the occurrence, source document ®les, visual aids and other materials required to support the description, presentations or brie®ngs, and any reporting forms or other documentation. If desired, deliverables may also include reported needs disclosed by the investiga- tion, and proposed changes to improve operations. Planners must consider the regulatory requirements and their eects on criteria for the deliverables. It is advisable to review the potential adverse as well as bene®cial consequences of each with legal counsel before the plan is adopted. Another important deliverable, particularly when potential injury claims or litigation are foreseeable, is the source material used to de®ne the reported actions, consisting of documents, photos, selected debris, sketches, or other source materials. Plans should address their acquisition, handling, archiving, and dis- posal. Provide speci®cations for deliverables expected from investigations of incidents such as breakdowns, disruptions, or similar problems. If descriptions of the occurrences are not documented, the problems will probably return. When forms are required, provide examples of entries that satisfy the form's designers. 1.3.2.4 Select Preferred Investigation Process (14) Alternative investigation processes are available for review [2,3,6,10,13±15]. Planners should document the criteria for the investigation process selection as part of the evaluation process. They will be used in subsequent evaluations of the process. The criteria should include those described above and any addi- tional criteria needed to tailor the process to the orga- nization's capabilities. Each candidate process should be evaluated against each criterion and the results com- pared, and documented for later review. 1.3.2.5 De®ne Case Selection Process (15) What occurrences should be investigated? In a nar- rowly focused program, case selection is limited to those required by regulatory authorities, usually invol- ving. a reportable or lost-time injury or fatality. In a broad program, the emphasis is on investigating any surprises, especially those during which a worse out- come was averted by successful intervention of people or object controls. Case selection can be made automatic. For example, when an automated system breaks down or functions erratically, the troubleshooting and repair are a form of investigation that is initiated automatically. When disruption of a production process occurs, investiga- tions are also preuthorized. Preparations should include identi®cation of the kinds of occurrence that are investigated automatically and those for which a case selection decision will be required. Criteria for determining the scope of each kind of investigation should also be prepared to guide investi- gators in speci®c cases. These speci®cations should address at least the extent of the scenario to be devel- oped, hours to be committed, and the investigation deliverables, among other speci®cations. 1.3.2.6 De®ne Investigation Operations (16) This aspect of the investigation plan should address administrative matters. That includes guidance for the assignment of investigators, record keeping, and administrative requirements, including time and expense record keeping; also noti®cation of and co- ordination with others who have requested noti®ca- tion, including regulatory agencies if applicable. Develop requirements for others in the organization to co-operate with investigators, and output reviews, distribution procedures, and any other speci®cations needed to tailor the plan for the organization. Do not overlook guidance for investigators when they sus- pect a crime rather than an unintended occurrence. 1.3.2.7 Document Investigation Process (17) This section of the plan documents the selected inves- tigation process. It outlines guidance for acquiring data from people and objects; for handling those data after they are acquired; for validating interactions or bridging gaps; for problem discovery and de®nition; for assessing support needs and capabilities; for quality assurance procedures; for distribution of work products; for media contacts; for consultations with counsel; for self or peer assessment of investiga- tion performance; and any other tailored elements of the selected process. References provide detailed descriptions of investigation tasks [10,16]. 1.3.2.8 Adopt Investigation Plan (18) This step is the ®nal co-ordination step. Each person aected by the plan reviews it, con®rms the intended operation and bene®ts, demonstrates any diculties it might present, helps modify it if so required, and com- mits to it with a sign-o indicating concurrence. This step typically involves selected executives, managers of activities that might be investigated, and the likely Investigation Programs 705 Copyright © 2000 Marcel Dekker, Inc. investigation program manager or senior or lead inves- tigators who will implement the plan. 1.3.2.9 Investigation Plan Ready (20) Plan future tasks needed to maintain plan readiness in the future. This may require periodic review and tune- up of the plan, by using performance indicators to identify the needed modi®cations or updates. 1.3.3 Investigator Preparation 1.3.3.1 De®ne Investigator Tasks (21) What are investigators expected to do during investi- gations? The investigation process selection decision determines investigators' tasks. If a formalized process is adopted, descriptions of various useful techniques can be identi®ed from the literature [2,3,6,9,10,13± 20]. Each reference oers dierent ideas about investi- gation processes and techniques. Review those ideas and techniques to determine if they should be incorpo- rated into the plan. For example, tailoring might be needed because of special classes of robotics equip- ment. Tailoring might also be needed because of spe- cial regulatory considerations, or because of the nature of the organization or its policies. If so, descriptions of techniques in the literature should, of course, be mod- i®ed to accommodate those special needs. Task de®ni- tions need not be complex but should provide sucient detail to prevent inconsistent overall performance for dierent levels of investigation. Consider investigation task de®nitions to be dynamic, subject to change whenever circumstances change. For example, introduction of new products or new materials, expanded processes or any other changes aecting investigation performance might pre- cipitate a review and modi®cation of the investigation procedures. 