Safety recommendations are the end point of an accident investigation (ICAO, 1994). There is no value in an investigation which gathers all the facts, and analyses them accurately, unless those who are in a position to take action to avert recurrence know what needs to be done. On superficial inspection, one might expect that the investigators, who are aware of the accident sequence and could be expected to know how to improve matters, should be empowered to issue directives, but nowhere in the world is this done, at least as far as aircraft accidents are concerned. The argument is that, while investigators know what outcome should be achieved, the way in which that outcome is achieved is best left to those familiar with the day-to-day operation of the system (Wood & Sweginnis, 1995). Also, it has been found useful to have a separation between the investigating and enforcement authorities, since those with information about an accident are less likely to be forthcoming about what might be perceived as their own shortcomings if they are speaking to an enforcement body. A further consideration is that, with present day emphasis on systemic failures, an investigating body which is part of the enforcement authority might find itself in the embarrassing position of having to report on the failings of its parent body.
If the purpose of safety recommendations is to improve the operation so that further accidents are averted, it follows that those recommendations must be sufficiently persuasive that those in a position to act are persuaded of the need to do so. Any improvement is likely to have a cost, in time, money or effort, so it is likely that resistance to change will be encountered. Charles (1991), Taylor (1998), Miller (1999; 2000), and Maurino (1999) have discussed many cases where an apparent pressing need for change was not acted upon. If the investigation results in valid safety recommendations, but no actions are taken, then the failure to persuade could be looked on as an investigative failure. By this standard, many investigations have failed in their purpose.
The Windsor accident (NTSB, 1973), the precursor to the Orly disaster (AIB, 1976), was a spectacular demonstration of a failure of persuasion, but there have been many such failures.
A DC-10 airliner was climbing over Windsor, Ontario, when an explosive decompression caused part of the cabin floor to bulge downward, and a hole appeared in the floor. A flight attendant fell into the hole and was trapped by wreckage, but was ultimately able to release herself and climb out. The distortion of the floor affected the control runs to the tail, which passed beneath the floor. Only partial elevator control remained, but by applying power to the low-mounted under-wing engines, the crew were able to retain control. The aircraft landed safely. It was found that an outward-opening cargo door had been blown off by the difference between internal and external pressure as the aircraft climbed, because the door locks had not been closed correctly, and the resulting depressurisation of the hold had permitted cabin pressure to deform the floor. Recommendations included redesign of the cargo door, increased floor beam strength in wide-bodied aircraft, and blow-in ports which would equalise pressure between cabin and hold in the event of a depressurisation. These recommendations were resisted by the manufacturer on grounds of cost, and the Federal Aviation Agency accepted that improvements to the door latching system were all that was required. These improvements were not made mandatory.
18 months later, a DC-10 was climbing out from Orly near Paris, when a similar cargo door failure occurred. This time the crew were not able to operate the controls, and the aircraft flew into a forest near Orly in a shallow dive, with the loss of 346 lives. A Congressional Inquiry stated that "through regulatory non-feasances, thousands of lives were unjustifiably put at risk" (Congress, 1974). Legislation was subsequently introduced to strengthen the floors of all wide-bodied airliners.
There is a pressing need for better ways to devise and present safety recommendations so that the results of investigations can be put to work.
So far, a method of depicting and understanding the sequence of events in an accident process has been examined (MES), and WBA has been seen to provide a means of understanding why the accident occurred. However, as Charles (1991) and others have shown, this understanding may still leave the investigation far from achieving the stated goal, of preventing the recurrence of accidents (ICAO, 1994).
Hendrick and Benner's (1987) concept of an accident as a process may point the way forward. Processes and their control are commonplace in industry; perhaps methods used in industry may deal with problems sufficiently analogous to those of accident investigation, that they may be applicable. The object would be to modify the accident process so as to avert the undesirable outcomes, while interfering as little as possible with such desirable outcomes as operating profitably.
Mabin & Balderstone (1998) refer to the Theory of Constraints as a unique management philosophy. Goldratt's works are conceptually different from other books on business management, in that they are based on the methods and principles of logic used by the physical sciences. The emphasis on rigorous logic is in keeping with that of Hendrick and Benner (1987) and Ladkin and Loer (1998), and suggests the use of Goldratt's Theory of Constraints as one of a suite of related tools for accident investigation. The Theory of Constraints is examined in the following section.
Theory of Constraints Overview
The Theory of Constraints is based on the idea that a system can be likened to a chain, or more generally a network of chains, of cause and effect. The strength of any chain is dependent on its weakest link: in a system, this weakest link is the constraint on overall performance. The aim of the TOC is therefore to identify such constraints, and make the necessary changes to eliminate them.
‘The Goal’ (Goldratt, 1984) is a novel based in an engineering plant. Goldratt himself appears in it as a Socratic professor, Jonah, who has given his name to Goldratt’s teaching system, the Jonah Programme. In the novel, Goldratt explains his ideas on managing constraints to improve the overall performance of the plant, rather than seeking to make piecemeal local improvements. In a second novel (‘It’s Not Luck’, (Goldratt, 1994)) he introduces methods of logical thinking to make decisions, solve problems and resolve conflicts. Non-literary works include ‘The Race’ (Goldratt, 1986) on production scheduling.
