The three event symbols most frequently used are the RECTANGLE, CIRCLE, and DIAMOND. Additional specialized event symbols have been developed.

MORT has developed several that are unique to MORT, such as the RISK symbol and the SCROLL symbol. They are shown in Figures A-3 and A-4.

The RECTANGLE represents a fault event resulting from the combination of contributory fault events acting through a logic gate.

The CIRCLE designates a basic system component failure or input fault event independent of all other events.

The DIAMOND symbol is used to depict an input fault event that is considered basic to the specific fault tree being constructed; however, the event described is not basic in the sense that laboratory or field failure rate data are available.

Rather, the fault tree is simply not developed further either because:

(1) the event is of insufficient consequence or (2) the necessary information to extend the development is not available to the analyst.

Events that appear on the tree as circles or diamonds are treated as primary events.
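The gate semantics described in this section (AND, nonexclusive OR, exclusive OR, and the CONDITIONAL gate covered by the rules at the head of this appendix), applied to the qualitative adequate/LTA rating MORT uses, as an added example in Python that is not part of the manual or of the SSDC's own material. The event names inside build_example_tree are constructed for illustration and are not taken from the MORT diagram.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

LTA = "LTA"            # less than adequate: the fault event is present
ADEQUATE = "adequate"  # the fault event is absent


@dataclass
class Primary:
    """CIRCLE (basic failure) or DIAMOND (undeveloped) primary event."""
    name: str
    status: str              # LTA or ADEQUATE
    symbol: str = "circle"   # "circle" or "diamond"


@dataclass
class Gate:
    """RECTANGLE fault event produced by a logic gate acting on its inputs."""
    name: str
    kind: str                # "AND", "OR", "XOR" or "CONDITIONAL"
    inputs: List["Node"]
    condition: Optional["Node"] = None   # CONDITIONAL (inhibit) gates only


Node = Union[Primary, Gate]


def is_fault(node: Node) -> bool:
    """True when the event is present (LTA), applying the gate semantics."""
    if isinstance(node, Primary):
        return node.status == LTA
    fired = [is_fault(child) for child in node.inputs]
    if node.kind == "AND":           # output only if all inputs are present
        return all(fired)
    if node.kind == "OR":            # nonexclusive OR: one or more present
        return any(fired)
    if node.kind == "XOR":           # exclusive OR: exactly one present
        return fired.count(True) == 1
    if node.kind == "CONDITIONAL":   # the sole input is the direct cause,
        if len(node.inputs) != 1 or node.condition is None:
            raise ValueError(f"{node.name}: needs one input and a condition")
        return fired[0] and is_fault(node.condition)   # only if the condition holds
    raise ValueError(f"{node.name}: unknown gate kind {node.kind!r}")


def evaluate(node: Node, out: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Rate every event in the tree as LTA or adequate, working top to bottom."""
    if out is None:
        out = {}
    out[node.name] = LTA if is_fault(node) else ADEQUATE
    if isinstance(node, Gate):
        for child in node.inputs:
            evaluate(child, out)
        if node.condition is not None:
            evaluate(node.condition, out)
    return out


def contributing_primaries(node: Node) -> List[Primary]:
    """Primary events whose fault actually propagated up to this event.

    Only gates that fired are descended, so an LTA leaf under an AND-gate
    whose other inputs were adequate is (correctly) not reported as a cause.
    """
    if isinstance(node, Primary):
        return [node] if node.status == LTA else []
    if not is_fault(node):
        return []
    causes: List[Primary] = []
    for child in node.inputs:
        causes.extend(contributing_primaries(child))
    if node.kind == "CONDITIONAL":   # the inhibit condition is part of the cause
        causes.extend(contributing_primaries(node.condition))
    return causes


def undeveloped_events(node: Node) -> List[str]:
    """DIAMOND events on the fired path: where another lower tier may be needed."""
    return [p.name for p in contributing_primaries(node) if p.symbol == "diamond"]


def build_example_tree() -> Gate:
    """Constructed tree with hypothetical event names (not the MORT diagram)."""
    obstacle = Gate(
        "Obstacle prevents performance", "CONDITIONAL",
        inputs=[Primary("Obstacle present at worksite", LTA)],
        condition=Primary("Obstacle not removed before task", LTA, "diamond"))
    motivation = Gate(
        "Employee motivation LTA", "AND",
        inputs=[Primary("Performance is punishing", ADEQUATE),
                Primary("Non-performance is rewarding", LTA)])
    return Gate("Task performance error", "OR", inputs=[obstacle, motivation])


if __name__ == "__main__":
    top = build_example_tree()
    for name, rating in evaluate(top).items():
        print(f"{rating:>8}  {name}")
    print("causes:", [p.name for p in contributing_primaries(top)])
    print("undeveloped:", undeveloped_events(top))
```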

SD5-a5-b3-c14-d16-e23-f13

e23. D/N Correct:

Did the supervisor act to correct the observed personnel performance deviations?

f13. D/N Reinstruct:

Did the supervisor reinstruct the person observed as to the correct performance?

f14. D/N Enforce:

Did the supervisor enforce established correct rules and procedures? Were disciplinary measures taken against personnel who willfully and habitually disregarded rules and procedures?

d17. Employee Motivation LTA:

Were the employee motivation, participation, and acceptance adequate?

(337)

[Employee motivation plays a significant role in personnel performance in accomplishment of the work task. Various aspects of employee motivation are analyzed by lower tier events.]

e24. Management Concern, Vigor, and Example LTA:

Was management concern for safety displayed by direct vigorous personal action on the part of top executives? (200)

e25. Schedule Pressure:

Were task schedule pressures (as experienced by the individual) held to an acceptable level?

e26. Performance Is Punishing:

Was the employee fairly treated for performing as supervision desired?

[From the viewpoint of the employee, sometimes there is an undesirable consequence to him for doing a good job.]

e27. Non-Performance Is Rewarding:

Did the employee find the consequence of doing the job incorrectly more favorable than doing the job as directed?

[Obstructive behavior may be more rewarding to the individual than facilitating behavior.]

e28. Job Interest Building LTA:

Does performing the task well really matter to the individual performing it?

[Perhaps the performing individual believes the consequence is the same to him whether he does the task right or some other way. Good performance should be followed at least periodically by an event considered favorable by the individual.]

SD5-a5-b3-c14-d17-e29-f15

e29. Group Norms Conflict:

Are the actions and attitudes of the individual's peer groups in harmony with the task requirements and the goals of the larger organization?

f15. Worker Participation LTA:

Was there adequate opportunity for the worker to participate in analysis, training, or monitoring systems (e.g., JSA and RSO studies)?

f16. Innovation Diffusion LTA:

Was there adequate use of management motivational programs to develop desired behavioral change in individuals (i.e., application of innovation diffusion techniques)?

[Appendix H of the MORT text.]

e30. Obstacles Prevent Performance:

Were obstacles which might prevent task performance reduced to an acceptable level?

[Often a task would get done more efficiently if conditions were changed. If performance discrepancies appear not to be due to lack of skill or motivation, one thing to look for is an obstacle.]

e31. Personal Conflict:

Are individual personal conflicts, which may have a negative relationship to task safety, adequately resolved in the individual? Does the individual have good standards of judgment?

f17. W/ Supervisor:

Were employee and supervisor personalities compatible in the work environment?

f18. With Others:

Was the employee's personality compatible with other workers in the work environment?

f19. Deviant:

Were the psychological traits exhibited by the individual judged acceptable when rated against the task safety requirements?

[Individuals exhibiting abnormally high levels of social maladjustment, emotional instability, and conflict with authority produce more than their share of accidents. The decision to employ an individual in a given task ultimately rests with the line supervisor.]

MB3-a2-b20-c39

b19. Fast Action Expedient Cycle LTA:

Is there an existing method to bypass the usual delays in order to get an immediate correction for an imminent hazard or problem of significant consequences?

b20. General Design Process LTA:

Are commonly recognized good engineering practices, including safety, reliability, and quality engineering practices, adequately incorporated into the general design process? (281)

c39. Code Compliance Procedures LTA:

Are there written procedures to assure compliance with applicable engineering and design codes?

c40. Engineering Studies LTA:

Where codes, standards, regulations, and state-of-the-art knowledge cannot furnish required design data, are engineering studies conducted to obtain the needed information?

c41. Standardization of Parts LTA:

Is there an attempt to use proven existing standardized parts where possible, or to design so as to encourage their use?

c42. Design Description LTA:

Does the design description provide all the information needed by its users in a clear and concise manner?

c43. Acceptance Criteria LTA:

Are acceptance criteria stringent enough to assure operability/maintainability and compliance with original design?

c44. Development and Qualification Testing LTA:

Is there adequate testing during development of a new design to demonstrate that it will serve its intended function? Does qualification testing assure that nonstandard components satisfy the acceptance criteria?

c45. Change Review Procedure LTA:

Does change review cover form, fit, and function on up the part-component-subsystem chain to a point where no change is demonstrated? Are there change dockets on drawings and at points-of-operation?

c46. Reliability and Quality Assurance (R&QA) LTA:

Is there an adequate reliability and quality assurance program integrated into the general design process?

(282)

[In some organizations, the reliability and quality assurance functions are very specifically separated; other organizations combine them. Whether combined or separated, R&QA is a strong complement to safety. Close mutual support between safety and R&QA should be evident throughout the general design process.]

MB4-a4-b1

MB4. Safety Program Review LTA:

Does the safety program review assure a planned and measured program, with low cost/high volume services, professional growth, and use of modern methods?

(445)

a1. Definition of Ideals and Policy LTA:

Is there an adequate safety policy statement and are the ideals of the safety program articulated? Do these summarize what management should know (and require) of a safety process? Do the ideals provide a base from which to measure the program and to project improvements?

a2. Description and Schematics LTA:

Are program ideals documented in operating manuals and schematics?

Are program operating data available and evaluated? Are there outlines, steps, and criteria which substantially describe the safety program?

a3. Monitoring, Audit, and Comparison LTA:

Is there a formal measurement system which compares actual performance with safety program ideals and objectives?

(446)

a4. Safety Program Organization LTA:

Is the program organized with the necessary and adequate elements?

(449)

b1. Professional Staff LTA:

Do safety personnel rate well by both safety and management criteria? Are they effective in both technical and behavioral aspects? Do they have good organizational status and are they educated, experienced, and promotable?

(454)

b2. Management Peer Committees LTA:

Are special-purpose and ongoing committees and boards used to improve safety understanding and attitudes within scientific and engineering groups? Do these ongoing groups have a positive, action orientation toward real-life problems?

b3. Scope LTA:

Does the safety program scope address all forms of hazards, including anticipated hazards associated with advanced technological development and research?

b4. Integration LTA:

Is the staff support for safety integrated in one major unit rather than scattered in several places?

b5. Organization for Improvement LTA:

Is the safety program organized adequately to achieve the desired pace of safety improvement?

(119,209,457)

[Achievement of a breakthrough goal in accident reduction by a safety program requires clear goal definition and distinctive organizational effort, particularly by staff personnel.]

SD5-a4-b1-c2-d1

d1. Logs/Schematic LTA:

Was the point-of-operation posting of warnings, emergency procedures, etc., provided for in a general detection plan? Were maintenance and inspection logs at the point-of-operation adequate? Were work schematics adequate? Were equipment change tags used?

(304)

d2. Supervisor Monitor Plan LTA:

What guidance was given to the supervisor relative to inspecting and monitoring status of the process ingredients (i.e., equipment, procedures, and personnel)?

Did he use the guidance? Was he given guidance on detection of individual personnel problems, such as alcoholism, drug use, personal problems?

d3. D/N Review Changes:

Was guidance given on review methods and change detection? Were the changes involved known to the supervisor? What counterchanges were made for the known changes?

d4. D/N Relate to Prior Errors:

If there were any known prior errors afflicting the process, was the supervisor told they might correlate with safety errors? Had he made an effort to correlate them? Was he aware of other signs or warnings that the process was moving out of control?

c3. Time:

Did the supervisor have adequate time to detect the hazards?

b2. D/N Correct Hazards:

Was an effort made to correct the detected hazard?

(305)

[Some facts about noncorrection of hazards were dealt with under nondetection. There are some basic factors of noncorrection still to be examined.]

c4. Interdepartment Coordination LTA:

If the accident/incident involved two or more departments, was there sufficient and unambiguous coordination of interdepartment activities?

[Interdepartment coordination is a key responsibility of the first line supervisor.

It should not be left to work level personnel.]

c5. Delayed:

Was the decision to delay correction of the hazard assumed by the supervisor on behalf of management? Was the level of risk one the supervisor had authority to assume? Was there precedent for the supervisor assuming this level of risk (as then understood by him)?

SD5-a4-b2-c5

c5. (Cont.)

[Note a decision to delay correction of the hazard may or may not transfer to the Assumed Risk branch.

It was an assumed risk only if it was a specific named event, analyzed, calculated where possible, evaluated, and subsequently accepted by the supervisor who was properly exercising management-delegated, decision-making authority.]

d5. Was the decision to delay hazard correction made on the basis of limited authority to stop the process?

d6. Was the decision made because of budget considerations?

d7. Was the decision made because of time considerations?

c6. Program Housekeeping LTA:

Was the housekeeping of the ongoing program adequate?

Was the storage plan for unused equipment adequate?

[The true role of housekeeping in the accident experience is usually unclear.]

c7. Supervisory Judgment:

Was the judgment exercised by the supervisor to not correct the detected hazard adequate considering the level of risk involved?

If there were previously established supervisor authority limitations, were the supervisor's actions generally in accord with those limitations?

[Evaluation of the performance of a supervisor in a given situation is, of course, retrospective and must be fairly considered.

If the authority limitations of the supervisor have been defined (as they should be), then the adequacy of his performance is more easily measured.]

a5. Performance Errors:

Was the work activity at the worksite free of performance errors by work level personnel? (331)

[The MORT analysis separates performance errors into task, nontask, and emergency shutoff errors. Worksite activity can be viewed as usually proceeding in a normal manner to attainment of performance goals.

If the ongoing activity enters a non-normal phase requiring work process shutoff, it is described as an emergency, and is analyzed in the light of the additional stress associated with emergency action.

The analysis proceeds more easily with these considerations.

It should be pointed out that the kinds of questions raised by MORT are directed at systemic and procedural problems. The experience, to date, shows there are few "unsafe acts" in the sense of blameful work level employee failures. Assignment of "unsafe act" responsibility to a work level employee should not be made unless or until the preventive steps of: (1) hazard analysis, (2) management or supervisory detection, and (3) procedures safety review have been shown to be adequate.]

SD1-a4-b16 SD2-a1

a4. HAP Triggers (Fix Control Initiators) LTA:

Were triggers (stimuli) for the initiation of the Hazard Analysis Process (HAP) adequate? Were they utilized to obtain early safety participation and review in planned or unplanned changes? (233)

[MORT postulates HAP triggers as part of the HAP portion of the Risk Assessment System, but originating from the Monitoring Subsystem of the Technical Information System.]

b16. One-On-One Fixes LTA:

Was the information from the technical information system adequate to trigger the HAP preventive action plan for individual problems?

(397)

b17. Priority Problem Fixes LTA:

Was the information from the technical information system adequate to provide continuous trigger to the HAP Priority Problem Lists?

(234)

b18. Planned Change Controls LTA:

Were HAP triggers from planned changes in the work process adequately recognized? Were they used?

(233)

b19. Unplanned Change Controls LTA:

Were HAP triggers from unplanned changes in the work process adequately recognized? Were they used?

(233)

b20. New Information Use LTA:

Were HAP triggers from research, new standards, etc., detected and used?

(234)

a5. Independent Audit and Appraisal LTA:

Was there a recent appraisal of the total safety system (or audits of parts thereof)? Were the audits and appraisals conducted in a truly independent manner? Was the appraisal plan adequate? (371,399)

SD2. Facility Functional Operability LTA:

Was the facility and process operationally ready? Were the necessary supplementary operations supportive to the main process ready? (293)

[This branch probes the status of "upstream processes" (design, training, etc.) which support the ingredients of the work process (hardware, procedures, and people).

The ingredients used at the worksite are obtained from two major upstream subprocesses: (1) the original design, construction, test, and qualification plus documents defining operating limits and performance specification and (2) modification projects to the facility. All "upstream processes", including the Hazard Analysis Process, are susceptible to constructive analysis as "work processes" in themselves. Each upstream process can be analyzed as to hardware, procedures, and personnel.]

a1. Verification of Occupancy-Use Readiness LTA:

Was verification of the facility and/or work process adequate?

[A recent publication of the System Safety Development Center, SSDC-1, "Occupancy-Use Readiness Manual", September 1975, provides detailed criteria for this major functional branch.]

SD2-a1-b1 SD3 SD4-a1-b1

b1. Was the conduct of an operational readiness review specified?

b2. Were the criteria used for determining the facility or process readiness adequate?

b3. Was the required procedure for determining occupancy-use readiness followed?

b4. Were the personnel who made the decision on occupancy-use readiness adequately skilled and experienced?

b5. Was the followup of action items from occupancy-use readiness review adequate? Were all outstanding action items resolved prior to startup of the work flow process?

a2. Organizational and Functional Relations LTA:

Was there adequate technical support furnished to the work flow process, particularly at the worksite? Were the organizational versus functional relationships adequate to assure the required level of operability?

[Highly complex processes need close field liaison by scientific and engineering personnel.]

a3. Interface Between Operations and Maintenance and Testing Activities LTA:

Was the interface between operations personnel and testing and maintenance personnel adequate? Were administrative procedures well-planned to preclude misunderstanding of operational status due to a breakdown of communication?

a4. General Design Process LTA:

Was the actual physical arrangement or configuration identical with that required by latest drawings, specifications, and procedures?

Were the configuration and documentation of modification to the facility or process adequately controlled? Was the general design process adequate to assure functional operability?

SD3. Maintenance LTA:

(Basic logic same as SD4, Inspection LTA)

SD4. Inspection LTA:

Was there adequate maintenance (or inspection) of equipment, processes, utilities, operations, etc.?

a1. Plan LTA:

Was the plan scope broad enough to include all the areas that should be maintained (or inspected)? Was management aware of those areas not included in the plan?

b1. D/N Analyze Failure for Cause:

Did the plan require that any failed item be analyzed for cause of failure? Were the analysis results required to be acted upon by an appropriate individual or group?

SA2-a1-b2-c2-d1

c1. Practice LTA:

Was there sufficient practice of various plan assignments?

Was the practice realistic?

c2. Personnel and/or Equipment Changes:

Were there personnel or equipment changes that caused the execution of the plan to be LTA? Were trained personnel free of any recent physical or mental changes? Was the equipment familiar to the users and free of defects or modifications?

d1. D/N Counterchange:

Had appropriate counterchanges been considered and introduced where applicable for changes in personnel or equipment?

c3. Task Performance Errors:

Was the plan executed properly through successful completion of all steps?

[Note the transfer in of other lower tier events from SD5-b3.]

a2. Emergency Action (Fire Fighting, Etc.) LTA:

Was the emergency action prompt and adequate to the emergency?

Which emergency response teams were required? Were they notified and did they respond?

[Include local facility fire brigade, health physics team, fire department, bomb squad, and other speciality teams. Be sure to consider delays or problems in both notification and response.]

[Note other lower tier events included by transfer from a1.]

a3. Rescue LTA:

Were trapped or immobilized victims satisfactorily removed to a safe area? Before entering a hazardous area, did rescuers consider the risk of injury to themselves versus the ability to lessen the severity of injuries to victims? Include the evacuation of employees or the public from potentially hazardous areas.

[Note other lower tier events included by transfer from a1.]

a4. Medical Services LTA:

Was adequate medical service available?

b3. First Aid LTA:

Was adequate first aid immediately available at the scene?

Was it used properly to prevent immediate injuries from becoming more severe?

b4. Transport LTA:

Was mobile service available to transport medical personnel and equipment to the accident scene and/or to transport injured to medical facilities? Was transport executed properly?

SA2-a4-b4-c4

c4. Plan:

Was there a medical service plan? Was it distributed to appropriate personnel?

[Consider such things as:

(1) how to make a notification, (2) training of medical personnel and drivers and when they are available, and (3) who and what equipment will respond.]

c5. Notice:

Was notification made in an adequate time and manner?

Were employees instructed on how to notify medical services?

[Consider whether notification process was easy to do, especially during the stress of an emergency.]

c6. Personnel and Equipment:

Did the personnel use the equipment correctly? Did the equipment function properly? Did the medical and transport personnel have all the equipment necessary to properly perform the jobs expected of them? Were the personnel adequately trained relative to the postulated needs?

[Consider whether equipment could be operated easily during the stress of an emergency.]

c7. Distance:

Was there a significant distance between medical services and area to which service responded?

[If the distance is great, response time is increased.]

[Note the event is flagged with R1 assumed risks. Top management must assume distance/time response risk.]

b5. Medical Treatment LTA:

Was there adequate medical treatment enroute and at the medical facilities?

a5. Rehabilitation LTA:

Was rehabilitation of persons and objects made after the accident?

b6. Persons:

If the injury was disabling, could its overall disabling effect have been reduced and/or the individual made more functional?

If such rehabilitating activity was possible, was it done?

b7. Objects:

Was damaged equipment, buildings, or other property expeditiously repaired, salvaged, or replaced?

a6. Relations LTA:

Was there a management plan outlining the protocol to be followed and steps to be taken subsequent to a significant accident? Was the accident news disseminated to all concerned parties in a proper and timely manner?

PART I

A. PURPOSE

This document has been prepared with a two-fold purpose:

1. Primarily, it is intended to be a practical working tool. It is designed to help the novice MORT practitioner achieve quicker, deeper insight and understanding of the MORT safety program concepts by: (a) providing a brief explanation of the related rationale supporting the word statement given in a specific event "box" of the MORT logic diagram and (b) listing page references to the detailed explanations of the basic MORT text, "MORT - The Management Oversight and Risk Tree", published in 1973 as ERDA publication SAN 821-2.

2. Additionally, it is intended to serve as an information document directed to system safety professionals, program managers, and higher level management with responsibility for accident investigation or safety program evaluation. It seeks to explain simply the MORT "programmatic" concepts and "analytical" methodology, and to inform those persons that MORT is available now for immediate use: (a) in investigating the elements of management oversight and risk relative to an accident that has happened or (b) in the evaluation of an existing safety program to determine the likelihood that a significant accident is about to happen.

While this document is generally applicable to any issue of the MORT logic diagram, it is keyed or indexed specifically to the MORT logic diagram revision dated November 1976.

B. BACKGROUND

Prior to 1970, the Energy Research and Development Administration (ERDA) had no system safety program as such.

During 1970 the ERDA (at that time the now defunct Atomic Energy Commission) Division of Safety, Standards, and Compliance (SSC), formerly DOS, funded a study prepared by W. G. (Bill) Johnson, who had recently retired as General Manager of the National Safety Council.

The argument for the study and the planned objectives, paraphrasing the words of the original proposal, was as follows:

"... Emerging concepts of systems analysis, accident causation, human factors, error reduction, and measurement of safety performance strongly suggest the practicality of developing a higher order of control over hazards (than now exists)."

"..The formulation of an ideal system appears to be a valuable F1 preconditior for knowing what information to seek after an

)

accident and what aspects of performance (of the accident-related safety system) to seek to measure." -

Johnson advanced the idea that application of controls and resources made by managements of occupational safety programs could be categorized into five levels:

1. Less than minimal compliance with regulations and codes.

2. Minimal compliance with regulations and codes.

3. Application of manuals and standards.

4. Advanced safety programs exemplified by those currently found in leading industrial companies and in ERDA.

5. An as-yet-nonexistent, superlative safety program synthesized by combining the "system safety" concepts pioneered by the military and aerospace industry with the best occupational safety practices and factoring in the newer concepts of the behavioral, organizational, and analytical sciences.

In Johnson's view there were sufficient data to suggest that progression from one level of safety program to the next better level might result in an order of magnitude reduction in the annual rate of disastrous accidents experienced by a specific enterprise.

Accordingly, the goal set for the conceptualized fifth level system, to be developed by the ERDA study, was an order of magnitude improvement in the already exemplary ERDA safety record.

The study was titled "Development of Systems Criteria for Accident Reporting and Analysis and for the Measurement of Safety Performance".

In 1971 the first generation MORT text was published and the study moved to the next logical phase of pilot use at an actual ERDA contract activity.

The Idaho National Engineering Laboratory (INEL), then known as the National Reactor Testing Station, was chosen primarily because the prime operating contractor, Aerojet Nuclear Company (ANC), then known as the Idaho Nuclear Corporation, had a well-established safety program and additionally was developing and using "system safety" techniques patterned after methodologies pioneered by NASA and DOD.

The first generation MORT text introduced four key innovative features basic to the MORT program:

1. An analytical "logic tree" or diagram from which MORT derives its name "Management Oversight and Risk Tree". This diagram arranges safety program elements in an orderly, coherent, and logical manner.

2. Schematic representation of a dynamic idealized or "universal" safety system model by using Fault Tree Analysis methodology.

3. Methodology for analyzing a specific safety program through a process of evaluating the adequacy of implementation of the individual safety system elements.


Other SSDC Publications in This Series

SSDC-1 Occupancy-Use Readiness Manual
SSDC-2 Human Factors in Design
SSDC-3 A Contractor Guide to Advance Preparation for Accident Investigation
SSDC-4 MORT User's Manual
SSDC-5 Reported Significant Observation (RSO) Studies
SSDC-6 Training as Related to Behavioral Change
SSDC-7 ERDA Guide to the Classification of Occupational Injuries and Illnesses