STAMP-Based HRA Considering Causality Within a Sociotechnical System

Abstract

Objective:

The study contributes to human reliability analysis (HRA) by proposing a method that focuses more on human error causality within a sociotechnical system, illustrating its rationality and feasibility by using a case of the Minuteman (MM) III missile accident.

Background:

Due to the complexity and dynamics within a sociotechnical system, previous analyses of accidents involving human and organizational factors clearly demonstrated that the methods using a sequential accident model are inadequate to analyze human error within a sociotechnical system.

Methods:

System-theoretic accident model and processes (STAMP) was used to develop a universal framework of human error causal analysis. To elaborate the causal relationships and demonstrate the dynamics of human error, system dynamics (SD) modeling was conducted based on the framework.

Results:

A total of 41 contributing factors, categorized into four types of human error, were identified through the STAMP-based analysis. All factors are related to a broad view of sociotechnical systems, and more comprehensive than the causation presented in the accident investigation report issued officially. Recommendations regarding both technical and managerial improvement for a lower risk of the accident are proposed.

Conclusion:

The interests of an interdisciplinary approach provide complementary support between system safety and human factors. The integrated method based on STAMP and SD model contributes to HRA effectively.

Application:

The proposed method will be beneficial to HRA, risk assessment, and control of the MM III operating process, as well as other sociotechnical systems.

Keywords

human error causal relationship sociotechnical system STAMP system dynamics

In the operating process of sociotechnical systems (such as aviation, marine, military, and nuclear industry), a large proportion of accidents are human-related. Griffith and Mahadevan (2011) stated that human error has been implicated in 30% to 90% of all industrial accidents. Human reliability analysis (HRA) deals with evaluating the risks caused by human error (Boring & Bye, 2008; Boring, Oxstrand, & Hildebrandt, 2009; Ung & Shen, 2011). In general, HRA has three fundamental functions (Ung & Shen, 2011): the identification of human error (Antonovsky, Pollock, & Straker, 2010; O’Connor, O’Dea, & Melton, 2007), the prediction of the likelihood associated (Gertman, Blackman, Marble, Byers, & Smith, 2005; van de Merwe, Øie, & Gould, 2012), and the reduction of the likelihood if required (Boring, 2009; Sheridan, 2008). There are numerous HRA methods that provide procedures for these fundamental functions, such as technique for human error rate prediction (Vaurio, 2001), human error assessment and reduction technique (Williams, 1988), and others. Although these HRA methods have solved a large number of problems in some areas, there are some limitations when analyzing causality within a sociotechnical system (Paletz, Bearman, Orasanu, & Holbrook, 2009; Strauch, 2010). One of the major limitations is that few existing models attempt to provide a causal picture of human errors (Groth & Mosleh, 2012). Another major limitation is that most HRA methods are static analyses, and the calculated likelihood of human error (LHE) is constant under the given conditions. However, when considering the dynamic behaviors within a sociotechnical system, the LHE is not necessarily stable but may vary enormously with social and technical factors such as management, personal moral state, and so on.

To gain a good or better understanding and a comprehensive awareness of human error in sociotechnical systems, it is significant to use a systemic approach to consider all the aspects that may lead to hazardous events. Systems-theoretic accident model and processes (STAMP; Leveson, 2011) is one of the typical systemic models. STAMP provides an approach to analyzing human error, equipment failure, and other components that may cause accidents, and it is appropriate particularly to complex sociotechnical systems.

System Dynamics (SD) deals with the time-dependent behavior of managed systems, with the aim of describing the system and understanding, through qualitative and quantitative models, how information feedback governs its behavior, and designing robust information feedback structures and control policies through simulation and optimization. (Coyle, 1996, p. 10)

When analyzing human factors in accidents, SD can be taken as a means to depict the system behaviors, including the interactions among human error and other contributing factors, whereas the mechanism within the system behaviors is modeled with STAMP.

This paper aims to propose a HRA method by highlighting causality within a sociotechnical system. This method will be capable of accommodating modeling of all the factors that contribute to human-related accidents, including performance shaping factors (PSFs) that should be considered in a sociotechnical system. First, STAMP approach is used to form a generic framework of human error causal analysis. Next, to model and analyze the behavior dynamics of human error, the SD model is established based on STAMP-based analysis results. Furthermore, the recommendations on risk mitigation are proposed to support effective control of human error.

Method

STAMP was proposed based on the cybernetics of systems theory (Leveson, 2011). In STAMP, the most basic concept is not “event,” but “constraint,” which means that safety becomes a control problem where the goal of the control is to effectively enforce the safety constraints. The cause of an accident, instead of being understood as a series of events in the sequential accident models (e.g., domino [Darbra, Palacios, & Casal, 2010], Swiss cheese [Reason, Hollnagel, & Paries, 2006], etc.), is viewed as the result of inadequate control or enforcement of the safety-related constraints during system development and operation (Leveson, 2011). The sociotechnical system is accordingly viewed as a hierarchical control structure, where the controllers at each level impose constraints on the activities at the lower level(s).

To depict the dynamic processes responsible for the changes in the system, and to build the safety control structure with STAMP, the SD modeling is adopted as an effective tool. Causal loop diagram (CLD) and stock and flow diagram (SFD; Dangelicon et al., 2010) are commonly used in SD modeling to illustrate the interacting structure within the system to be investigated. Causal loop diagramming, as an inherent feature of SD, is a qualitative technique used to model the real world (Sterman, 2000). A CLD seeks to highlight complex interactions and feedbacks between variables, where causes and effects are often indiscernible (Goh, Love, Stagbouer, & Annesley, 2012). If quantitative SD analysis is required, the CLD can then be converted into the SFD provided that the underlying mathematical correlations between the variables are set. It is important to note that the data collection should be sufficient to validate the SFD model and verify its output.

Based on STAMP and SD, a formalized framework is developed, as shown in Figure 1, to conduct HRA with an accident taken as a case. The framework consists of the following six components, which are cascaded to demonstrate how the data extracted from real world end up contributing to actions that can backward make the real world safer, through the efforts in regard to STAMP-based HRA thinking.

Figure 1.

The STAMP-based HRA framework.