1.3.3.2 Document Investigator Procedures (22) This planning task requires documentation of the orderly sequencing and execution of investigation tasks to provide guidance for investigators, and to accommodate the nature and levels of anticipated investigations. Investigation procedures might range from troubleshooting to major accidents. Planning for investigations of serious accidents should have priority. Include a ``walk through'' of each kind of investigation during planning, to determine personnel involved in the investigation, task interactions of these personnel, and the timing of the investigation tasks relative to each other. Project planning software can be a useful aid to this documentation process. Be sure to designate a supervisory process to accommodate decision ¯ows during the investigations. Pay special technical attention to procedures for acquiring data after an incident from digital electronic devices and applications which control automated sys- tems. In transport systems, recording devices are used to keep track of selected operating system parameters during operations, providing the ability to determine their behavior if an accident occurs. Without such recorders, operators should identify proposed means to examine such devices for whatever data they might hold. If this situation arises, information about avail- able investigation techniques is available through sources such as the International Society of Air Safety investigators [21]. 1.3.3.3 De®ne Investigator Knowledge and Skill Needs (23) De®ne knowledge and skills required to perform inves- tigation tasks next, to ensure that investigators are capable of performing their assigned tasks. The knowl- edge needs to include an understanding of tasks and outputs required, and methods that will equip investi- gators to perform those tasks. The knowledge needs are outlined above, but a few are worth repeating. Absolutely essential are knowledge of observation pro- cesses and how to transform data into investigation data language, practical knowledge of logical reason- ing procedures, an understanding of problems that certain kinds of words and language can create, and awareness of investigation concepts and principles described earlier. These apply to all levels of investiga- tion. 1.3.3.4 Establish Investigator Selection Criteria (24) Selection of personnel to qualify as investigators must be responsive to the needs dictated by the investigation process used. Generally, the more rigorously disci- plined the investigation process, the more stringent the criteria for investigator selection. The level of investigations required also has a bearing on those criteria. Basic criteria for investigators must include the abil- ity to make observations without distortion or bias; transform and document investigation data with mini- mal interjection of personal views, experiences or per- sonal values; order and present data sequentially; visualize patterns and scenarios; reason logically; have a reasonable memory for detail; and be self-criti- 706 Benner Copyright © 2000 Marcel Dekker, Inc. cal without personal constraints. Physical capabilities should be consistent with the tasks and environment in which the investigator will be working. If special knowledge or skills will be required because of the nature of the systems being investigated or the levels of investigation, include these criteria. 1.3.3.5 Complete Investigator Selection (25) The interviewing and selection of investigators contri- bute to the subsequent tone of the activities and expec- tations of both the employee and supervisor. When describing the duties of the position, discuss the mis- sion and policies governing investigations, particularly with respect to regulatory agencies. Also, resolve any questions about the levels of investigations, their authority and responsibilities, acceptability of their work products, and how their performance will be judged. Investigator selection might include selection of out- side experts to assist in or direct Level 4 or 3 investiga- tions under contract. The anticipated frequency of major investigation cases may be too low to justify development and maintenance of an investigation team within the organization. If so, the selection of an outside team to perform the investigations under contract might be desirable. Select all contractors based on their ability to perform the investigations as prescribed by the adopted investigation program plan criteria. 1.3.3.6 Train Investigators (26) Typically, selected investigators will have systems expertise in some form. They will probably not have formal investigation training, so plans should include training in the selected investigation process and tech- niques before they are assigned a case. For level 1 investigations, an apprenticeship to trained investiga- tors might oer sucient training. For other levels, consider providing classroom investigation training. Design the training to accommodate the mission, poli- cies and plans, the tools provided for investigations, and tasks required to achieve the desired outputs. Ensure training in quality assurance tasks. 