Visualizing the Relationship Between Human Error and Organizational Failure


  • 7/28/2019 Visualizing the Relationship Between Human Error and Organizational Failure


Visualizing the Relationship between Human Error and Organizational Failure

Chris Johnson
Department of Computing Science, University of Glasgow, Glasgow G12 8QQ.
Fax: 0141 330 4913, Telephone: 0141 330 6053,
Email: [email protected], http://www.dcs.gla.ac.uk/~johnson

Managerial failure plays an important role in major accidents and incidents. Operators have been authorized to deliberately remove safety mechanisms. They have also been instructed to guide application processes into dangerous operating environments. Given the consequences of such intervention, it is surprising that so little attention is paid to the relationship between organizational failure and operator error. One explanation for this is that the tools and techniques that have been developed to analyze human and system failures cannot easily be applied to reason about organizational problems. This paper argues that Fault Trees help to visualize the ways in which organizational failures create the necessary preconditions for human failure. This approach is also used to focus on the organizational problems that can exacerbate the consequences of those errors in the aftermath of an accident. It is argued that too much attention has been paid to human errors in the causes of accidents and not enough attention has been paid to organizational failure in post-accident events. A collision between a Maryland Commuter train and an American National Railroad Passenger Corporation train on February 16th, 1996 is used to illustrate this argument.

Keywords: human error; organizational failure; fault trees; safety; accidents.

    1. Introduction

Many accident reports cite human failure as a primary cause (Johnson, 1998). The workers at the Bhopal chemical plant pumped Methyl-isocyanate into a leaking tank (Morehouse and Subramaniam, 1986). The officers and crew of the Herald of Free Enterprise set to sea with their bow doors open (Sheen, 1987). The pilot and co-pilot throttled back their one working engine rather than the failed engine during the Kegworth air crash (AAIB, 1990). The first line of fire-fighting operations was delayed by communications failures between various operators during the Channel Tunnel Fire (Department of the Environment, 1996). This paper explains why operator error is such a prevalent cause of major accidents: insufficient attention is being paid to the managerial weaknesses that make systems vulnerable to human failure.

There has been a considerable amount of research into the causes of human error. Much of this has stressed the psychological and physiological influences that shape operator performance. There has been a focus on the effects of high workload on a user's ability to respond to warning messages (Woods, 1994). Other research has focussed on the impact of noise and vibration on an operator's decision making processes. There has also been a focus on individual attitudes to risk taking (Stanton and Glendon, 1996). Unfortunately, much of this work focuses on the symptoms of human error rather than its underlying causes (van Vuuren, Shea, and van der Schaaf, 1997). Relatively little work has focussed on the underlying organizational and regulatory weaknesses that lead to high workload or noise in an operator's environment (Hale, Wilpert and Freitag, 1997). These less direct forms of human failure help to establish the working practices that result in operator error (Reason, 1997). Unless we understand the managerial and regulatory causes of human failure then there is little prospect that we will ever be able to reduce the number of accidents and incidents that are being blamed on operator error.

Unfortunately, there are few techniques that can be used to reason about the interaction between organizational failure and human error. Cognitive models cannot easily be extended to represent regulatory requirements. Conversely, it is difficult to reason about individual responses to particular system failures using optimization models from operations research (Johnson, 1995). This paper, therefore, shows how fault trees help to visualize the relationship between organizational problems and human failure. This notation is appropriate because it reveals that:

1. organizational failures create the necessary preconditions for human error;

2. organizational failures also exacerbate the consequences of those errors.

Fault trees can also be integrated into other analytical tools that support process improvement, such as Management Oversight and Risk Trees (MORT). A further benefit is that the fault tree notation is well understood by existing generations of engineers. There are, however, many reasons why the standard fault tree notation is not appropriate for our purpose. These issues are discussed in more detail in a previous paper (Love and Johnson, 1997). In contrast, the remainder of this paper demonstrates that the approach can be used to analyze the complex, "messy" blend of operator errors and organizational failures that characterize real world accidents. A collision between a Maryland Commuter train and an American National Railroad Passenger Corporation train on February 16th, 1996 is used to illustrate this argument.

1.1 The MARC 286 Case Study

The National Transportation Safety Board (NTSB) report provides the following executive summary of the collision that forms the case study for this paper:

"About 5:39 pm on February 16, 1996, Maryland Rail Commuter (MARC) train 286 collided with National Railroad Passenger Corporation (Amtrak) passenger train 29 near Silver Spring, Maryland. En route from Brunswick Maryland to Union Station, Washington DC, MARC train 286 was travelling under CSX Transportation Inc (CSXT) operation and control on CSXT tracks. MARC train 286 passed an APPROACH signal before making a station stop at Kensington, Maryland; proceeded as if the signal had been CLEAR; and then, could not stop for the STOP signal at Georgetown Junction, where it collided with Amtrak train 29. All 3 CSXT operating crew members and 8 of the 20 passengers on MARC train 286 were killed in the derailment and subsequent fire. Eleven passengers on MARC train 286 and 15 of the 182 crewmembers and passengers on Amtrak train 29 were injured. Estimated damages exceeded $7.5 million" (page vii, NTSB, 1997).

This accident provides an appropriate case study because at first sight it appears to have been caused by a relatively simple instance of operator error. The engineer on board MARC train 286 forgot that the previous signal had been APPROACH instead of CLEAR. They, therefore, reached the Georgetown Junction with a velocity that prevented them from stopping in time to avoid Amtrak train 29. Later sections will argue, however, that such a superficial analysis ignores the managerial and regulatory factors that contributed to this accident. These organisational factors helped to create a system that relied upon the crewmember's memory of a signal that they had seen minutes before an unscheduled stop.

1.2 Using Fault Trees to Support Accident Analysis

This paper uses fault trees to represent and reason about the relationship between organisational failure and human error. This notation provides a simple graphical syntax based around circuit diagrams. Figure 1 presents a brief overview of this approach. Andrews and Moss (1993) provide a more detailed introduction.

Figure 1: Fault tree components

Fault trees are, typically, used pre hoc to analyse potential errors in a design. They have not been widely used to support post hoc accident analysis. They do, however, offer considerable benefits for this purpose. The leaves of the tree can be used to represent the initial causes of the accident (Leplat, 1987). The gates in Figure 1 can be used to represent the ways in which those causes combine. For example, the combination of operator mistakes, hardware/software failures and managerial problems might be represented using an AND gate. Conversely, a lack of evidence about user behaviour or system performance might be represented using an OR gate. Basic events can be used to represent the underlying failures that lead to an accident (Hollnagel, 1993).

Figure 2 uses a fault tree to represent some of the findings in the NTSB report:

"The MARC train 286 engineer apparently forgot the signal aspect, which required him to be prepared to stop at Georgetown Junction, due to interference caused by various events, including performing an unscheduled station stop, that occurred between the presentation of the APPROACH aspect at signal 1124-2 and the STOP signal at Georgetown Junction." (NTSB, 1997, Conclusion 4, page 73)

"Neither the conductor nor the assistant conductor while in the cab control compartment appeared to have effectively monitored the engineer's operation of MARC train 286 and taken action to ensure the safety of the train" (NTSB, 1997, Conclusion 5, page 73)

Figure 2 also shows that there is no direct means of translating from natural language into the structures of a fault tree. Analysts must identify key events from the prose. These events must then be structured using the gates that were introduced in the previous paragraph. Later sections will integrate the first three conclusions from the NTSB report into the fault tree shown in Figure 2.

Figure 2: An example of a fault tree representing part of the MARC accident

A number of important differences distinguish this use of fault trees from their more conventional application. The output from an AND gate is true if and only if all of its inputs are true. It is difficult to analyse an accident in this way. For example, Figure 2 shows that the collision was the result of four events. The derailment would have been prevented if any one of these events had been prevented from happening. In accident analysis, however, it is difficult to be certain that an event would actually have been avoided in this way. The derailment may or may not have been avoided if the Conductor had intervened. This potential conflict between the pre hoc use of fault trees to support risk assessment and their post hoc use to support accident analysis can be resolved. In the post hoc application of fault trees we are building our model upon a known set of events. Any inferences that depend upon events that are not part of that set must be regarded as speculation unless further evidence can be provided. In the previous example, this might involve empirical or observational studies of the interaction between Conductors and Engineers on MARC trains.

2.0 Immediate Causes

Figure 2 focussed on the immediate causes of the MARC collision as they were described in the concluding section of the NTSB report. These findings focus upon the operator errors that directly caused the derailment. This analysis can be extended to provide a more complete overview of the events that led to the accident. Figure 3 provides an overview of the findings in the NTSB report. It accurately reflects the direction and focus of the argument in the concluding section. Most of the findings relate to the Engineer's error rather than to the monitoring activities of the Conductor or their assistant. This is shown by the way in which the left-hand branch of the tree is developed from the intermediate event in which MARC 286 approaches Georgetown Junction as if signal 1124-2 was set to CLEAR. The lack of intervention by the Conductor and Assistant Conductor is less of a focus than the Engineer's error.

Figure 3: An Extended Fault Tree Showing Events Leading to the MARC Collision

The previous fault tree provides a graphical representation of the focus in the NTSB report. This offers a number of important benefits:

1. Fault trees provide an overview of the events that an analyst believes contributed to an accident. This is important because many reports are lengthy and detailed. The NTSB account is approximately 150 pages in length. The analyst's findings are, typically, summarised in the concluding section of an accident report. However, it can often be difficult to piece together individual conclusions into a coherent account of human error and systems failure;

2. Fault trees also suggest alternative hypotheses and questions about the analysis that is presented in an accident report. Readers can further develop the intermediate events in a tree to explore alternative conclusions. For example, the relative lack of attention that was paid to the Conductor and the Assistant Conductor can be contrasted with similar reports in the aviation industry that focus on cockpit communications rather than individual errors (AAIB, 1990).

Figure 4 focuses on part of the fault tree presented in Figure 3. In particular, it represents some of the non-contributory factors that were mentioned in the previous section:

"Neither the three MARC train 286 crewmembers nor the two Amtrak train 29 locomotive crewmembers were impaired by alcohol or drugs. All train crewmembers were in good health, had no evidence of fatigue, and were experienced in and qualified for their duties." (NTSB, 1997, Conclusion 1, page 73)

These non-contributory factors are represented as house events. They can either be "turned" on or off during the analysis of a fault tree. The NTSB report indicated that neither drugs nor illness affected the Engineer in the MARC collision. Technically, this can be represented by assigning a probability of 1 to the two house events in Figure 4. However, the ability to switch events on and off also provides analysts with a means of exploring alternative hypotheses about the course of an accident. For instance, a house event can be turned off if it is assigned a probability of 0. This can be used to explore what might have happened if the Engineer's performance had been impaired by drugs or by alcohol. The OR gate would then indicate that the Engineer could forget the APPROACH aspect of signal 1124-2 even if their memory were not impaired by the unscheduled stop. This specific example illustrates how the non-contributory factors in the NTSB report help readers to identify alternative scenarios or hypotheses about the events that might have led to the accident. The level of analysis presented in Figure 4 might seem simplistic. However, it is important to point out that this is the level at which the NTSB report was written. Fault trees simply help to reason about the consequences of the alternative scenarios that were implicit in the conclusions of the report.

Figure 4: Using House Events to Represent Alternative Scenarios

Inhibit gates provide an extension to the approach discussed in the previous paragraph. Rather than assigning Boolean probabilities to house events, these gates can be associated with a wider range of probabilities. Figure 5 exploits inhibit gates as a means of describing further hypotheses about the potential impact of non-contributory factors in future accidents and incidents. In this case the hypotheses relate to the effects of bad weather and signal failure on the course of the collision:

"The weather conditions did not impair the ability of the MARC train 286 crewmembers to distinguish the indication of the Kensington signal 1124-2." (NTSB, 1997, Conclusion 2, page 73)

"The signal system functioned as designed." (NTSB, 1997, Conclusion 3, page 73)

Figure 5 uses probabilistic inhibit gates because the Engineer's ability to view signal 1124-2 need not be impaired every time that there was bad weather. Similarly, a signalling failure need not always lead to an incorrect indication for 1124-2. This ability to assign probabilities to representations of human error should not be underestimated. It provides the opportunity for Monte Carlo simulation techniques in which analysts can investigate probable and improbable, frequent or infrequent, traces of interaction. The obvious pitfall is that there must be some means of validating the statistics that are used to prime models such as that shown in Figure 5. The most appropriate means of obtaining these figures after an accident is through reconstruction and empirical tests with other operators. Of course, these studies are inevitably biased by the individuals' knowledge that their performance is being monitored in the aftermath of an accident. These studies have, however, been widely used in previous accident reports (AAIB, 1990).

Figure 5: Using Inhibit Gates to Represent Alternative Scenarios
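As an added illustration of the house events and inhibit gates discussed for Figures 4 and 5 (example code written for this page, not the paper's or the NTSB's), the following Python evaluator builds an assumed version of the "proceeds as if CLEAR" branch, computes the top-event probability exactly and by Monte Carlo sampling, and lists the minimal cut sets under each scenario. The tree shape, the event names and every probability are constructed assumptions, not figures from the report.

```python
"""Fault-tree evaluator for the MARC 286 signal scenarios (added example, not the
paper's own code). Models AND/OR gates, basic events, house events that switch a
branch on or off, and probabilistic inhibit gates, as described for Figures 4 and 5.
Tree shape, event names and all probabilities are constructed assumptions, not NTSB figures."""
from dataclasses import dataclass, field
from math import prod
import random


@dataclass
class Node:
    name: str
    kind: str        # 'basic', 'house', 'not', 'and', 'or' or 'inhibit'
    p: float = 0.0   # basic: probability; house: 1 (on) / 0 (off);
                     # inhibit: probability that the gate condition holds
    children: list = field(default_factory=list)


def basic(name, p): return Node(name, 'basic', p)
def house(name, on): return Node(name, 'house', 1.0 if on else 0.0)
def NOT(child): return Node("not " + child.name, 'not', children=[child])
def AND(name, *kids): return Node(name, 'and', children=list(kids))
def OR(name, *kids): return Node(name, 'or', children=list(kids))
def inhibit(name, child, p_cond): return Node(name, 'inhibit', p_cond, [child])


def build_tree(drugs_ruled_out=True, alcohol_ruled_out=True):
    """Figure 4/5-style tree for 'MARC 286 proceeds as if 1124-2 was CLEAR'.
    As in the paper, a house event set to 1 records the NTSB finding that the
    factor played no part; setting it to 0 admits the alternative scenario."""
    forgets = OR("Engineer forgets APPROACH aspect of signal 1124-2",
        basic("Memory interference from unscheduled stop at Kensington", 0.3),
        AND("Engineer impaired by drugs",
            basic("Drug impairment degrades signal recall", 0.05),
            NOT(house("Drugs ruled out (NTSB Conclusion 1)", drugs_ruled_out))),
        AND("Engineer impaired by alcohol",
            basic("Alcohol impairment degrades signal recall", 0.05),
            NOT(house("Alcohol ruled out (NTSB Conclusion 1)", alcohol_ruled_out))))
    # Inhibit gates: bad weather or a signalling failure only sometimes produces a
    # wrong reading of 1124-2, so the gate condition carries its own probability.
    misreads = OR("Engineer unable to read the aspect of 1124-2 correctly",
        inhibit("Weather obscures 1124-2", basic("Bad weather at Kensington", 0.2), 0.25),
        inhibit("Failure shows a wrong aspect", basic("Signalling system failure", 0.01), 0.5))
    return OR("MARC 286 proceeds as if signal 1124-2 was CLEAR", forgets, misreads)


def probability(node):
    """Exact top-event probability; assumes every leaf occurs independently."""
    if node.kind in ('basic', 'house'):
        return node.p
    if node.kind == 'not':
        return 1.0 - probability(node.children[0])
    if node.kind == 'inhibit':
        return node.p * probability(node.children[0])
    ps = [probability(c) for c in node.children]
    if node.kind == 'and':
        return prod(ps)
    return 1.0 - prod(1.0 - q for q in ps)          # 'or'


def sample(node, rng):
    """One Monte Carlo trace: draw every leaf and evaluate the gates as Booleans."""
    if node.kind == 'basic':
        return rng.random() < node.p
    if node.kind == 'house':
        return node.p >= 1.0
    if node.kind == 'not':
        return not sample(node.children[0], rng)
    if node.kind == 'inhibit':
        return sample(node.children[0], rng) and rng.random() < node.p
    if node.kind == 'and':
        return all(sample(c, rng) for c in node.children)
    return any(sample(c, rng) for c in node.children)


def monte_carlo(node, trials=20000, seed=1):
    """Estimate the top-event probability from repeated sampled traces."""
    rng = random.Random(seed)
    return sum(sample(node, rng) for _ in range(trials)) / trials


def cut_sets(node):
    """Minimal cut sets: leaf combinations that make the top event true. A house
    event that is off prunes its branch; an inhibit gate adds 'cond:<gate>'."""
    if node.kind == 'basic':
        return [frozenset([node.name])]
    if node.kind == 'house':
        return [frozenset()] if node.p >= 1.0 else []
    if node.kind == 'not':               # supported over house events only
        if node.children[0].kind != 'house':
            raise ValueError("NOT is only supported over house events")
        return [frozenset()] if node.children[0].p < 1.0 else []
    if node.kind == 'inhibit':
        return [s | {"cond:" + node.name} for s in cut_sets(node.children[0])]
    if node.kind == 'or':
        sets = [s for c in node.children for s in cut_sets(c)]
    else:
        sets = [frozenset()]
        for c in node.children:
            sets = [a | b for a in sets for b in cut_sets(c)]
    return [s for s in sets if not any(o < s for o in sets)]


if __name__ == "__main__":
    for label, tree in (("drugs ruled out", build_tree()),
                        ("drug impairment admitted", build_tree(drugs_ruled_out=False))):
        print(f"{label}: exact={probability(tree):.4f} mc={monte_carlo(tree):.4f}")
        print("  cut sets:", [sorted(cs) for cs in cut_sets(tree)])
```

Switching a house event from 1 to 0 adds the impairment branch's cut set and raises the top-event probability, which is the alternative-scenario reasoning the paper describes; replacing a house event by an `inhibit` gate with a conditional probability, as the paper later suggests for Figure 7, uses the same constructors.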

The previous paragraphs have argued that fault trees can be used to provide an overview of the immediate human errors that contribute to accidents. House events and inhibit gates can also be used to analyse the non-contributory factors that did not play a part in past failures but which might lead to similar errors during the future operation of the system. The following section builds on this analysis and shows how our fault tree model can be extended to capture the managerial and regulatory factors that created the potential for the direct human error in Figures 3 to 5.

3.0 The Organisational Origins of Direct Human Error

The first five findings in the NTSB report focused on non-contributory factors and the interaction between the Engineer, the Conductor and the Assistant Conductor. The remaining twenty-two findings centred on the organisational factors that contributed to the accident. These organisational problems involve both managerial and regulatory failure. Many of them stemmed from a failure to review the human factors implications of increasing the capacity on the Brunswick line. Increasing the capacity implied reducing the train headway to 15 minutes during dense scheduling periods. This, in turn, implied changes to the signalling system. In consequence, the Engineer had to remember the aspect of signal 1124-2 both before and after any stop at Kensington station:

"Additionally, signal 100 was less than the 11,000 feet minimum braking requirement from the EAS-2 signals at CP Georgetown Junction. As a result of the signal modifications, signal 100 was replaced by signal 1124-2, which was now the last automatic wayside signal before EAS-2 for Georgetown Junction and was west of the Kensington station platform" (NTSB, 1997, page 43).

The NTSB report summarised the managerial and regulatory failures that created this situation in the following conclusions from their accident report:

"Had the Federal Railroad Administration and the Federal Transit Administration required the CSX Transportation Inc. to perform a total signal system review of the proposed signal changes that included a human factors analysis with comprehensive failure modes and effects analyses, this accident may have been prevented". (NTSB, 1997, Conclusion 7, page 73)

"Federal funds granted for the signal modifications on the CSXT Brunswick Line to accommodate an increase in the number of Maryland Rail Commuter trains did not ensure that the safety of the public was adequately addressed" (NTSB, 1997, Conclusion 8, page 73)

"The Federal Railroad Administration's reliance on the need for increased vigilance of wayside signals and special actions in operating rules, such as the crew communication rule of emergency order 20, does not adequately safeguard the public" (NTSB, 1997, Conclusion 10, page 73)

"Had a train control system that could utilise the cab signal equipment on the Maryland Rail Commuter cab control car been a part of the signal system on the Brunswick Line, this accident may not have occurred." (NTSB, 1997, Conclusion 11, page 73)

Figure 6 illustrates how these findings can be integrated into the fault tree model. A cursory inspection reveals the additional complexity that is introduced when investigators consider the deeper sources of organisational failure that contribute to major accidents and incidents.

Figure 6: Using Fault Trees to Represent the Organisational Precursors to Human Error

Previous sections have introduced non-contributory causes into our fault tree model of human error and organisational failure. Drugs and illness were ruled out as influences on the operator's behaviour. By considering these causes, analysts can identify alternative scenarios that might lead to similar accidents in the future. Conversely, accident reports often speculate about events that might prevent similar accidents in the future:

"A fully implemented positive train separation control system might have prevented this accident by recognising that MARC train 286 was not being operated within allowable parameters, based on other authorised train operations, and would have stopped the train before it could enter into the unauthorised track area" (NTSB, 1997, Conclusion 12, page 73)

Figure 7 captures this finding. The diagram again illustrates the relationship between the natural language comments of the NTSB report and the formal analysis techniques that can be applied to fault tree diagrams. In this case, the house events are assigned a probability of 1 to simulate the events leading to the collision. The Federal Railroad Administration and the Federal Transit Administration allowed the proposed signal changes without a comprehensive failure modes and effects analysis. According to Figure 7, if the house events had been false and an analysis had been conducted then a positive train separation control system would have been introduced. In consequence, the highest level conjunction would not have been true. The derailment would not have taken place.

Figure 7: Using Fault Trees to Represent the Organisational Precursors to Human Error

The previous analysis raises many questions about the role of organisational failure in major accidents. It is not certain that a failure modes and effects analysis would have led to the introduction of a positive train separation system, as suggested in Figure 7. This objection can be represented by replacing the house events with an inhibit gate. Analysts could then assign a probability to the introduction of a train separation system given that a failure modes and effects analysis had been conducted. This approach, in turn, raises further questions about quantified approaches to group decision making. It is unclear how reliable data might be obtained and validated for such an analysis. What figure would an accident investigator be justified in assigning to a particular outcome of the failure modes and effects analysis? Such questions point towards a need to explore the relationship between economics or management theory and cognitive science (Johnson, 1995). The former approaches provide accounts of group decision making under uncertainty. The latter provides more qualitative insights into individual instances of human error.

4.0 The Aftermath

Previous sections have shown that fault trees provide one means of integrating observations about organisational failure into an analysis of more direct forms of human error. Previous diagrams have, however, suffered from a weakness that is common in many human factors investigations. There is a preoccupation with the causes rather than the consequences of an incident. This is a significant limitation because more lives are lost in the aftermath of an accident than are lost through its immediate effects. In the MARC case study, at least eight of the eleven fatalities were caused by events that occurred after the immediate collision. Figure 8 alters the perspective of previous fault trees by focussing on the immediate aftermath of the collision. It represents the following conclusions from the NTSB report:

"The emergency egress of passengers was impeded because the passenger cars lacked readily accessible and identifiable quick-release mechanisms for the exterior doors, removable windows or kick panels in the side doors, and adequate emergency instruction signage." (NTSB, 1997, Conclusion 13, page 73)

"The catastrophic rupture of the Amtrak unit 255 fuel tank in the collision with the MARC cab control car 7752 released fuel, which sprayed into the interior of the cab control car, and resulted in the fire and at least 8 of the 11 fatalities." (NTSB, 1997, Conclusion 18, page 74)

"Even though the Montgomery County Fire and Rescue Service personnel responded promptly to the emergency, they could do nothing to save the lives of the accident victims because passenger coach cab control car 7752 was already completely engulfed in flames when the fire fighters arrived on the scene." (NTSB, 1997, Conclusion 21, page 74)

Figure 8: Fault Tree Showing Events Following the MARC Collision

As can be seen, there is an even greater emphasis on organisational problems in the aftermath of an accident than in its immediate causes. This analysis highlights an important distinction between two different forms of organisational failure:

1. Managerial failure. This relates to the ways in which companies organise and manage their working practices.

2. Regulatory failure. This relates to the ways in which governments and other statutory bodies govern and monitor the working practices of companies and industries.

The previous diagram focussed on managerial failure. The train operators failed to provide adequate emergency instructions or escape mechanisms in their passenger car. However, the NTSB report also found regulatory problems that exacerbated the consequences of this accident:

"The absence of comprehensive Federal passenger car safety standards resulted in the inadequate emergency egress conditions." (NTSB, 1997, Conclusion 14, page 73).

"A need exists for Federal standards requiring passenger cars be equipped with reliable emergency lighting fixtures with a self-contained independent power source when the main power supply has been disrupted to ensure passengers can safely egress." (NTSB, 1997, Conclusion 15, page 74)

"Prescribed inspection and maintenance test cycles are needed to ensure the reliable operation of emergency windows in all long-distance and commuter rail passenger cars." (NTSB, 1997, Conclusion 16, page 74)

Figure 9 shows how these regulatory weaknesses contributed to the managerial failures shown in Figure 8. Such an integrated approach is critical if readers are to gain an overview of the relationship between operational practices and the regulatory structures that guide those practices.

Figure 9: Representing Regulatory Problems in an Extended Fault Tree

The previous fault tree illustrates how the lack of Federal standards for reliable emergency lighting combined with the lack of suitable signs in the MARC car to prevent passengers from finding the emergency exits. Similarly, the lack of more general Federal safety standards combined with the inadequate maintenance cycles of the MARC operators to prevent passengers from using the exits once they had located them. Even this level of analysis simplifies the organisational problems that were uncovered by the NTSB:

"Because other commuter passenger cars may also have interior materials that may not meet specified performance criteria for flammability and smoke emission characteristics, the safety of passengers in those cars could be at risk." (NTSB, 1997, Conclusion 19, page 74).

"The Federal guidelines on the flammability and smoke emission characteristics and the testing of interior materials do not provide for the integrated use of passenger car interior materials and, as a result, are not useful in predicting the safety of the interior environment of a passenger car in a fire." (NTSB, 1997, Conclusion 20, page 74)

Each stage of this analysis takes us further and further away from the Engineer's initial error. It also moves us further and further away from most of the analysis techniques that are being developed by human factors and systems engineering. The NTSB also identified a range of further management problems:

"The CSX Transportation Inc. personnel operating Maryland Rail Commuter passenger trains are not adequately trained to understand and, therefore, execute their responsibilities for passengers in emergencies." (NTSB, 1997, Conclusion 24, page 74)

Figure 10 extends the previous diagrams to introduce these additional findings. This fault tree provides graphic evidence both of the complexity and diversity of organisational factors that exacerbate the effects of an accident and can frustrate a co-ordinated response to any incident.


    Figure 10: Fault Tree Showing Organisational Failures and Direct Operator Error.
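As an added illustration of the fault-tree notation (this is not code from the paper, and it is not a transcription of Figure 10), the following Python models the dependencies described above as AND and OR gates and enumerates the minimal cut sets, the smallest combinations of basic events that reach the top event. The gate structure and the event labels are assumptions paraphrased from the NTSB findings quoted in the text. What it makes visible is the argument of the paper: the engineer's error on its own never reaches the top event, and removing any single organisational precondition removes an entire cut set.

```python
"""Minimal fault-tree evaluator, constructed to illustrate the notation
used in the paper.  Gate structure and labels are assumptions, not a
reproduction of Figure 10 or identifiers from the NTSB report."""
from itertools import combinations


class Basic:
    """A leaf event: holds when its name is in the set of facts assumed true."""
    def __init__(self, name):
        self.name = name

    def holds(self, facts):
        return self.name in facts

    def basics(self):
        return {self.name}


class Gate:
    """An AND or OR gate over child events, as drawn in a fault tree."""
    def __init__(self, kind, name, children):
        assert kind in ("AND", "OR")
        self.kind, self.name, self.children = kind, name, children

    def holds(self, facts):
        results = [child.holds(facts) for child in self.children]
        return all(results) if self.kind == "AND" else any(results)

    def basics(self):
        return set().union(*(child.basics() for child in self.children))


# Basic events paraphrased from the NTSB findings quoted in the text.
# These are constructed labels for illustration only.
ENGINEER_ERROR = Basic("engineer's initial error")
NO_FED_STANDARDS = Basic("no federal emergency-exit standards")
POOR_MAINTENANCE = Basic("inadequate MARC maintenance of exits")
CREW_UNTRAINED = Basic("CSX crew not trained for passenger emergencies")
FLAMMABLE_INTERIOR = Basic("interior materials fail flammability criteria")

# Assumed gate structure: the direct operator error must coincide with at
# least one organisational failure of the escape provisions before
# passengers are trapped.  Lack of standards and poor maintenance are
# ANDed because the text says they "combined" to make the exits unusable.
EXITS_UNUSABLE = Gate("AND", "exits cannot be used once found",
                      [NO_FED_STANDARDS, POOR_MAINTENANCE])
ESCAPE_FAILS = Gate("OR", "passengers cannot escape",
                    [EXITS_UNUSABLE, CREW_UNTRAINED, FLAMMABLE_INTERIOR])
TOP = Gate("AND", "passengers trapped after collision",
           [ENGINEER_ERROR, ESCAPE_FAILS])


def top_event_holds(facts):
    """Evaluate the tree for a given collection of basic events that are true."""
    return TOP.holds(frozenset(facts))


def minimal_cut_sets(tree=TOP):
    """Brute-force minimal cut sets.  Subsets of leaves are enumerated by
    increasing size, so any proper subset that already triggers the top
    event has been recorded before its supersets are examined."""
    leaves = sorted(tree.basics())
    cuts = []
    for size in range(1, len(leaves) + 1):
        for combo in combinations(leaves, size):
            candidate = frozenset(combo)
            if tree.holds(candidate) and not any(cut < candidate for cut in cuts):
                cuts.append(candidate)
    return cuts


if __name__ == "__main__":
    for cut in minimal_cut_sets():
        print(" AND ".join(sorted(cut)))
```

Run stand-alone, the script prints three cut sets, every one of which contains the engineer's error together with at least one organisational precondition. Deleting NO_FED_STANDARDS from the model (the regulatory fix the conclusion calls for) removes the three-event cut set entirely, while leaving the engineer's error in place changes nothing on its own.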

    5.0 Conclusion

This paper has extended the application of fault trees beyond their normal use in systems engineering. This notation provides important visualisation properties that enable readers to gain an overview of complex, interconnected events. For example, the previous diagram shows how the lack of Federal guidelines contributed to the passengers' difficulties in escaping during the fire. Our use of fault trees also provides visual support for the argument that post-accident events are just as important, if not more important, than the more immediate human errors that lead to many accidents. Most of the fatalities in the MARC collision could have been avoided if managerial and regulatory structures had ensured the provision of effective escape mechanisms.

The previous argument introduces the second focus of this paper. It has been argued that too little attention has been paid to the role of organisational failure in major accidents. The role of managerial and regulatory practices as pre-conditions for human error has been particularly neglected. There are some exceptions to this criticism (Reason 1997, Hale, Wilpert and Freitag 1997, van Vuuren, Shea and van der Schaaf, 1997). However, most human factors and systems engineering has focused on the immediate causes of operator error and system failure rather than on the organisational context of those errors. Distributed cognition, situation awareness, high workload and mode confusion have become part of a mantra that is repeated with increasing frequency in accident reports. Their prominence as causal factors in these documents often obscures wider issues to do with workplace organisation and industrial regulation. The NTSB case study is an exception to this general criticism. It is rare to find an official report that is so candid in its analysis of managerial and regulatory practice. This is a result of the NTSB's position outside the Federal regulatory mechanisms that protect the railroads. Many other reporting agencies lack this independence. This reduces the likelihood that they will examine the managerial and regulatory practices that create the context for individual human errors.

    Acknowledgements

Thanks go to the members of the Glasgow Interactive Systems Group (GIST) and to the Glasgow Accident Analysis Group. This work is supported by the UK Engineering and Physical Sciences Research Council, grants GR/JO7686, GR/K69148 and GR/K55040.

    References


    Air Accidents Investigations Branch, Department of Transport. Report On The Accident

    To Boeing 737-400 G-OBME Near Kegworth, Leicestershire on 8th January 1989,

    number 4/90, Her Majesty's Stationery Office. London, United Kingdom, 1990

    J.D. Andrews and T.R. Moss, Reliability and Risk Assessment, Longman Scientific and

    Technical, Harlow, United Kingdom, 1993.

    Department of the Environment, Transport and the Regions, Inquiry into the Fire on a

    Heavy Goods Vehicle Shuttle 7539 on 18 November 1996.

    D. Busse and C.W. Johnson, Modelling Human Error within a Cognitive Theoretical

    Framework. In F.E. Ritter and R.M. Young (eds.) The Second European Conference on

    Cognitive Modelling, Nottingham University Press, 90-97, 1998.

    A. Hale, B. Wilpert and M. Freitag, After the Event: From Accident to Organisational

    Learning, Pergamon Press, New York, United States of America, 1997.

    E. Hollnagel, The Phenotype Of Erroneous Actions, International Journal Of Man-

    Machine Studies, 39:1-32, 1993.

    C.W. Johnson, Decision Theory And Safety-Critical Interfaces. In K. Nordby, P.H.

    Helmersen, D. Gilmore and S. A. Arnesen (eds.), Interact '95, Chapman and Hall,

    London, United Kingdom, 127-132, 1995.

    J. Leplat. Accidents and Incidents Production: Methods of Analysis. In J. Rasmussen, K.

    Duncan and J. Leplat (eds.), New Technology and Human Error. John Wiley and Sons

    Ltd, 1987.

    L. Love and C.W. Johnson, Using Diagrams to Support the Analysis of System 'Failure'

    and Operator 'Error'. In H. Thimbleby, B. O'Conaill and P. Thomas (eds.), People and

    Computers XII: Proceedings of HCI'97, Springer Verlag, London, United Kingdom, 245-

    262, 1997.

    W. Morehouse and M.A. Subamaniam, The Bhopal Tragedy. Technical Report. Council

    for International and Public Affairs, New York, United States of America, 1986.

National Transportation Safety Board, Collision and Derailment of Maryland Rail Commuter MARC Train 286 and National Railroad Passenger Corporation AMTRAK Train 29, Near Silver Spring, Maryland on February 16, 1996. NTSB Report RAR-97/02. Washington, United States of America, 1997.

J. Reason, Managing the Risks of Organisational Accidents, Ashgate, Aldershot, United Kingdom, 1997.


Sheen, Formal Investigation into the Sinking of the mv Herald of Free Enterprise, UK Department of Transport, Report of Court 8074, Her Majesty's Stationery Office, 1987.

N. Stanton and I. Glendon, Risk Homeostasis and Risk Assessment, Safety Science, 22(1-3):1-13, 1996.

    W. van Vuuren, C.E. Shea, T.W. van der Schaaf, The Development of an Incident

    Analysis Tool for the Medical Field, Technical Report EUT/BDK/85, Eindhoven

    University of Technology, Faculty of Technology Management, 1997.

D. Woods, Cognitive Demands and Activities in Dynamic Fault Management, In N. Stanton (ed.), Human Factors of Alarm Design, Taylor and Francis, London, United Kingdom, 1994.