Component A: Description of the Human-Related Accident Timeline and Background

For the human-related accident to be analyzed, the timeline needs to be identified first so that the operating process involved can be understood. To identify the potential human error, the human activities should be highlighted along the timeline. Besides, as much information associated with the accident is also required as possible. Both the efforts are necessary to provide STAMP-based HRA with the supporting information in the following components.

Component B: Description of the Accident Causes Identified in the Official Accident Report

Abundant information about accident causes could be extracted from the accident report issued officially, to facilitate the understanding of the mitigation in human error or other risk aspects. However, it is more favorable if such insights can be obtained before accidents occur than after that. With the aim of comprehensively understanding the causality and thus having the foresight to prepare technologically in case of accidents, a broad view of accident mechanisms can be analyzed based on the data coming from the official accident report.

Component C: Modeling of the Sociotechnical System With STAMP to Describe the Mechanism Within the System Behavior

Step C-a: Identify human errors and all the human-related contributing factors in the accident

First, human errors and all the human-related contributing factors must be identified. Systematic analysis based on STAMP is needed because people are facing increasingly complex accident processes where the factors contributing to human error often exist in almost all the aspects of a sociotechnical system. Leveson (2011) provides a generalized accident analysis process called CAST (causal analysis based on STAMP), from which some core steps are borrowed and adopted with some degree of modification to analyze human-related accidents. Step C-a is described in Table 1, where Steps 1 and 3 are borrowed from CAST (Leveson, 2011).

Table 1:

Step C-a of STAMP-Based HRA

No.	Steps of the STAMP-Based Analysis
Step 1	Identify the safety constraints and the system requirements associated with that accident. Document the hierarchical structure of safety control in place to control the hazards and enforce the safety constraints.
Step 2	Identify and analyze the factors of human-related hazards in the operating process. Discuss how the combination of human factors and others influences the occurrence of the accident.
Step 3	Moving up to the levels of the safety control structure, determine how and why each successive higher level allows or contributes to the inadequate control at the current level.
Step 4	Summarize the human errors and all the human-related contributing factors.

Step C-b: Analyze the causal relationships among human errors and human-related contributing factors, and identify the PSFs

The causal relationships include two parts: the effects between human errors and human-related contributing factors, and the effects among only the contributing factors. The former is usually analyzed prior to the latter. According to the degree of influence of the human related contributing factors on human errors, the identified contributing factors are then classified into two types: direct influencing factors and indirect ones. In particular, the feedback is one of the basic concepts in STAMP, acting an important role when safety is treated as a control problem. There are feedback effects of human errors on other social and technical factors such as management, personnel, and so on. All the feedback effects of human errors on other factors should be identified as well. When determining PSFs, the direct human-related contributing factors are considered. Gertman et al. (2005) provides the references that the ideal mean LHE can be taken as a function of PSF influence, showing that the relationships between LHE and PSFs are positively correlated, that is, LHE increases as the negative influence of the PSF grows.

Component D: System Dynamics Modeling

Step D-a: Determine the CLDs

The causal relationships identified in Component C are used to construct the CLD. The polarity of link between a causing factor and the one affected by it is determined for each pair of them, with the causal loops and their types identified. The time lags are marked based on the time-delay-related contributing factors identified in Component C, and on the objective control or feedback delay between the higher and the lower levels in control structure.

Step D-b: Discuss the dynamics in system behavior and human error

Loop dominance is an important concept in SD as a shift in loop dominance is responsible for most of the nonlinear behavior of complex systems (Goh, Love, Brown, & Spickett, 2012; Richardson, 1995). It is adopted here to analyze the possible dynamics in system behavior and human error by analyzing the migration from the favorable state (safety) to an accident. The potential change from a dominant loop into another is discussed to identify the key factors and effects during the migration, which will consequently be given a higher priority to consider when making recommendations on risk mitigations.

Component E: Comparison of C to B, and of D to B

As mentioned in Component B, the analysis results in Components C and D are compared with the investigation and analysis shown in the official accident report to determine any more of constructive information (i.e., more elaborated or comprehensive description of accident scenarios) concluded from the approach proposed in this paper than demonstrated apparently in the accident report. The comparison assists in comprehensively understanding the mechanism of the accident and human error, as well as the dynamics in the system state migration, so as to prevent future accidents.

Component F: Actions to Control Human Error and Improve Safety

The feasible recommendations for the risk mitigations are proposed to control human error and improve safety.

Minuteman (MM) III Case Study

By taking a human-related fire accident during the MM III operating process as a case, the application of the proposed method to the improved HRA is illustrated in this section.

Component A: Description of the Human-Related Accident Timeline and Background

On May 23, 2008, a fire broke out in the MM III launch facility (LF) A06, located near F. E. Warren Air Force Base (AFB), Wyoming. Fortunately, the fire did not damage the missile. According to the accident report (Walker, 2008) issued officially, the fire caused an estimated $1,029,855.77 in damage. The direct cause of the accident was related to a loose connection on the capacitor C101A of the battery charger inside A06’s launcher equipment room (LER), but human error played an important role in the accident causes as well. Table 2, refined from the accident report (Walker, 2008), shows the timeline of the human-involved situations and other factors.

Table 2:

