A Journey Through the CAST Handbook: Avengers! Assemble! (The basic information about the accident...)

Previous: Welcome to Haz(z)ard County!

What is past is prologue. The previous articles in this series have set the stage, and we've come to Chapter 4 in the CAST Handbook, "Performing a #CAST Analysis."

(NOTA BENE: There is no hashtag in the actual handbook chapter title)

CAST has five parts. This article will cover the first, and the next few articles will address each in turn.

  1. Assemble Basic Information
  2. Model Safety Control Structure
  3. Analyze Each Component in Loss
  4. Identify Control Structure Flaws
  5. Create Improvement Program

Diagram of the five parts of a CAST analysis

1. Assemble! (Basic Information)

There are several suggested activities during assembly of basic information. These are not required to be accomplished consecutively, nor are they meant to be visited only once. Iterations involving different steps may occur. The intent is to generate questions and a description sufficient to support the analysis.

a. Define the system involved and the boundary of the analysis.

b. Describe the loss and hazardous state that led to it.

c. From the hazard, identify the system-level safety constraints required to prevent the hazard (the system safety requirements and constraints).

d. Describe what happened (the events) without conclusions nor blame. Generate questions that need to be answered to explain why the events occurred.

e. Analyze the physical loss in terms of the physical equipment and controls, the requirements on the physical design to prevent the hazard involved, the physical controls (emergency and safety equipment) included in the design to prevent this type of accident, failures and unsafe interactions leading to the hazard, missing or inadequate physical controls that might have prevented the accident, and any contextual factors that influenced the events.


a. Define the system involved and the boundary of the analysis.

The harrowing tale of that morning was told in How Not to Cry Over Spilt Coffee.

THE SYSTEM involved is simple:

  1. Me
  2. The Machine (Coffee Maker)


Everything outside of these two subsystems is outside the boundary of the analysis, and therefore the "environment" outside of the control of myself or the coffee maker.

Diagram of the system involved (Me; Coffee Maker) and its boundary

The importance of defining the system cannot be overstated. Recall that "HAZARD" is defined as a SYSTEM STATE, and that the combination of a system state and the state of the environment leads to a loss.

System State (Hazard) + State of Environment -> Loss

If the system is left undefined, or not explicitly defined resulting in individuals with different systems in mind, then no shared understanding and no meaningful analysis can occur. Also, the system definition simultaneously defines the environment as "everything not the system."


b. Describe the loss(es) and hazardous state(s) that led to it(them)

THE LOSSES

  1. Wasted time: Lost time while cleaning up and salvaging brewed coffee
  2. Wasted materiel: Lost coffee filters while salvaging brewed coffee


THE HAZARD THAT LED TO THE LOSSES*

  1. Uncontrolled release of coffee grounds and water


A quick note on "hazard + environment -> loss":

The hazard of uncontrolled release of coffee grounds and water led to the losses described because it occurred in my kitchen. Another environment with the same hazard would not have led to the losses, because if I didn't care about cleaning up or about salvaging the brewed coffee, then there's no wasted time or materiel! Remember, the "team" defines what counts as a loss. So if the environment was "in the shower" or "in my garden," no loss, even if the hazard occurs!


c. From the hazard, identify the system-level safety constraints required to prevent the hazard (the system safety requirements and constraints).

SAFETY CONSTRAINTS

  1. Water must remain contained within the coffee maker.
  2. Warnings and other measures must be available to minimize uncontrolled release.
  3. Means must be available, effective, and used to respond to uncontrolled releases.

SAFETY CONSTRAINTS
Keep the water in!
If you can't keep the water in,
alert someone so they can DO something!
If they couldn't do something,
have an effective spill response!

The first is a translation of the hazard to a goal statement.

In case the hazard cannot be avoided, the second provides for responses that mitigate the impact if the hazard does occur, and the third minimizes the loss if the impact cannot be mitigated.


d. Describe what happened (the events) without conclusions nor blame. Generate questions that need to be answered to explain why the events occurred.

Events listed here are from Learning From Tragedy.

EVENT: During chute cleaning, previous grounds were kept in the filter basket to catch the chute dropping

  • What about the machine makes catching the chute cleaning droppings in the filter basket attractive?
  • Why were previous grounds kept in the filter basket?
  • What other methods of catching the chute cleaning droppings have been considered? If any were considered, why were they not used? If not considered, why not?

EVENT: During chute cleaning, filter basket cover was removed to allow chute droppings to fall directly into filter basket and not clog the filter basket cover

  • What about the design of the filter basket cover makes removing it attractive?
  • Is removing the filter basket cover necessary?

EVENT: During chute cleaning, filter door was closed to allow chute droppings to fall directly into filter basket

  • What about the design makes closing the filter door more attractive than holding the filter basket?

EVENT: After chute cleaning, filter door remained closed, water and beans were added, and the "Go" button was pushed

  • What contributed to leaving the filter door closed after cleaning?
  • What is the normal procedure when making coffee when the chute has not been cleaned?

EVENT: After "Go" button was pushed, the "filter basket cover missing" alarm sounded, prompting the replacement of the filter basket cover, but not the removal of the old grounds, chute droppings, and used filter

  • What other alarms are features of the coffee maker?
  • Why was the existence of the old grounds, chute droppings, and used filter consciously registered?
  • Why wasn't the filter basket emptied?
  • What other controls have an effect when manually initiating the brew cycle?

EVENT: After the filter door was closed again, the "Go" button was pushed again with no further alarms

  • How can an operator be aware of the current state of the machine?

EVENT: Overflow continued for the duration of the brewing cycle

  • How is the end of the brewing cycle communicated?
  • Why was the overflow not consciously registered during the brewing cycle?
  • Is there any way to stop the brewing cycle once initiated?
  • If an attempt to stop the brewing cycle is made, how quickly do the effects of the attempt become effective? When does cycle cease?
  • Can the cycle be resumed if ceased?

EVENT DESCRIPTION
The key is to generate questions,
not to dwell on the events.



e. Analyze the physical loss in terms of the physical equipment and controls

This includes the requirements on the physical design to prevent the hazard involved, the physical controls (emergency and safety equipment) included in the design to prevent this type of accident, failures and unsafe interactions leading to the hazard, missing or inadequate physical controls that might have prevented the accident, and any contextual factors that influenced the events.

REQUIREMENTS FOR HAZARD MITIGATION

  1. Protect against uncontrolled release of coffee grounds or water
  2. Provide feedback about the state of the equipment
  3. Provide indicators of the existence of hazardous conditions
  4. Contain released coffee grounds or water

REQUIREMENTS FOR
HAZARD MITIGATION
may not have been recognized during the design of the system.
They are a result of the analysis.

CONTROLS

  1. The grind chute lever is spring loaded to close the grind trap when not automatically or manually held open
  2. The coffee channel cover closes automatically when the hopper is replaced
  3. The filter basket cover seals the path of the coffee grounds with an "open channel" to prevent grounds from escaping
  4. A microswitch senses the filter basket cover, part of the "Safety Interlock System"
  5. An alarm sounds if the filter basket cover is not in place when the "Go" button is pressed, part of the "Safety Interlock System"
  6. The filter basket cover cannot be in place without the filter basket appropriately set in the filter door
  7. The filter basket cover cannot be in place without the filter door fully closed
  8. The filter basket cover seals the path of the water with an "open channel" to prevent water from escaping
  9. An overflow drain is built into the water reservoir to direct excess water to the back of the machine
  10. A permanent shield is placed over the electrical cord entrance to the machine to divert water from the overflow drain away from the electronics
  11. A water level window with graduated markings and a floating indicator displays the water level in the water reservoir, providing feedback to the operator about when to cease filling the reservoir
  12. A spring loaded valve prevents fluid flow through the bottom of the filter basket without the carafe set in the correct position

CONTROLS
are the ones actually implemented in the system.

FAILURES

None. There were no controls that failed. There were no components that failed.

Once again, for those in the nosebleed section.

FAILURES
None!
No physical controls failed.
No components failed.

UNSAFE INTERACTIONS

  1. The used filter, old coffee grounds, and coffee chute droppings remained in the filter basket when the "Go" button was pushed and the brew cycle initiated. Because of the new coffee grounds on top of all the previous materials, insufficient volume and flow rate remained in the filter basket to accommodate the water flow during the brewing cycle.
  2. The excess water and coffee grounds spilled over the top of the filter basket, down onto the top of the carafe, the outside of the carafe, the counter, and the floor.
  3. The flow rate through the carafe lid into the carafe was smaller than the flow rate of the spilled liquid.

UNSAFE INTERACTIONS
Accidents often result from interactions among the system components.

MISSING OR INADEQUATE PHYSICAL CONTROLS

  1. There is no feedback or alarm for an overflow condition.
  2. There is no means to cease water flow except to remove power to the machine, thus cooling the heating element, but water will continue to flow as long as enough heat is available.
  3. There is no means to prevent filter basket overflow if the fluid level overtops the edge of the filter basket.
  4. The water reservoir can still be filled more than the carafe can hold before the overflow drain releases excess water. (This was not a factor in this particular loss, but could result in uncontrolled release in the future.)

MISSING OR INADEQUATE
PHYSICAL CONTROLS
might have prevented the accident
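To make the "no control failed, yet the hazard occurred" point concrete, here is an added example (my own, not code from the article or the CAST Handbook) that models the physical controls listed above as a small state machine and replays the event sequence. The basket capacity, pump rate, drain rates and reservoir volume are constructed numbers for illustration, and the `overflow_sensor` flag stands for a hypothetical control that the article lists as missing (an overflow alarm plus a way to stop the water flow); it is not a feature of the real machine.

```python
"""Model of the coffee maker's physical controls (added example, not from the article).

Every control below is one the article lists as implemented (numbered as in CONTROLS);
the overflow sensor is hypothetical and corresponds to MISSING OR INADEQUATE PHYSICAL
CONTROLS 1-3. All quantities are constructed for illustration only.
"""
from dataclasses import dataclass, field

BASKET_CAPACITY_ML = 300   # constructed: volume the filter basket holds before overtopping
PUMP_RATE_ML_S = 10        # constructed: water delivered into the basket per second
RESERVOIR_ML = 1000        # constructed: water added for the brew


@dataclass
class CoffeeMaker:
    filter_door_closed: bool = False
    basket_seated: bool = False
    cover_in_place: bool = False
    carafe_in_position: bool = False
    debris_ml: int = 0            # used filter + old grounds + chute droppings + new grounds
    drain_rate_ml_s: int = 12     # flow through the basket into the carafe; lower when clogged
    overflow_sensor: bool = False # hypothetical added control, not on the real machine
    alarms: list = field(default_factory=list)
    spilled_ml: int = 0
    brewed_ml: int = 0

    def cover_sensed(self) -> bool:
        """Control 4 (microswitch) with controls 6 and 7: the cover can only be
        in place when the basket is seated and the filter door is fully closed."""
        return self.cover_in_place and self.basket_seated and self.filter_door_closed

    def press_go(self) -> str:
        if not self.cover_sensed():          # control 5: Safety Interlock alarm
            self.alarms.append("filter basket cover missing")
            return "alarm"
        if not self.carafe_in_position:      # control 12: valve blocks flow without carafe
            return "no flow"
        return self.brew()

    def brew(self) -> str:
        """One-second steps: pump in, drain out, then check the basket level.
        Nothing in the implemented controls senses the level, so the real
        machine cannot stop here (missing controls 1-3)."""
        level = self.debris_ml               # solids already occupy part of the basket
        remaining = RESERVOIR_ML
        while remaining > 0:
            pumped = min(PUMP_RATE_ML_S, remaining)
            remaining -= pumped
            level += pumped
            drained = min(self.drain_rate_ml_s, level - self.debris_ml)
            level -= drained
            self.brewed_ml += drained
            if level > BASKET_CAPACITY_ML:
                self.spilled_ml += level - BASKET_CAPACITY_ML   # uncontrolled release
                level = BASKET_CAPACITY_ML
                if self.overflow_sensor:     # hypothetical: alarm and cut the pump
                    self.alarms.append("filter basket overflow")
                    return "stopped"
        return "complete"


def run_scenario(debris_ml: int, drain_rate_ml_s: int, overflow_sensor: bool = False):
    """Replay the article's events: first 'Go' with the cover off, then the cover
    replaced without emptying the basket, then 'Go' again."""
    m = CoffeeMaker(debris_ml=debris_ml, drain_rate_ml_s=drain_rate_ml_s,
                    overflow_sensor=overflow_sensor)
    m.filter_door_closed = True
    m.basket_seated = True
    m.carafe_in_position = True
    first_go = m.press_go()        # interlock works as designed: alarm, no brew
    m.cover_in_place = True        # operator replaces the cover, leaves the debris
    second_go = m.press_go()       # interlock satisfied: brew proceeds regardless
    return first_go, second_go, m


if __name__ == "__main__":
    for label, debris, drain, sensor in [("fresh basket", 0, 12, False),
                                         ("clogged basket", 200, 4, False),
                                         ("clogged + overflow sensor", 200, 4, True)]:
        first, second, m = run_scenario(debris, drain, sensor)
        print(f"{label}: go#1={first}, go#2={second}, brewed={m.brewed_ml} ml, "
              f"spilled={m.spilled_ml} ml, alarms={m.alarms}")
```

Running it shows the interlock doing exactly its job on the first press, and the second press brewing to completion with half the water on the counter, because no implemented control observes the state that matters (the basket's free volume). Only the hypothetical sensor turns the same sequence into a small spill and an alarm, which is the gap the "missing or inadequate physical controls" list records.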

CONTEXTUAL FACTORS

Nothing Significant to Report (NSTR)

CONTEXTUAL FACTORS
capture things not necessarily part of the event description

Physical System ONLY

"The description is restricted to the physical system. Operators, process control systems, etc. are not—and should not be—mentioned. The role they played will be considered later."

Operator-related unsafe interactions

  1. The operator did not dispose of the used filter, old coffee grounds, and coffee chute droppings when responding to the "filter basket cover not in place" alarm.
  2. The operator was watching internet videos while operating the machine, distracting attention away from the machine.

Operator-related contextual factors

  1. It was early morning, pre-caffeine intake. (Why does one need caffeine to make caffeine?)
  2. There were no other humans in the vicinity to sense the overflow.


FIN

Whew! That was something. It may feel like a lot, but compare How Not to Cry Over Spilt Coffee & Learning From Tragedy with the results of this first step of CAST, "Assemble Basic Information."

We now have the foundation of information to build a solid analysis that has the potential to discover both OPERATIONAL concerns, as well as DESIGN & DEVELOPMENT concerns.

"Too often, accident analysis only focuses on operations and not system development and, therefore, only operational limitations are considered. Deficiencies in the way the system was developed are not always identified or fully understood."

We must be careful to not rely only on operational procedures and training to prevent accidents. As shown in Figure 4 from the CAST Handbook, there are many other considerations that influence safety.

Next Time: "Model Safety Control Structure"



* Capturing system-level hazards that don't reference specific components is very challenging, and is addressed on page 38 of the #CAST Handbook.

  • System hazard: The aircraft stalls and does not have adequate airspeed to provide lift.
  • Non-system-hazard: The engines do not provide enough propulsion to remain airborne.
  • Non-system-hazard: The pilots do not keep the angle-of-attack down to prevent or respond to a stall.

  • System hazard: The automobile violates minimum separation requirements from the car ahead.
  • Non-system-hazard: The driver maneuvers the car in a way that violates minimum separation.
  • Non-system-hazard: The automation does not slow the car adequately to avoid violating minimum separation from the car ahead.
  • Non-system-hazard: Brake failure.

  • System hazard: Explosion and fire in a chemical plant.
  • Non-system-hazard: Failure of the pressure release valve.
  • Non-system-hazard: Over-pressurization of the reactor.
  • Non-system-hazard: Operators not maintaining control over the reactor pressure.
  • Non-system-hazard: Inappropriate reactor design for the chemical being produced.

"Remember, our goal is not just to find an explanation for the events but to identify the most comprehensive explanation and all contributions to the loss in order to maximize learning and to prevent as many future losses as possible. Focusing on the behavior of one component will lead to missing the contributions of other system components and the interactions among multiple components, like the car, the driver, the design of the interface between the car and the driver, etc. Rarely, if ever, is only one system component involved in a loss; focusing too narrowly leads to missing important information."
Comment from Patricia J. Pardo, Ph.D., Cognitive Neuroscientist at PJP Select Enterprises (1 year ago):

So how many cups of coffee consumed during coffee laboratory activities? I take my coffee and coffee maker very seriously too.
