Safety and disaster control

Torrey Canyon. On March 18, 1967, owing to a navigational error, the Torrey Canyon supertanker struck a reef near England. This was the first major oil spill (http://en.wikipedia.org/wiki/Torrey_Canyon). The accident was due to a combination of several exceptional events, the result of which was that the supertanker was heading directly to the rocks. At that point, the captain failed to change the course because the steering control lever had inadvertently been set to the Control position, which disconnected the rudder from the wheel at the helm. When the captain realized that the ship did not respond to the wheel, it was too late (Casey, 1998 – A Memento of your Service).

The inadvertent setting of the control stick to the undesired position could have been avoided, had the ship's navigation control been designed according to usability guidelines for scenario-based mode control in operational procedure design.

Air France Flight 296 was a chartered flight of a newly-delivered fly-by-wire Airbus A320 operated by Air France. On June 26, 1988, as part of an air show it was scheduled to fly over Mulhouse-Habsheim Airport at a low speed with landing gear down at an altitude of 100 feet, but instead slowly descended to 30 feet before crashing into the tops of trees beyond the runway. Three passengers were killed (http://en.wikipedia.org/wiki/Air_France_Flight_296). The accident was due to an interaction fault, in which the captain unknowingly set the airplane to an exceptional state, in which the airplane engines did not respond immediately to acceleration commands (Casey, 1998 – Leap of Faith).

This is an example of a human-machine interaction fault due to state mismatch, in which the user was not aware of the system being in an exceptional state. This kind of interaction fault can be avoided by implementing standards that assure the user's awareness of changes in system state.

Because the committee that examined the Air France Flight 296 accident found the captain responsible and guilty, they did not examine the defects in the airplane design. Consequently, in 1990, another A320 crashed in Bangalore, India, because of the same design mistake (http://en.wikipedia.org/wiki/Indian_Airlines_Flight_605).

Three Mile Island (http://en.wikipedia.org/wiki/Three_Mile_Island_accident). The Three Mile Island nuclear power station accident was the most significant in the history of the American commercial nuclear power generating industry. The scope of the accident became clear over the course of five days, as a number of agencies at the local, state and federal levels tried to diagnose the problem and decide whether the on-going accident required a full emergency evacuation of the local community, or of the entire area. In the end, the reactor was brought under control, but the operational failure motivated the effort for usability standards.

There is consensus that the accident was exacerbated by wrong decisions made because the operators were overwhelmed with information, much of it irrelevant, misleading or incorrect. This mishap could have been avoided had the control room's usability guidelines included a bidirectional mapping between failure situations and alarms, so that each alarm points to a failure situation and each failure situation has an alarm.

Therac-25 was a radiation therapy machine. It was involved in at least six known accidents between 1985 and 1987, in which patients were given massive overdoses of radiation, in some cases on the order of hundreds of grays. At least five patients died of the overdoses (http://en.wikipedia.org/wiki/Therac-25). The accidents were due to an interaction fault in a particular operational pattern, in which the system responded too slowly to the operator's commands (Casey, 1998 – Set Phasers on Stun). Consequently, the system activated the radiation beam while in the exceptional state, resulting in the overdoses (Leveson, 1985).

This is an example of an interaction fault due to state mismatch between two simple system units. Each unit could work perfectly according to its specification, but the two were not synchronized. This kind of interaction fault can be avoided by implementing standards that assure state synchronization between the units.
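The two rules drawn from these cases, operator awareness of state changes (Air France 296) and state synchronization between units (Therac-25), can be modelled in a few lines. The Python below is an added illustration, not code from the original text or from any of the systems described; the console, beam controller, mode names and the version-stamped handshake are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ModeState:
    mode: str       # constructed sample values: "electron" or "xray"
    version: int    # bumped on every change, so a stale copy is detectable

class Console:
    """Operator-facing unit: edits the mode and must confirm each change on screen."""
    def __init__(self):
        self.state = ModeState("electron", 0)
        self.acknowledged = True

    def set_mode(self, mode):
        self.state = ModeState(mode, self.state.version + 1)
        self.acknowledged = False   # displayed but not yet confirmed by the operator

    def acknowledge(self):
        self.acknowledged = True

class BeamController:
    """Actuator unit: keeps its own copy of the mode, refreshed only by sync_from()."""
    def __init__(self):
        self.state = ModeState("electron", 0)

    def sync_from(self, console):
        self.state = console.state

    def fire(self, console):
        """Energise only if the operator confirmed the mode and both copies agree."""
        if not console.acknowledged:
            return "refused: unacknowledged mode change"
        if self.state != console.state:
            return "refused: units out of sync (v%d vs v%d)" % (
                self.state.version, console.state.version)
        return "fired in %s mode" % self.state.mode

def race_scenario():
    """Operator switches mode and confirms it before the beam unit re-reads the state."""
    console, beam = Console(), BeamController()
    console.set_mode("xray")
    console.acknowledge()
    refused = beam.fire(console)     # beam side still holds version 0 -> refused
    beam.sync_from(console)
    return refused, beam.fire(console)

def unacknowledged_scenario():
    # Operator switches mode but never confirms the change; beam copy is current.
    console, beam = Console(), BeamController()
    console.set_mode("xray")
    beam.sync_from(console)
    return beam.fire(console)
```

Without the version check, the first `fire()` in `race_scenario` would have run with the beam unit's stale copy of the mode, which is the mismatch described above.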