Timeline of the MM III Accident

Time	Human Activities in Operation and Maintenance	Situations of Environment and Equipment
December 5, 2007	• The 90th Missile Maintenance Squadron (90 MMXS) personnel initiated an operating sequence to replace A06’s battery charger. The battery charger is located inside the LER. It charges the LF batteries and provides emergency power supply to the LF. • The 582d Missile Maintenance Squadron (582 MMXS) completed the modification of the battery charger, but the LF’s battery charger had a loose electrical connection on a capacitor terminal caused by inadequate technical order.
December 12, 2007	• Boeing Company technicians installed the new environmental control system (ECS). Its function is drawing air from within the LER through its air handler. The ECS’s chiller then cools the air and recycles it by getting it back into the LER. But the new ECS eliminated the addition of fresh air, called makeup air, into the LER.
March 4, 2008	• An electro-mechanical maintenance team (EMT) from the 90 MMXS installed the new battery charger at A06.	• Between March 4 and May 23, the batteries were overcharged due to the loose connection, which created excessive hydrogen gas (H₂) inside the LER.
May 23, 2008, 16:00–17:00 Mountain Standard Time (MST)		• There were approximately eight lightning strikes within one mile of A06, which caused a commercial (primary) power interruption.
May 23, 2008, 16:34 MST		• The LF switched automatically to the backup power supply provided by a set of batteries located in the lower LER.• A06 reported a series of ground maintenance responses (GMRs), which are electronically transmitted alarms, including GMR2 (primary power or battery power failure), GMR26 (equipment inlet air temperature), GMR27 (equipment inlet air flow abnormal), GMR28 (launch tube temperature alarm), and GMR29 (launch tube flooded). It is normal to report the GMRs when there is an interruption in commercial power, and they will usually be cleared when the commercial power is restored.
May 23, 2008, 16:34–16:38 MST		• An accidental spark or fire at the loose connection inside the battery charger ignited the gas (H₂) inside the LER.
May 23, 2008, 16:38 MST	• The missile combat crew (MCC) notified the Missile Maintenance Operations Center (MMOC) of the GMRs reported at A06.	• A06 reported a fault in the missile suspension system (GMR 30).
May 23, 2008, 22:41 MST		• All GMRs were cleared except for GMR28 and GMR30.
May 28, 2008	• An EMT from the 90 MMXS went to A06 to attempt to clear the GMR30. The task required the team members to enter the LER, where they discovered the evidence of a fire that had occurred.

Source. Adapted from Walker (2008).

Component B: Description of the Accident Causes Identified in the Official Accident Report

In the Statement of Opinion section of the accident report, Walker (2008) stated that “the loose connection was most likely caused by the failure of the technician who installed the capacitor to securely fasten the nut,” and concluded that the following factors substantially contributed to the accident (Table 3).

Table 3:

Contributing Factors to the MM III Accident

No.	Contributing Factors of the Accident
1	The technical order (TO) provided inadequate direction to the technicians, which allowed the variation in fastening the capacitor connection wires and caused the loose connection.
2	The quality assurance (QA) evaluation procedure did not require a visual hardware check to validate proper installation of the capacitors.
3	The modification of A06’s ECS required a sealed makeup air line at A06, which eliminated the addition of fresh air into the LER and thus caused accumulation of H₂.
4	The use of duct tape on the lower umbilical cables introduced a flammable substance, and the holes cut in the shotgun case exposed the internal foam insulation to the fire.

Source. Adapted from Walker (2008).

Walker (2008) presented a reasonable explanation for the accident, and expounded the causation especially concerning the component failure and human error in the operating and maintenance process. However, further analysis by looking into causality among the technical, organizational, and managerial factors can be performed based on the views of Walker (2008).

Component C: Modeling of the Sociotechnical System With STAMP to Describe the Mechanism Within the System Behavior

Step C-a: Identify human errors and all the human-related contributing factors in the accident

The analyses of steps in Table 1 are described later. Step 1: For the hazard of the fire, the safety constraint at the system level can be defined as follows: to avoid the concurrence and the interaction of flammable substances, oxidizer, and ignition source.

As implied in the accident description, the hierarchical control structure to enforce the safety constraint is shown on the left side of Figure 2. All the controllers in the hierarchical structure, including the operators and managers, play roles in enforcing the system-level constraint to prevent the fire accident. The specific safety-related requirements and constraints for each controller are shown on the right side of Figure 2.

Figure 2.

The overall safety control structure and the safety constraints.

Step 2: The control structure in the operating process at the time of the accident is shown in Figure 3, where the dotted line means the ineffective or missing controllers and control/feedback channels. The causal analysis results are shown in Table 4, including the identification of each controller’s behaviors or states that can lead to the accident, together with the classification of the contributing factors identified, and some basis for judgment as well as assumptions. The identified contributing factors in the operating process are numbered by OP (short for operating process).

Figure 3.

The control structure in the operating process at the time of the accident.

Table 4:

The Causal Analysis Results Based on STAMP for the Operating Process

Controller	No.	Contributing Factors	Classification	Basis of Judgment and Assumptions
Equipment	OP1.1	The loose connection at the capacitor C101A of the battery charger caused excessive hydrogen gas inside the LER.	Controlled component failures	It is assumed that the system-level safety constraints of avoiding the concurrence and interaction of flammable substances, oxidizer and ignition source was violated.
	OP1.2	The loose connection caused an electrical spark or fire inside the battery charger.
	OP1.3	The new ECS eliminated the addition of fresh air into the LER.	Dysfunctional interactions	“The modification of A06’s ECS required sealed make-up air line at A06, which eliminated the addition of fresh air into the LER and caused accumulation of H₂” (Walker, 2008).
	OP1.4	Aging of equipment caused the false alarms of launch facility monitoring system, and brought about the flammable cable and duct tape.	Controlled component failures	“Aging Minuteman II sites were refurbished and modified to hold them [the MM III missile]. They [missile wing] still use the same old MMII LCC’s, intersite cabling, and so on” (“Explore the US ICBM Network,” n.d.) And it is assumed that the false GMRs reported with aging equipment slackened the vigilance of operators.
MCC	OP2.1	There were missing or wrong implementation of policies, orders, and instructions from the 90MW, e.g., delayed or missing site supervision.	Delayed or missing control action	“On 28 May 2008, a maintenance team sent to resolve faults reported by sensors inside the LF discovered the evidence of the fire” (Walker, 2008). It was five days since the accident, so it is assumed that the MCC did not keep adequate communication with the MMOC during those five days.
	OP2.2	There were missing or delayed periodical inspection of the LF.	Missing control action	“A loose connection on capacitor C101A of the battery charger . . . was not detected or corrected by routine equipment inspections of the facility” (Walker, 2008), and it caused the month-long accumulation of H₂.
	OP2.3	MCC thought the equipment were always normal whether the inspections were implemented or not.	Incorrect process model	Walker (2008) says “the Alpha flight MCC had sufficient planning to appropriately respond to the mishap at A06 on 23 May 2008,” but no timely actions of site inspection were taken by MCC after the GMRs are reported.
	OP2.4	MCC over relied on the monitoring system whereas there was something that the system cannot monitor.
	OP2.5	MCC allowed the flammable substances to be in the LER, which consisted of flammable shotgun and duct tape.	Incorrect process model	The MCC did not and would not implement flammable substances management rules of “4.1 nuclear weapons shall not be intentionally exposed to abnormal environments except in an emergency” (U.S. Department of the Air Force, 2006), because their “mental model” was that shotgun keeping was reasonable and made sense, e.g., shotgun was kept for the security purpose.
MMOC	OP3.1	Arrival at the LF of the maintenance team sent by MMOC was delayed.	Delayed control action	“On 28 May 2008, a maintenance team sent to resolve faults reported by sensors inside the LF discovered the evidence of the fire” (Walker, 2008). It was five days since the accident.
	OP3.2	MMOC mistook the GMRs for false alarms when they were not.	Incorrect process model	It is assumed based on the delayed arrival at the LF of the maintenance team (OP3.1) and the aging of equipment (OP1.4).