The TOC comprises separate but related processes:
• Performance measures
• Focussing steps
• Logical thinking processes
• Logistics
Performance measures should be those applicable to the system as a whole, not to components of it. Goldratt advocates ‘throughput’, the rate at which the system generates money through sales, rather than the building of inventory, as being the principal measure. This suggests that conventional accounting practices, which treat inventory as an asset, lead to unsatisfactory decision-making: there was an incentive to build inventory and keep machines busy. This view has, to some degree, been accepted by the accounting profession (Noreen, Smith et al., 1995).
Anything that prevents a company from reaching its goal of making more money, now and in the future, is termed a constraint. Examples are lack of capacity, market demand, behaviour and management policies. The focussing steps are an aide-mémoire to locate and deal with constraints in the system’s performance:
• Identify the system’s constraint
• Decide how to exploit the constraint, i.e. make the best of what is there
• Subordinate every other improvement activity to Step 2
• Try to break the constraint
• If the constraint is broken, go back to Step 1 and look for the problem which has now become the constraint
(Goldratt, 1984).
The iterative nature of this process is along the lines advocated by Deming (1993) in seeking continuous improvement.
Identifying and eliminating constraints has proved of value in production. Dettmer (1998) cites the case of improvement in custom-building cars at General Motors. The improvement was so great that this became the primary means of car
experience of various management systems (Callender, 2004). They had had little success with such methods as ‘Just-in-time’ and TQM, and decided to adopt a single business theory, influenced by The Goal (Goldratt, 1984). They trained not only management, but the entire workforce. Over-production and waste were eliminated, and among other results lead-time reduced from 5-6 weeks to 3-4 days.
Ford Electronics recognised the transferability of TOC principles from heavy engineering, and greatly reduced cycle-time thereby. Likewise, the principles have been found to be transferable to the problem of reducing waiting times and congestion in medical treatment (Garner and Bailey, 1992; Retstein et al., 2002) while drug companies reported favourable results by focussing their efforts on promising candidates for production (Heard, 2004). In banking, identification of constraints in the form of obsolete policies and procedures was reported to have significantly improved operational performance (Bramorski et al., 1997).
The logical thinking processes developed in ‘It’s Not Luck’ (Goldratt 1994) use a series of cause and effect diagrams to analyse the problems and their solutions. They are directed to finding the one or a few core problems from which all the other undesirable effects in a system spring: these are the system constraints.
As with the search for constraints, the application of the Logical Thinking Processes has been found not to be restricted to production manufacturing. For example, Hunnink (2001) used one of the logical tools (the Conflict Resolution Diagram, discussed later) to enable clinicians to discuss underlying assumptions, search for the best available evidence, and make well-founded decisions.
The Thinking Process tools were used by the British infrastructure group, Network Rail, who applied them to modelling the flow and capacity of the rail network (Network Rail, 2005).
The Logistics tools have received wide acceptance in the US military. For example, Air Logistics Command adopted the TOC principles officially, under the name ‘Lean Logistics’ (Hinnenburg et al., 1996).
Dettmer (1998) gives two illustrations of the possible use of the Thinking Process tools in aircraft accident investigation. First he illustrates the need for profound knowledge of a system being analysed, and then goes on to examine the use of a Current Reality tree to organise the information in an accident report.
Deming (1993) said that effective transformation of a system is not possible without profound knowledge of that system. (This is in line with the view of O’Hare (1994) that the investigation of accidents is the application of expert knowledge.) Deming advocated, as part of that ‘profound knowledge’, a ‘Theory of Knowledge’: knowing what is known about the system, whether guesswork, or from observation, or from generalising observations into hypotheses. Confidence in knowledge about the system comes from the source, structure and reliability of that knowledge (p. 45).
Dettmer relates this need for profound knowledge to the need for understanding cause and effect, as in the Thinking Process logic trees. He illustrates the need for a profound depth of knowledge of how the system is supposed to work by reference to the mechanics of a take-off accident involving a B-52 bomber. It would not be possible to comprehend this accident without understanding of the fuel system, the flight control system, propulsion and aerodynamics. The CRT which he produces to display the known information is exactly analogous to a MES graph, but since the participants are not separately identified as in MES, visualisation is more difficult. This description of the detail of the accident sequence would probably be a nested element of a CRT showing underlying causation, but has no advantages over MES, and the drawback of more difficult visualisation.
The use of a CRT to organise the information from an accident investigation is illustrated using the Challenger report (Presidential Commission 1986). The purpose here is similar to that used by the present author to organise the complex information to assist the Skyferry Inquiry (Zotov 1996). While the demonstration is successful, the lack of specific relative timing, and of clear lines showing the various participants, again makes visualisation more difficult. Such a presentation could be a precursor to a search for core problems, and the construction of a FRT, but Dettmer does not pursue these developments.
information from accidents may be able to be displayed in a Current Reality Tree. That being so, it should be possible, in principle, to isolate underlying core problems behind the ‘undesirable effect’ of an aircraft striking the ground.
While Throughput Accounting and the logistics methods are not applicable to safety analysis, the concept of core problems is analogous to the ‘silver bullet’ approach to system safety. In arguing against attempts at piecemeal improvement, Goldratt (1984) is in effect arguing that the ‘creeping tide’ approach to improvement is ineffectual. The Logical Thinking Process will be examined in detail in the next section.