1.3.3.7 Complete Investigation Drills (27) Include investigation drills for investigators in the pro- gram. During training, drills simulating hypothetical investigations or case studies can be developed for spe- ci®c operations to strengthen the investigator thought processes. It is also good practice to have newly trained investigators do an independent quality assurance check of a recently completed case report. Have them use ¯owcharting tools and the quality assurance checks in Appendix C to build their skills in applying the desired thought processes. Use feedback about the results to reinforce any investigation process elements that need attention. A more sophisticated drill to give new investigators insights into and experience with the kinds of problems that arise during an actual investigation is desirable. Have them investigate the breakdown of an automated system to determine what happened and why it hap- pened. This has the added advantage of introducing operational personnel to the thought processes used in investigations. A third kind of drill is to rotate the quality assur- ance of work products among investigators. This enables investigators to keep abreast of ®ndings by others, while continually improving their data gather- ing, analysis, and logic skills. 1.3.3.8 Put Quality Controls in Place (28) Quality control procedures should be put in place to assure the adequacy of the deliverables, the quality of actions implemented as a result of the investigations, and the quality of the investigation process itself. The quality of the deliverables and ®ndings can be screened before they are distributed. Use the quality assurance check lists described in Appendix C. References provide detailed quality assurance instruc- tions [9,22]. Tracking acceptance of the ®ndings pro- vides another indicator of deliverable quality [4d]. The greater the controversy or reluctance to accept the ®ndings, the greater the likelihood that the qual- ity of the investigation deliverables needs to be improved. The quality of the actions proposed as a result of the investigation is also assessed by the results they pro- duce. Before they are released, any recommended actions should predict the intended eects in a way that can be veri®ed. Quality control plans should address the monitoring and veri®cation tasks. The quality of the investigation process is assessed by occasional spot auditing of the procedures at the conclusions of an investigation. It is also indicated by the performance against budgets, nature of any delays, handling of uncertainties and unknowns, complaints about the investigators or their actions, and the work products produced. Quality control plans should address this need. Investigation Programs 707 Copyright © 2000 Marcel Dekker, Inc. 1.3.4 Investigation Support Preparations Investigators may need various kinds of help, particu- larly if the investigation involves casualties. 1.3.4.1 De®ne Support Needs for Organization (30) Plans should identify the kind of help that may be needed during investigations, and assure that it will be available promptly when needed. The help required may include functional backup for collateral duty investigators, document handling, communications, go-kit maintenance, investigation equipment, readiness monitoring, technical expertise, legal expertise, and media expertise. Technical expertise may include elec- tronics, mechanical, chemical, medical, or design experts. 1.3.4.2 Establish Data Source Handling Plan (31) During investigations, sources from which investiga- tors extract data increase in number as the investiga- tion progresses. Address how data sources are to be documented, processed and preserved during and after investigations, including possible chain-of-custody implementation tasks in speci®ed cases. If willful harm is involved, consult counsel for planning guidance. 1.3.4.3 Communications Protocols and Equipment Ready (32) Depending on the occurrence, voice or data commu- nications links may be required at the site of an occur- rence. Preparations should be responsive to any anticipated special requirements for such communica- tions. For example, consider communications proto- cols, security concerns, interfacility electronic data transfers or exchanges, external data source access with suppliers, and incompatibility with facility com- munications or control equipment. 1.3.4.4 Complete Go Kit Preparations (33) Go-kits are the investigators' transportable tool kits, containing the equipment an investigator will need on arrival at the site of an occurrence. At a minimum, preparations should specify the equipment to be pro- vided, and its regular maintenance or updating. A camera and ®lm, sketch pad, voice recorder, personnel protective equipment, and note-taking equipment are absolute minimum equipment. A list of special instru- ments and special experts, with contact information, is also a must. Planning should keep in mind that the investigator must be able to transport the go-kit, usually without help. 1.3.4.5 Con®rm Support Equipment Readiness (34) Surprises occur irregularly and hopefully infrequently. Thus preparations should address how support equip- ment will be maintained in a continuing state of opera- tional readiness, including assignment of task responsibility and perhaps checklists and inspection schedules. 1.3.4.6 Arrange for Functional Backup (35) Investigations interrupt the normal duties assigned to investigators except in large organizations where inves- tigation might be a full-time job. When investigations occur, preparations should provide for backup person- nel to take over the investigator's normal duties when the investigator is at the occurrence site or elsewhere doing investigation tasks. 1.3.4.7 Prepare Technical Support Personnel (36) Technical support personnel are likely to be required when an investigator encounters a need to understand how something was designed to work, or how it actu- ally worked. For example, if a tear down of an auto- mated system or component is needed to examine internal parts after an occurrence, the investigator may need help in planning the tear down sequence and methods to minimize data loss. A tear down will probably require skilled mechanics or engineers. Expertise may be required to recover data or settings from electronic control components. Planners should identify and provide for access to in-house expertise, supplier expertise and contractor expertise. 