Step 3: The expanded insight into the accident causes based on the views shown in the accident report is obtained in this step. The analysis results are summarized in Figure 4 and Table 5. Similarly to Step 2, the identified contributing factors at the higher levels of the control structure are numbered by MD (short for management department).

Figure 4.

The control structure analysis toward the controllers at the higher levels.

Table 5:

The Causal Analysis Results Based on STAMP for the Higher Levels of the Control Structure

Controller	No.	Contributing Factors	Classification	Basis of Judgment and Assumptions
90MW	MD1.1	Orders, standards, and regulations from the MDIBM (such as flammable substance management rule) were missing or wrong.	Wrong or missing control input	The section 4.1 of safety rules AFI91-166 in 2006 says “nuclear weapons shall not be intentionally exposed to abnormal environments except in an emergency” (U.S. Department of the Air Force, 2006), but flammable materials (the shotgun and duct tape) still occurred in the LER in the accident (in 2008). So it is assumed that the situation had lasted for two years at least.
	MD1.2	The safety culture construction was incomplete.	Ineffective control action	It is assumed to be based on the existence of flammable materials in LER (OP2.5) and the delayed team sending (OP3.1), which implied a weak safety culture.
	MD1.3	90MW thought the MCC and MMOC had received the orders or task plan information whereas they had not.	Inconsistent process model	It is assumed to be based on the delayed control actions (OP2.1, OP3.1) and the incorrect process model (OP2.5) of MCC and MMOC.
	MD1.4	90MW thought the MCC and MMOC had implemented the task plans and safety rules correctly whereas they had not.
	MD1.5	There was task pressure from resources or finance on the supervision and management of the MCC and MMOC.	Context and environment	It is assumed that it may cause delayed team sending (OP3.1) due to the shortage of hands or resources.
	MD1.6	There was a lack of communication with the MCC and MMOC.	Context and environment	It is assumed to be based on the long inadequate management (MD1.1) and the long time without any accident, which implied that the managers were not likely to pay much attention to safety aspects.
582 MMXS	MD2.1	The equipment improvement & maintenance plan and technical documents from the IMMD were missing or wrong.	Wrong control input	“582 MMXS procedures for QA evaluation of battery charger modifications and maintenance did not require visual or other direct inspection of the capacitor installation, which might have detected and corrected the loose connection” (Walker, 2008). It may cause controlled component failures (OP1.1, OP1.2).
	MD2.2	The technical documents including TO were inappropriate.	Inappropriate control action	The TO provided inadequate and vague direction of “fasten the nuts with 3/8 inch wrench” (Walker, 2008), which failed to provide the technicians with a specific torque value of the capacitor connection, and caused the loose connection.
	MD2.3	582 MMXS thought the LF and the missile were in good condition when they were not.	Inconsistent process model	It is assumed to be based on the aging of the old MM II equipment (OP1.4) and the old 1996 document T.O.21M-LGM30G-863 for modifications of battery chargers.
	MD2.4	The equipment improvement & maintenance plan and technical documents were delayed being updated.	Delayed control action	The old 1996 document T.O.21M-LGM30G-863 for modifications of battery chargers was not suitable for the new modification conducted in 2007.
	MD2.5	The problem reports and safety reports were missing.	Inadequate or missing feedback	It is assumed that it may cause inconsistence in the process model of managers, which contributes to the inadequate or delayed management and control (MD2.4).
	MD2.6	Error in modifying the battery charger caused the loose connection.	Inappropriate control action	The error in the modification was related to the inappropriate TO, which caused technician error.
	MD2.7	The training for technicians was insufficient.	Context and environment	“Training records from the 582 MMXS do not specifically list battery charger modification as a trained task” (Walker, 2008).
	MD2.8	There was pressure from resources or finance on supervision and management of the equipment	Context and environment	It is assumed that it may cause a delay or stop in the equipment improvement, e.g., replacing the shotgun or duct tape with nonflammable materials.
IMMD	MD3.1	There was deficiency in the QA procedure of equipment improvement & maintenance.	Ineffective control action	It is assumed that it may cause the wrong control input at the lower level (MD2.1).
	MD3.2	IMMD thought the improved equipment had satisfied the safety requirements in the operating process.	Inconsistent process model	The approved modifications of battery chargers and the ECS are taken as contributing factors of the accident (OP1.1, OP1.2, and OP1.3).
	MD3.3	IMMD thought the safety measures and rules were effective when they were not.	Inconsistent process model	It is assumed to be based on the existence of flammable materials in LER (OP2.5) and the delayed team sending (OP3.1).
	MD3.4	The design and safety technical documents were delayed being updated or wrongly updated.	Inappropriate control action	It is assumed that it may cause the inappropriate control actions at the lower level (MD2.2).
	MD3.5	There was pressure of equipment improvement schedule from the MDIBM	Context and environment	It is assumed that the pressure of launching capability and task from the higher levels may cause the delay in updating TO, training and hiring plan, as well as cause other thoughtless decisions.
	MD3.6	The training for technicians was insufficient.	Context and environment	No adequate training decision plan was made, which caused the insufficient training for technicians (MD2.7).
MDIBM	MD4.1	MDIBM thought the safety management and techniques had been implemented effectively in the operating processes whereas they had not.	Inconsistent process model	It is assumed to be based on the aging of the old MM II equipment (OP1.4), the old 1996 document T.O.21M-LGM30G-863 for modifications of battery chargers, and on the weak safety culture (MD1.2).
	MD4.2	MDIBM thought the safety measures were effective whereas they were not.
	MD4.3	MDIBM thought the risk level was low since no accident happened in the operating processes.
	MD4.4	MDIBM thought the missile body was more important than its supporting site equipment in the LF, whereas they were equally important.	Inconsistent process model	“All the bases still in operation have been converting their missiles to Minuteman III’s—just the missiles and necessary electronics, not a complete rebuild of the silo” (“Explore the US ICBM Network,” n.d.).
	MD4.5	MDIBM thought the techniques were more important than management whereas they were equally important.	Inconsistent process model	It is assumed to be based on the insufficient implementation of management rules in the operating process, e.g., the delayed control actions of the MCC (OP2.3) and MMOC (OP3.1).
	MD4.6	The accident reports and hazard reports from lower level controllers were delayed or missing.	Delayed or missing feedback	It is assumed that it may cause the inconsistence in the process model of managers, which contributes to the inadequate or delayed management and control.
	MD4.7	Insufficient safety requirements were conveyed to the IMMD.	Inappropriate control action	It is assumed to be based on the inconsistence in the process model of managers (MD4.1, MD4.2, and MD4.3), which caused insufficient modifications of safety requirements (OP1.3).
	MD4.8	Insufficient safety assessment was conducted for the equipment improvement & maintenance task	Inappropriate control action	It is assumed to be based on the dysfunctional interactions of the new-installed ECS (OP1.3).
	MD4.9	The supervision and control of the 90MW and IMMD was insufficient.	Inappropriate control action	It is assumed to be based on the inadequate control at the lower level (90MW and IMMD).
	MD4.10	There was pressure from the national strategies and the commitment to launching capability.	Context and environment	“The Air Force is replacing the propulsion and guidance systems . . . at a total cost of $5 billion . . . the three-warhead configuration is scheduled to be replaced by the Peacekeeper (W87) warhead” (McKinzie, Cochran, Norris, & Arkin, 2001).

Step 4: Based on the contributing factors identified in Tables 4 and 5, all the human errors in the operating and maintenance process, which are numbered by HE, are summarized in Table 6.

Table 6:

Human Errors in the MM III Accident

No.	Description of Human Errors	Derived From
HE1	There was no periodical inspection of the LF, which allowed the hazards to propagate and induce the accident.	OP2.2
HE2	Flammable substances were allowed to be there in the LER, which allowed the hazards to propagate and induce the accident.	OP2.5
HE3	The maintenance team was delayed being assigned to the LF, which contributed to the damage caused by the accident.	OP3.1
HE4	There was a human error in the modification of the battery charger, causing the loose connection.	MD2.6

Considering the complex causal relationships among the contributing factors and human errors, all the identified human-related contributing factors are categorized according to their relationships with human error and shown in Table 7 to facilitate the analysis in Step C-b.

Table 7:

The Categorization of the Identified Human-Related Contributing Factors

The Relationship to Human Error	Categorization	No. of the Contributing Factors
Refers to the false alarms of the equipment caused by aging, which slackened vigilance of the operators.	Equipment technology level	OP1.4
Contains the factors regarding obsolete experience in the operating and maintenance processes.	Experience	OP2.4, MD2.7
Contains the factors regarding labor pressure in the operating and maintenance processes.	Task pressure	OP2.1, MD2.1, MD2.2, MD2.4
Includes the factors about a weak safety awareness.	Personal commitment to safety (a measure of safety awareness for personnel)	OP2.3, OP3.2
Comprises the control flaws in training, task planning and the construction of safety culture.	Management commitment to safety: (a measure of safety assurance for managers)
	Training	MD1.4, MD2.3, MD3.2, MD3.3, MD3.6, MD4.9
	Task planning	MD1.5, MD2.8, MD3.4, MD3.5, MD4.7, MD4.8
	Safety culture	MD1.1, MD1.2, MD1.3, MD1.6, MD2.5, MD3.1, MD4.1, MD4.2, MD4.3, MD4.6, MD4.9
Refers to the views that launching capability is prior to safety in the management department.	Management commitment to launching capability (a measure of launching capability assurance for managers)	MD4.4, MD4.5, MD4.10

Step C-b: Analyze the causal relationships among human errors and human-related contributing factors, and identify the PSFs

The analysis results of the effects among human error and human-related contributing factors are listed in Table 8. According to the categorization of identified human-related contributing factors, the analysis is elaborated as follows.

Table 8:

The Summary of the Identified Causal Relationships

No.	Causal Relationships Among All the Accident-Contributing Factors
No.	From	To
Effect 1	Equipment technology levelOP1.4	Human errorHE1, HE3
Effect 2	ExperienceOP2.4, MD2.7	Human errorHE1, HE2, HE4
Effect 3	Task pressureOP2.1, MD2.1, MD2.2, MD2.4	Human errorHE2, HE3
Effect 4	Personal commitment to safetyOP2.3, OP3.2	Human errorHE1, HE3
Effect 5	TrainingMD1.4, MD2.3	ExperienceOP2.4, MD2.7
Effect 6	Task planningMD1.5, MD2.8	Task pressureOP2.1, MD2.1, MD2.2, MD2.4
Effect 7	Safety cultureMD1.1, MD1.2, MD1.3, MD1.6	Personal commitment to safetyOP2.3, OP3.2
Effect 8	Management commitment to safetyMD3.2, MD3.3, MD3.6, MD4.9	TrainingMD1.4, MD2.3
Effect 9	Management commitment to safetyMD3.4, MD3.5, MD4.7, MD4.8	Task planningMD1.5, MD2.8
Effect 10	Management commitment to safetyMD3.1, MD4.1, MD4.2, MD4.3, MD4.6, MD4.9	Safety cultureMD1.1, MD1.2, MD1.3, MD1.6
Effect 11	Management commitment to launching capabilityMD4.4, MD4.5, MD4.10	Management commitment to safetyMD3.1, MD3.2, MD3.3, MD3.4, MD3.5, MD3.6, MD4.1, MD4.2, MD4.3, MD4.6, MD4.7, MD4.8, MD4.9
Human error feedback 1	Human errorHE1, HE2, HE3, HE4	Personal commitment to safetyOP2.3, OP3.2
Human error feedback 2	Human errorHE1, HE2, HE3, HE4	Management commitment to safetyMD3.1, MD3.2, MD3.3, MD3.4, MD3.5, MD3.6, MD4.1, MD4.2, MD4.3, MD4.6, MD4.7, MD4.8, MD4.9
Human error feedback 3	Human errorHE1, HE2, HE3, HE4	Management commitment to launching capabilityMD4.4, MD4.5, MD4.10

Equipment technology level (Effect 1)

The inadequate human-related control (HE1, HE2) in the operating process was exacerbated with the degraded equipment technology level (OP1.4). As the supporting site equipment in the LF were still those for the older Minuteman II (“Explore the US ICBM Network,” n.d.), the equipment technology level since the MM II version (completed in 1967) was in a decreasing trend year by year, according to the reliability theory. The false alarms caused by aging of the equipment slackened vigilance of the operators, and could increase the occurrence of human error.