1.3.4.8 Prepare Legal Support (37) When people are harmed in any way, and sometimes when warranties are involved, investigators may need help from a legal expert or counsel. Planners should work with counsel to identify when investigators should seek legal advice, and how to access and use it. 1.3.4.9 Prepare Media Support (38) Occasionally occurrences may precipitate media inter- est, particularly if fatalities occurred, or regulatory agencies become involved. Recognize that the media 708 Benner Copyright © 2000 Marcel Dekker, Inc. tend to focus on controversy. Plans should establish procedures and contact points for responding to media inquiries, and for adequate guidance and com- pliance with those procedures. 1.3.4.10 Support Personnel Prepared (39) The planning should include some scheduled feedback arrangement, to accommodate changes in personnel, personnel assignments, housekeeping, equipment obsolescence, expired supply dates, etc. Plans should assign feedback and review tasks to whoever manages or directs the investigation program. 1.3.5 Monitor Startup of Investigation Processes Any change requires planning before implementation, and monitoring after implementation. If a new pro- gram is initiated, or changes in investigation practices are instituted, performance monitoring and feedback to the executive in charge of the investigation program should be provided frequently during startup, and per- iodically during subsequent operations. After a predetermined time, monitor the program for its achievements, and distribute periodic reports of its achievements. 1.4 CONDUCTING INVESTIGATIONS This section outlines how to conduct investigations involving automated systems, and the basic tasks com- mon to all kinds of investigations. Each occurrence is dierent, but this general guidance is applicable in all investigations. For detailed investigation task guidance, consult the references. Before beginning, remember a basic axiom of inves- tigation: if you can't ¯owchart it, you don't understand it. Thus, as an investigation progresses it is good prac- tice to work toward developing a ¯owchart of events constituting the occurrence. With automated systems, the relative timing of events involved with the system controls often become critical to understanding what happened [23]. 1.4.1 Initial Response to Noti®cation The ®rst information about an occurrence is usually very sketchy, especially if any casualties are involved. However sketchy, it is necessarily the basis on which the decision is made to launch an investigation based on case selection guidance. Delaying a response often raises the risk of losing data or increasing the loss. Preauthorized automatic launches can begin immedi- ately. If the responsible manager decides to launch an investigation, the manager assigns the investigator, with initial instructions about its speci®c goals, con- cerns, resources available, and deliverable schedule. The manager also implements the plans for backup and support services, including site preservation assignments pending arrival of the investigator. The manager then initiates the planned contacts, to provide them the information requested or required by regula- tion or local law. The investigator or team goes to the site of the occurrence. Early communications should also consider direc- tions to retrieve data about the equipment or processes involved, or any earlier analyses of the operations, addressed to the custodians of those data. If deemed appropriate or necessary, those contacts can include directions to protect any data sources. 1.4.2 On-Site Tasks On arrival at the site, the investigator has four priori- ties. They are to preserve the data at the site; to over- view the occurrence setting and get a rough idea about what happened; to set priorities for data gathering; and, frequently, to restart the system. 1.4.2.1 Data Protection Generally stated, the ®rst task is to prevent inadvertent or deliberate changes to the ending state of objects surviving the incident, or to the memories of people who acquired data during the occurrence. This can be done by roping o or otherwise isolating the area or the equipment or the people. Alternatively, post guards until the sources have been examined and the data they oer has been acquired by the investigator. 1.4.2.2 Data Acquisition and Processing The next task is to begin to acquire data. The task challenge is to develop data in a format that supports ecient and timely development of a description and explanation of what happened. Further details are pro- vided in the investigation plan discussion and refer- ences. Start with a ``walkaround'' at the site to get a gen- eral overview of what is there and what might have happened. During the walkaround task, the investiga- tor begins to plan the order of the data acquisition tasks, setting priorities to examine or record the con- dition of any perishable data sources before they change. Priorities may also be required for examina- Investigation Programs 709 Copyright © 2000 Marcel Dekker, Inc. tion or documentation of equipment that is to be returned to service to restore operations. If potential witnesses to the occurrence are going to be leaving the site, arrangements for acquiring their data also require priority attention. A part of the walkaround task is to document the ending state of the objects found at the site. This can be accomplished with cameras, video camcorders, sketches, or drawings, or maps if debris is scattered. Notes describing what was photographed or sketched should be part of the documentation. Investigators should be prepared to delegate some of these tasks, such as the witness contacts and scheduling, or photographing damaged or changed equipment, for example. Use support personnel freely when needed. The acquisition of data from people and objects continues after the walkaround. The investigator's challenge is to identify the people and objects that contributed to the outcome, identify what they did, and document those actions. The order in which this is done varies with the occurrence, but generally it begins with asking the ®rst people found at the scene for their observations. They can help the investigator identify other data sources like witnesses and victims, or equipment that they observed doing something. They can also