Experience (Effect 2)

The MCC dealt with GMRs in terms of their obsolete experience (OP2.4), which was related to the HE1. The MCC allowed flammable substances to be there according to their obsolete experience related to HE2. Because there was no training task for the battery charger modification (MD2.7), 582 MMXS performed the modification based on the obsolete experience related to HE4. The personal experience is influenced by accumulation of the training and working experience, and has a direct effect on human error.

Task pressure (Effect 3)

The pressure from resources or finance on supervision and management of the equipment (MD1.5) may cause missing or wrong implementation of site supervision, which is due to the shortage of hands or resources. This has a direct effect on HE2. The task pressure on supervision and management of the equipment (MD2.8) may cause a delay or stop in the equipment improvement, such as replacing the shotgun or duct tape with nonflammable materials, and it has a direct effect on HE4. From the view of human error, the task pressure is related to mandatory tasks and available human resources.

Personal commitment to safety (Effect 4)

The inadequate control action of the MCC (HE1) and the delayed control action of the MMOC (HE3) reflected a weak personal commitment to safety in both the mindset and actions (OP2.3 and OP3.2). It was the long term without any accident that the weak personal commitment to safety was exacerbated by, which definitely meant a high risk. Hence, personal commitment to safety has a direct effect on human error, and it is influenced by the safety culture involved in management commitment to safety.

Management commitment to safety (from Effect 5 to Effect 10)

Management commitment to safety has an indirect influence on human error. The contributing factors from training, task planning and safety culture in the higher levels of control structure indicates the insufficient attention of managers paid to safety. The flawed management of training and task planning affects personal experience and task pressure. The weak safety culture influences personal commitment to safety that consequently influences human error directly.

Management commitment to launching capability (Effect 11)

The main objective of a missile wing is to get more powerful launching capability. It has an unapparent influence on human error, whereas it has an effect on management commitment to safety. Due to the pressure from national strategies and commitment to launching capability, most managers tend to think the launching capability is more important than safety (MD4.4, MD4.5, MD4.10).

Human error feedback (1, 2, 3)

Based on the safety control structure, the managers should create control according to the information or reports got from feedback channels. When human error is focused on, the LHE can be viewed as a type of report, which is a measurement of system risk. When human error is detected by managers, related response will be made by managers, just as the incident rate as a risk measurement in references (Mohaghegh, Kazemi, & Mosleh, 2009; Ouyang, Hong, Yu, & Fei, 2010; Zhang & Li, 2009). Hence, the feedback effects are reflected in management commitment to safety (human error feedback 2) and to launching capability (human error feedback 3). When personnel operated in process and were aware of their error, personal commitment to safety will be increased to improve their behaviors, and thus the other feedback effect of human error (i.e., human error feedback 1) is put on personal commitment to safety.

In summary, equipment technology level, experience, task pressure, and personal commitment to safety have direct influences on human error, and they should be identified as PSFs, whereas management commitment to safety and management commitment to launching capability have indirect ones.

Component D: System Dynamics Modeling

Step D-a: Determine the CLDs

All the causal relationships among human errors and human-related contributing factors identified in Component C are combined with the basic structure of CLD (Figure 5), and thus the causal relationships in Figure 5 are essentially based on the control and feedback among controllers or levels in the control structure. In the form of causal loops, all the relationships in the operation system involved in the MM III accident are described; also, the development mechanism of human error identified by means of STAMP-based analysis is presented.

Figure 5.

The causal loop diagram (overview) of the MM III operation system.

Loop B1 represents the dynamics of training efforts to accumulate the personal experience and control human error, made by managers at the higher level in the control structure. Similarly, Loop B2 and B3 represent the task planning efforts to release personal pressure and the safety improving efforts to enhance personal awareness respectively. Although it appears that the three loops are helpful in reducing the LHE, it is critical to note that there tends to be time lags between the strategy of management commitment to safety and the activity implementation (Effects 8, 9, 10), as well as between the LHE and the higher level managers (MD 4.6). In practice, this means it takes a longer time to rectify human error through more careful study, consideration, and orders assigning at the high levels of the control structure. Therefore, this delay facilitates the tendency of personnel to make immediate “knee-jerk” changes at the operating process level. Loop B4 exactly represents the dynamics of personal efforts on the system, in which the knee-jerk reactions have positive effects on human error without delay.

Loop R1 represents the military objective of launching capability pursued by the higher level managers in the control structure. This loop is significant because it shows that human behaviors in the operating process can be affected negatively after time delay when the managers at the higher level hold different opinions and some time is needed for negotiation. More specifically, management commitment to safety is affected negatively when management commitment to launching capability dominates due to the increasing level of human error or degrading equipment technology level; accordingly, the safety policies will not be implemented effectively through Effects 8, 9, and 10, and then the LHE out of control will lead a reinforcing tendency to management commitment to launching capability again.

Step D-b. Discuss the dynamics in system behavior and human error

As discussed in Step C-a, the control flaws occurring in the control structure reflect the violation to the safety constraints at the time of the accident. Before the accident, the system state has been in a migration with an increasing risk over time. Two states in the migration, that is, state in control and state out of control, are assumed here to discuss the possible dynamics in system behavior and human error.

In the former state, the effects of the four PSFs on human behavior are appropriate, leading to a lower LHE. All the causal loops tend to be relatively stable, and there is no dominant loop(s). However, the equipment technology level caused by the lack of timely equipment improvement management plan (MD 2.4) degrades over time. If the degradation is serious enough to increase the LHE, the human-related risk tends to be controlled by personal knee-jerk efforts first (Loop B4 dominates).