describe changes to debris or other objects which they introduced or saw occurring. When physical conditions of objects can be observed, investigators have to determine ``how what you see came to be''Ðor who or what did what to produce the condition(s) they see. Detailed guidance for extracting action data from physical objects can be found in some references [3,19,16,20]. Sometimes investigators want to conduct tests or simulations to determine what produced the condition or attributes of an object. Before any testing is initiated, the investiga- tor should insist on a test plan, which incorporates criteria for creating actor±action formatted data as a test output. A test plan should specify who will do what and in what sequence, to ensure needed data are not lost inadvertently [24,25]. The acquisition of stored data from digital or analog electronic devices associated with automated or robotics systems poses dierent challenges. The plans for acquir- ing these data should be followed. Exercise caution to avoid changing such data before it has been retrieved. The next step is transforming observations of the data sources into descriptions of the actions that can be sequentially organized and analyzed. The best way to do this is to use the actor±action data structure. When listening to people describe what they observed, the investigator should be listening for and document- ing data that describe who or what did what and when it happened, and documenting the data as events. 1.4.2.3 Restarts Sometimes the desire to restart equipment or processes involved in the occurrence with minimal delay in¯u- ences the investigation. When this desire exists, the need to identify what happened and identify the pro- blems and new controls needed quickly in¯uences the priorities for the investigation, and the resources devoted to the investigation. The need to take short- cuts and the consequences of doing so should be dis- cussed with the operational and investigation managers, who are responsible for accepting the risks. 1.4.3 Data Handling Tasks As data about interactions are acquired, the investiga- tor can add newly discovered actions to the developing scenario, as ``frames'' to the mental movie, or events to the events worksheets. The data handling goal is to narrow the focus of the investigation continuously. A concurrent goal may be to assure compliance with chain of custody requirements. When other organiza- tions are involved, ensure that the investigation plan is observed. 1.4.3.1 Event Linking and Testing The technical goal of this task is to prepare a com- pleted event ¯owchart that describes what happened and why it happened during the occurrence. Gaps in the mental movie or sequential layout of events point to speci®c questions that the investigator should pur- sue. Working the gaps narrows the focus of the data acquisition eort, and separates the relevant from the irrelevant events. As data are added to the mental movie or analysis worksheets, relevance is determined by examining events in pairs, and identifying cause± eect relationships between them. When they exist, the events should be linked to show the sequence and where important the relative timing of related interac- tions. The examination can begin with the process out- come, and proceeds backward in time toward the change event(s) that initiated the process. Alternatively, it can start wherever an event is dis- played; work in both directions. Events that do not have a cause±eect relationship with other events should be considered irrelevant, and tentatively set aside; they can be recalled if additional information shows a need to do so. 710 Benner Copyright © 2000 Marcel Dekker, Inc. When available data have been exhausted, the events with a cause±eect relationship should describe what happened in the proper sequence, from the ®rst deviant event to the last harmful event. In cases where adaptive actions prevented a loss outcome, the last event would be restoration of the original activity or a shutdown. The testing task checks the description of the events for completeness. The investigator looks at each ``caus- ing'' event to determine if the ``causing'' event was sucient to produce the ``eect'' event every time it occurred. If so, that part of the description is complete. If not, the investigator needs to determine what addi- tional actions were needed to produce the ``eect'' event each and every time the ``causing'' events occurred. When this task is ®nished the investigator has identi®ed all the events necessary to produce the outcome. Remaining gaps in the description identify remaining unknowns. Methods for hypothesizing events to ®ll gaps in the scenarios exposed by the testing task use bounded logic trees to display possible alternative scenarios. A bounded logic tree has both the top and bottom events de®ned. Alternative hypothesized scenarios are devel- oped to link the bottom event to the top event. The most likely alternative supported by data recovered after the occurrence can be used to complete the description, provided their source is noted, and uncer- tainties acknowledged. 1.4.4 Work Product Development Tasks These tasks depend on the deliverables speci®ed in the investigation plan. An investigation is remembered by the work products it produces. The description and explanation documentation are the main work product common to all investigations. An investigator's main task is to produce the doc- umentation describing the ¯ow of interactions that produced the outcome. The mental movies or events ¯owcharts provide the basis for describing and explain- ing what happened. If acceptable in the organization, the ¯owchart satis®es the basic documentation needs. If not, a narrative description prepared from the ¯ow- chart may be needed to satisfy other needs. If another reporting structure is required, such as the facts/ana- lysis/®ndings/conclusions reporting format, the events ¯owcharts with their supporting data enable investiga- tors to produce that work product. Regardless of the format, the description must pro- vide sucient information to enable the user to visua- lize what happened, and why it happened. If illustrations are needed to achieve this, they should be added to the description. An additional element of the investigation work product is the group of support- ing source documents or objects. Each source of data used should be identi®ed and archived and retained according to the investigation plan. 1.4.4.1 Problem Identi®cation One constructive use of the descriptions is problem discovery and de®nition. The problem discovery task requires a supplemental data-gathering eort. To de®ne a problem, an investigator must identify what a person or object was expected to do, or the norm for an action. Then the investigator must de®ne the dier- ence between what a person or object did and what they were expected to do, and examine why that occurred. This comparative approach is the basis for de®ning problems. Investigators sometimes fold this task into the description or explanation development tasks. That is not recommended unless restarting is urgent. Alternatively, if a ¯owchart is available, a problem can be de®ned as a subset of the events constituting the scenario. For example, if all expectations were satis- ®ed, but a person or object did not have adequate time to adapt to prior events, that subset of events identi®es a problem. See Appendix A for guidance about the kinds of events for which timing may be critical. However, then the investigator must pursue the reason the problem came into being. That pursuit can lead to design, administrative, supervisory, train- ing, programming, or other less direct decisions, assumptions, or actions. 1.4.4.2 Recommendation Development Another constructive use of the descriptions is in the development of recommendations for future actions [26]. If a ¯owchart of events is available, the events sets used to de®ne problems provide the basis for examining potential changes that might be introduced to change the future ¯ow of events. For each event in the set, every actor, action, or link can be examined as a candidate for change. Changes might include dier- ent sequencing or timing of events, changing the mag- nitude of events, or substitution of components, energies, or barriers, for example. Then, the conse- quences of each change can be estimated by studying what eect the change might have on the subsequent events involved in the occurrence. Comparing the predicted consequences of each can- didate change provides a basis for evaluating and rank- Investigation Programs 711 Copyright © 2000 Marcel Dekker, Inc. ing the desirability of the alternative choices, in terms of their relative ecacy and eciency. This compari- son and evaluation should include a discussion of the costs of implementation and value of predicted perfor- mance improvements [27]. 1.4.4.3 Success Monitoring Another constructive use of the descriptions is to develop a monitoring plan with which the predicted success of proposed actions can be monitored if they are implemented. The approach is to look for the recurrence of problem events sets during future opera- tions. Thus by identifying and monitoring those events sets the eectiveness can be identi®ed. If they recur, the change may be unsuccessful. If they do not recur, the change is probably successful. 1.4.4.4 Other Uses of Occurrence Descriptions Action-based ¯owcharts of occurrences can be used for ecient personnel training or retraining, to identify operational improvements, for design reviews or new design guidance, or to support changes in standards, codes, or regulations. The information on the ¯ow- charts is easy for individuals to assimilate because they can quickly relate actions shown on the ¯owchart to their own daily tasks. They can also see their rela- tionship to others' tasks, and use that as a basis for doing their tasks more eciently. Other kinds of investigation outputs have more limited uses, usually take longer to absorb, and are more dicult for individuals to assimilate. 1.4.5 Quality Assurance Tasks Quality assurance tasks involve examining the quality of the investigation work products, the investigation process, and the investigation program. 1.4.5.1 Investigation Work Product Quality The quality assurance task varies with the investigation process chosen. If the actor±action-based process is used, the quality assurance task consists of having another investigator review the ¯owchart and support- ing data for their logic and suciency. This helps identify and remove conjecture, speculation, and unsupported conclusions. Other indicators of quality problems are the number of questions raised by users, or the degree of controversy that follows release of a report. If another process is chosen, the quickest way to assess the quality of the work products is to ¯owchart the reported actions and links showing relationships, and look for gaps or logic errors to identify problems with the work product or perhaps the investigation process [21]. 1.4.5.2 Investigation Process Quality Problems with the quality of the work products pro- vide one indication of problems with the investigation process. If work products are found to have problems during the quality assurance tasks, the investigation process should be re-examined as one possible reason for the problems. The problem may also result from the process chosen, or its execution. Another indicator of problems with the investiga- tion process is the level of complaints about investiga- tor actions or behavior during the investigation. 1.4.5.3 Investigation Program Quality A third and broader indicator of problems is in the value of the results produced by investigations over time. A measure of performance is the comparison of the resources allocated to the investigation program and the cost of investigations with the value of the improvements produced. This quality assurance task is more subjective, but still requires attention. How that is done should re¯ect the assessment practices applied to other kinds of activities in the organization. 