After the time delay discussed in Step D-a, the long-term safety activity plan from the higher level managers are implemented (Loop B1, B2, or B3 dominates). During this period, the LHE may fluctuate due to the time delay.

Furthermore, the military objective of launching capability is enhanced by the feedback from the increasing LHE and the continuously decreasing equipment technology level. management commitment to safety is weakened by the commitment to launching capability (Loop R1 dominates).

Finally, even the fullest amount of attention to safety paid by personnel or managers can hardly reverse the increasing trend of LHE, when the system situation has been worsened excessively. Under this circumstance, the state out of control will occur sooner or later.

Component E: Comparison of C With B, and of D With B

Through the STAMP-based analysis in Component C, 41 contributing factors were identified, which covered the accident causes demonstrated in the official accident report (Component B). Unlike the causes officially issued that are primarily focused on component failures and human errors obviously, the factors identified in this paper are related to a broad view of sociotechnical systems. From the systemic view of STAMP, an uncontrolled risk in sociotechnical systems is hardly avoided, if through eliminating only the individual component failures and human errors instead of through the comprehensive control based on the cognition of interactions among the multiple risk-contributing aspects.

Through the SD modeling in Component D, two critical deficiencies were identified. One is that the different opinions about safety and launching capability among the managers at the higher level will affect the human behaviors negatively. The other is the lack of control and feedback channels from the equipment technology level to the managers, which causes continuous degradation of the equipment.

Component F: Actions to Control Human Error and Improve Safety

Walker (2008) did not give recommendations for the prevention of future accident. It is supposed here that the recommendations based on the accident causes officially recognized are referred to but further expanded and developed in the way discussed earlier. Based on the analysis in Component E, the recommendations of risk mitigation (covering both technical and managerial aspects), as well as the time for implementation are proposed for safety improvement, as shown in Table 9.

Table 9:

The Mitigation Recommendations for Safety Improvement

	Categorization	Recommendations of Risk Mitigation	Time for Implementation
Technical	Timely improvement of equipment and technical documents	Update the TO and improve the QA procedures timely.	Present
		Improve the aging missile-supporting equipment including launch facility monitoring system, cables, and shotguns.	Present
	Check and elimination of dysfunctional interactions	Ensure that management rules in the operating process, such as the rules of flammable materials management, cannot affect safety negatively so that they can assist in preventing managerial dysfunctional interactions.	Present
		Enforce safety assurance of the equipment such as the ECS, to prevent technical dysfunctional interactions.	Future
Managerial	Add control and feedback channels	Add control and feedback channels between the equipment technology level and the managers at the higher level, to effectively monitor the equipment’s condition in the LF.	Future
	Enhance information sharing and communication	Enforce the feedback or communication channels in the control structure to ensure a correct process model among the controllers at a higher or the same level of the control structure.	Present
		Enforce the control and supervision of implementation of safety regulations (e.g., flammable substance management) in the operating process.	Present
		Make decisions of training, task planning according to the feedback from human error or accident risk reports in the operating process, and ensure appropriate task pressure for the operators.	Future
		Pay the same amount of attention to management and technology when making decisions. Balance safety and launching capability reasonably.	Future
	Perfect the construction of safety culture	Ensure continuous vigilance even if no accidents have happened.	Present
		Improve safety awareness of the operators through training and other measures.	Future

Conclusion and Future Work

Within the HRA community, there is a widely acknowledged need for an improved HRA method with a more robust scientific basis. The STAMP-based HRA framework presents two significant advances in developing a method like that.

First, the systemic model STAMP was applied to causal analysis. The traditional HRA methods tend to be used with focus on the easily sequential and generally low-level tasks, which are not the main source of systemic errors. This paper analyzed a human-related accident and identified contributing factors and causal relationships based on STAMP, since it is significant to understand accidents and human errors by considering the causality within a sociotechnical system. In the demonstrating study where the MM III accident was taken as a case, 41 contributing factors were identified based on an overall view of the system, and more information regarding accident causes were concluded that is an extension of the analysis in the accident report issued officially. Related managerial and technical recommendations were also given.

Second, based on the dynamics analysis by SD models, loop dominance in CLD was identified to analyze the possible migration in system behavior and the human error from the state “safety” toward the state “accident.” The key factors or effects in regard to the migration were discussed and then given higher priority to consider when making strategies or recommendations.

In addition, the development of a CLD such as that identified in Figure 5 provides building blocks to construct a SD simulation model, which is often used to assess the impact of possible interventions. In the following-up work, the CLD will hopefully be converted into a quantitative model, i.e., a SFD will be created which is made up of stocks linked with flows in accordance with SD rules. Stocks represent the accumulation of matters or information; flows refer to the rate of change of the stock. Auxiliary or intermediate variables will also be inserted as functions of stocks, constants, or exogenous factors. SFD simulation will require quantitative equations to be defined among the stocks, flows, and variables. Once established, the SFD model can then be used to quantitatively analyze how a human-related system behaves and responds to different changes in the variables, stocks, and flows. In comparison with CLD, the simulation of SFD will be more rigorous, but less accessible and understandable by managers (Goh, Love, Brown, et al., 2012; Richardson, 1995). Also, as an extension of research, the model proposed herein will be converted into a SFD simulation model to test a variety of strategies of risk control and to evaluate the results got from a wider range of case studies. The simulation model can then be used to enhance the CLD so that both the rigor and accessibility of the method can be achieved.

Key Points

The traditional HRA methods have limitations when dealing with causality within sociotechnical systems, as systems increase in complexity.

To improve HRA, the STAMP approach was used to develop a formalized framework of human error causal analysis.

A SD model was built to explore the causal relationships that lead to the migration in the system state toward an accident; based on the SD model, the dynamics analysis was conducted.

The case study was focused on a typical accident (the MM III missile accident occurred in the United States in 2008). The case illustrated how the human-related factors have a critical impact on system risk, and provided risk mitigation recommendations.

Footnotes

Acknowledgements

This work was supported by a grant from the Major State Basic Research Development Program of China (973 Program) (No. 2014CB744904).