1.4.6 Deliverables The speci®cations in the investigation plan de®ne the content of the deliverables produced by the investiga- tion, and their distribution. The investigator's task is to produce the required deliverables. From time to time, the investigators are called upon to make oral presen- tations to explain or defend their deliverables. To do this well, investigators should ensure that the logic of their reasoning has been checked carefully. Another important deliverable, particularly when potential injury claims or litigation are foreseeable, is the source material. That consists of documents, photos, selected debris, sketches, or whatever source materials were used to de®ne and document the reported actions. Chain-of-custody documents may be an essential element of these deliverables. When regulatory agencies prepare a report, ensure that internal deliverables are compatible with those reports, or explain any inconsistencies. When accidents requiring investigation under regulations are investi- 712 Benner Copyright © 2000 Marcel Dekker, Inc. gated, it is desirable to prepare reports containing the descriptive data required by regulations to meet their requirements. They require ``the date, time, description of operations, description of the accident, photo- graphs, interviews of employees and witnesses, mea- surements, and other pertinent information.'' A separate report, with ``information or evidence uncov- ered during the investigation'' that would be of bene®t in developing a new or changed standard is also required to be submitted to the agency [1]. It is good practice to review reports prepared for regulatory agencies to remove subjective opinions or built-in judg- ments from the reports. Cause statements can be con- tentious. To minimize arguments about causes, specify what action(s) caused what speci®c eects, using event terms. 1.4.7 Postinvestigation Tasks Postinvestigation tasks involve distributing and using the investigation work products for additional pur- poses. These uses range from resolution of claims and disputes to long-term enhancement of corporate memory. Some uses are obvious, like resolution of claims, where the description of what happened pro- vides a basis for negotiating settlements. Other uses include their incorporation into training or recurrent training of personnel as case studies. Charts can be used as guidance for operating personnel to help them to understand interactions among system compo- nents, and to do their jobs more eciently. Distribution to designers helps them identify design options or changes that could improve future perfor- mance. In multifacility organizations, the charts are convenient to exchange among facilities for the same purposes. When consistency among all investigation is achieved, it becomes possible to combine the outputs into a growing body of process ¯owcharts covering any aspect of operations that may have been investigated. Analogous to mapping DNA, use of investigation work products to build a map of operations increases understanding of the processes. That also provides new opportunities for developing improvement recommen- dations beyond those made in a single occurrence. This is a new frontier in industrial operations. Another important use of the work products is to update predictive job, hazard, or operational analyses of the systems. Investigations provide the main tool for assessing the quality of or verifying prior risk and hazard analyses of the system, and showing where changes might be needed [23]. 1.5 SUMMARY For an investigation program to be of constructive value to an organization, a positive approach trans- cending conventional compliance and prevention per- spectives needs to be in place. The program must rest on progressive policies, concepts, principles, plans, and preparations. The material presented helps organiza- tions accomplish this, while enabling investigators to satisfy regulatory agency and other narrower demands of investigations. Investigation technology is expanding at an acceler- ating rate. Investigators are urged to use the Internet resources and newly published information to keep abreast of new developments. They present opportu- nities to learn more about the investigation process and emerging developments, and the investigation require- ments imposed by regulations. The Internet is in ¯ux, but the web sites noted with the references are useful starting points as this is written. 1.6 APPENDICES: INVESTIGATION TOOLS The models and checklists in the appendices oer guidance to help investigators during investigations. A. General Human Decision Model for Investigators This model was developed from observations of human behaviors in many transportation accident investigations(Fig.A1).Itwasdevelopedbytracking what happened during the accident, and by using the event-based data language and event matrices to show the events ¯ows found. A.1 Application of the General Human Decision Model for Investigators To apply this model during investigations or inter- views, identify people who appear to have had a role in the incident process. For each relevant action: 1. Begin by ®nding the change or changes in the activity that created a need for action by that person to keep the activity progressing toward its undesired outcome. 2. When identifying that change, determine if the change emitted some kind of signal that a person could detect or observe. If it did not, Investigation Programs 713 Copyright © 2000 Marcel Dekker, Inc. achieve a no-accident outcome, explore why it did not. Often this leads to discovery of invalid system design assumptions or other design problems. After working with this model, you will be in a much better position to discover, de®ne, describe, and explain what happened when a so-called ``human error'' or ``failure'' is alleged. You will also be able to identify more than one possible action to improve future performance of that system. B. Energy Trace and Barrier Analysis This model (Fig. B1) describes generally the steps to follow to examine events with the energy trace and barrier analysis (ETBA) method during investigations. It is a generalized model. Investigators can apply it to understand energy ¯ows that produced an observed changed condition or reaction, or when an action needs to be understood in greater detail. The kinds of energy that might be involved in a speci®c investigation are listed below. Look for possi- ble energy sources when the energy source is not obvious. Man-made energy sources: 1. Electrical. 2. Mass/gravity/height (MGH). 3. Rotational kinetic. 4. Pressure/volume/kinetic displacement (P/V/KD) 5. Linear kinetic. 6. Noise/vibration. 7. Dust. 8. Chemical (acute or chronic sources). 9. Thermal. 10. Etiological agents. 11. Radiation. 12. Magnetic ®elds. 13. Living creatures or things. 14. Moisture humidity. Natural energy sources: 15. Terrestrial. 16. Atmospheric. (Condensed from Ref. 9, Guide 5, p. 4. For an exhaus- tive listing of energy types see Ref. 14.) C. Investigator Checklists C.1 Quality Assurance Checklists Description of Occurrence. After a quality check of the description of what happened, check it against the following checklist one last time. Event form and content in description okay? Event names consistent in description? Abstractions and ambiguities removed? Sources referenced okay? Scope of description adequate? Flowchart causal links complete and valid? Uncertainties clearly indicated. Investigation Programs 715 Figure B1 Energy trace and barrier analysis process model for accident investigation. (Adapted from 10 MES Investigation Guides, Guide 5, ETBA. Oakton, VA: Ludwig Benner & Associates 1998, p 4.) Copyright © 2000 Marcel Dekker, Inc. [...]... local building code, which does have the force of law, these referenced standards and guidelines become a part of the building code and, therefore, state law Another example of where NFPA standards and guidelines have been adopted into law is the inclusion of many of them in the Occupational Safety and Health Act (OSHA) of 1970 The OSHA uses the NFPA standards and codes either by citing them as references... Code of Federal Register All of this simply means that a document called a ``standard'' may or may not be required by law, carry- Standards ing noncompliance and, possibly, criminal penalties The engineer must determine the origin and authority of any standard that may apply to the project Ignoring the history and legal authority of a standard can prove to be detrimental and costly to the engineer and. .. path through the spaghetti bowl called standards, codes, regulations, design practices, and guidelines Standards and codes are part of our everyday life We are raised with a set of standards taught to us by our parents We abide by a set of standard rules and codes at school and in sports We are considered ``law-abiding citizens'' if we follow the social rules and regulations established in our communities... the ``voluntary'' standard de®nition If a consensus standard is referenced in a federal, state, or local law, then that consensus standard can become a part of that law and made mandatory by de facto An example of this is the listing of certain National Fire Prevention Association (NFPA) standards and guidelines in many state building codes The NFPA standards and guidelines are documents that establish... industrial automation systems designers should remain aware of the fact that public sentiment is not very tolerant of machines that hurt people The sentiment is particularly compelling if that machine is an industrial robot, which is often perceived as a replacement for human workers The profession of the industrial automation system designer, then, is challenged with the task of providing robots and. .. and Techniques of Machine Safeguarding (OSHA 3067) Washington, DC: U.S Department of Labor, Occupational Safety and Health Administration, 1980 8 OSHA proposes ®nes for ergonomics-related injuries Mater Handling Eng 44(2): 42, 1989 9 Industrial Ventilation 15th ed Lansing, MI American Conference of Governmental Industrial Hygienists, Committee on Industrial Ventilation, 1978 10 OSHRC Docket Nos 9 1-2 973,... protecting employees and documenting compliance with OSHA standards Finally, some environments are so hazardous that they support development and investment in industrial robots to replace humans in these undesirable workstations The presence of federal standards and the OSHA enforcement agency have a signi®cant impact upon the present and future development of robots and industrial automation systems... employee to injury, shall be guarded The guarding device shall be in conformity with any appropriate standards therefor, or, in the absence of applicable speci®c standards, shall be so designed and constructed as to prevent the operator from having any part of his body in the danger zone during the operating cycle The point of operation is generally the most dangerous part of the machine and at the same... hazards and heed OSHA standards, while at the same time taking care not to introduce new hazards that run afoul of other OSHA standards REFERENCES 1 CR Asfahl Industrial Safety and Health Management 3rd ed Upper Saddle River, NJ: Prentice -Hall, 1995 2 CR Asfahl Robots and Manufacturing Automation Rev ed New York: John Wiley, 1992 3 Job Safety and Health Act of 1970 Washington, DC: The Bureau of National... especially true of industrial automation systems, such as robots, material handling systems, and process control systems Many modern industrial automation systems, such as those described in this book, were not invented at the time of the writing of the general body of national consensus standards that represent the bulk of what the OSHA enforces Therefore, the OSHA has turned to a general provision of the . Duty Clause for employees, as follows: Public Law 9 1-5 96 Section 5(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to. literal reading of the entire volume of the OSHA standards applied ``wall-to-wall'' throughout an industrial plant of any reasonable size. 2.2 GENERAL REQUIREMENTS Most OSHA standards have. of the law, quoted here as follows [3]: Public Law 9 1-5 96 Section 5(a) Each employer . . . (1) shall furnish to each of his employees employ- ment and a place of employment which are free from