Hao Rong is a postgraduate of Beihang University. He obtained his MS degree (2013) in control science and engineering from the School of Reliability and Systems Engineering. His research is focused on system safety, risk assessment, hazard identification and analysis, and human factors.

Jin Tian is an assistant professor in the School of Reliability and Systems Engineering, Beihang University. She earned her PhD (2007) and BS (2002) degrees in systems engineering from Beihang University. Her research activities are focused on system safety, risk assessment, hazard identification and analysis, reliability of products, system engineering, and so on.

References

Antonovsky

Pollock

Straker

(2010, September). Identification of the human factors contributing to maintenance failures in a petroleum operation. Paper presented at the Human Factors and Ergonomics Society annual meeting, San Francisco, CA.

Boring

R. L.

(2009, October). Reconciling resilience with reliability: The complementary nature of resilience engineering and human reliability analysis. Paper presented at the Human Factors and Ergonomics Society annual meeting, San Antonio, TX.

Boring

R. L.

Bye

(2008, October). Bridging human factors and human reliability analysis. Paper presented at the Human Factors and Ergonomics Society annual meeting, San Diego, CA.

Boring

R. L.

Oxstrand

Hildebrandt

(2009, October). Human reliability analysis for control room upgrades. Paper presented at the Human Factors and Ergonomics Society annual meeting, San Antonio, TX.

Coyle

R. G.

(1996). System dynamics modelling: A practical approach. London: Chapman & Hall Press.

Dangelicon

R. M.

Garavelli

A. C.

Petruzzelli

A. M.

(2010). A system dynamics model to analyze technology districts’ evolution in a knowledge-based perspective. Technovation, 30, 142–153.

Darbra

R. M.

Palacios

Casal

(2010). Domino effect in chemical accidents: Main features and accident sequences. Journal of Hazardous Materials, 183, 565–573.

Explore the US ICBM Network. (n.d.). Retrieved from http://www.captainswoop.com/icbm/

Gertman

Blackman

Marble

Byers

Smith

(2005). The SPAR-H human reliability analysis method (NUREG/CR-6883). Washington, DC: U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research.

10.

Goh

Y. M.

Love

P. E. D.

Brown

Spickett

(2012). Organizational accidents: A systemic model of production versus protection. Journal of Management Studies, 49, 52–76.

11.

Goh

Y. M.

Love

P. E. D.

Stagbouer

Annesley

(2012). Dynamics of safety performance and culture: A group model building approach. Accident Analysis & Prevention, 48, 118–125.

12.

Griffith

C. D.

Mahadevan

(2011). Inclusion of fatigue effects in human reliability analysis. Reliability Engineering and System Safety, 96, 1437–1447.

13.

Groth

K. M.

Mosleh

(2012). Deriving causal Bayesian networks from human reliability analysis data: A methodology and example model. Proceedings of the Institution of Mechanical Engineers Part O—Journal of Risk and Reliability, 226, 361–379.

14.

Leveson

(2011). Engineering a safer world: Systems thinking applied to safety. Cambridge, MA: MIT Press.

15.

McKinzie

Cochran

T. B.

Norris

R. S.

Arkin

W. M.

(2001). The US nuclear war plan: A time for change. Washington, DC: Natural Resources Defense Council.

16.

Mohaghegh

Kazemi

Mosleh

(2009). Incorporating organizational factors into probabilistic risk assessment (PRA) of complex socio-technical systems: A hybrid technique formalization. Reliability Engineering & System Safety, 94, 1000–1018.

17.

O’Connor

O’Dea

Melton

(2007). A methodology for identifying human error in US navy diving accidents. Human Factors, 49, 214–226.

18.

Ouyang

Hong

M. H.

Fei

(2010). STAMP-based analysis on the railway accident and accident spreading: Taking the China-Jiaoji railway accident for example. Safety Science, 48, 544–555.

19.

Paletz

S. B. F.

Bearman

Orasanu

Holbrook

(2009). Socializing the human factors analysis and classification system: Incorporating social psychological phenomena into a human factors error classification system. Human Factors, 51, 435–445.

20.

Reason

Hollnagel

Paries

(2006). Revisiting the “Swiss cheese” model of accidents. Journal of Clinical Engineering, 27, 110–115.

21.

Richardson

G. P.

(1995). Loop polarity, loop dominance, and the concept of dominant polarity (1984). System Dynamics Review, 11, 67–88.

22.

Sheridan

T. B.

(2008). Risk, human error, and system resilience: Fundamental ideas. Human Factors, 50, 418–426.

23.

Sterman

(2000). Business dynamics. Boston, MA: McGraw-Hill.

24.

Strauch

(2010). Can cultural differences lead to accidents? Team cultural differences and sociotechnical system operations. Human Factors, 52, 246–263.

25.

Ung

S. T.

Shen

W. M.

(2011). A novel human error probability assessment using fuzzy modeling. Risk Analysis, 31, 745–757.

26.

U.S. Department of the Air Force. (2006). Safety rules for long-term storage and maintenance operations for nuclear weapons (AFI 91-116). Retrieved from http://www.bits.de/NRANEU/others/END-Archive/AFI91-116(11).pdf.

27.

van de Merwe

Øie

Gould

(2012, October). The application of the SPAR-H method in managed-pressure drilling operations. Paper presented at the Human Factors and Ergonomics Society annual meeting, Boston, MA.

28.

Vaurio

J. K.

(2001). Modelling and quantification of dependent repeatable human errors in system analysis and risk assessment. Reliability Engineering & System Safety, 71, 179–188.

29.

Walker

R. M.

(2008). United States Air Force missile accident investigation board report on Minuteman III launch facility A06 fire mishap (Conducted IAW Air Force Instruction 51-503). Retrieved from http://www.airforce-magazine.com/SiteCollectionDocuments/Reports/2008/November/Day03/AFSPC_AIB_MMIII_LF.pdf

30.

Williams

J. C.

(1988, June). A data-based method for assessing and reducing human error to improve operational performance. Paper presented at the Human Factors and Power Plants Conference, Monterey, CA.

31.

Zhang

X. X.

(2009). STAMP-based software safety verification. In Proceedings of 2009 International Symposium on Aircraft Airworthiness (pp. 479–483). Amsterdam, Netherlands: Elsevier.