Chapter 8.1 Investigation Programs Ludwig Benner, Jr. Events Analysis, Inc., Alexandria, Virginia 1.1 INTRODUCTION This chapter describes what an investigation program is, what it should accomplish for an organization, how it should be created, and what investigators should do within that framework. It presents investigation fundamentals in a way that enables everyone in an organization to tailor the ideas so they satisfy their speci®c investigation needs. It includes models to help investigators during investigations, and references providing detailed guidance for program designers and investigators. Accidents involving automated systems occur infre- quently. However, many kinds of investigations are conducted in organizations using automated systems. Supervisors, mechanics, engineers, labor representa- tives, claims adjusters, safety sta, and others investi- gate claims, operational disruptions, equipment breakdowns, accidents, ®res, injuries, outages, quality deviations, environmental insults, and other unex- pected or undesired occurrences. Each type of investi- gation has many common tasks. These commonalties are masked by thinking about each kind of investiga- tion as unique. In this fragmented environment nobody looks for the commonalties, or opportunities that co-ordinated thinking about all investigations might oer. Thus potential improvements in investiga- tion programs are overlooked. This chapter addresses that oversight. It describes the overlooked opportu- nities and how to establish a program to take advan- tage of them. 1.2 WHAT IS AN INVESTIGATION PROGRAM? An investigation program is an organization's ongoing structured activity to investigate unintended or unexpected and unwanted occurrences. This sec- tion describes the context in which such a program exists and functions, the role of the program in a dynamic organization, the nature of occurrences and investigations and the conceptual basis for an inves- tigation program. The context provides the back- ground that explains what an investigation program should accomplish, and what an organization should demand of an investigation program. The discussion of the role describes the relationship of an investigation program to other organizational activities. The discus- sion of the nature of occurrences and investigations describes useful ways to think about them within an organization. The discussion of the knowledge needed to do investigations describes essential investigation concepts and principles needed to produce the desired results 1.2.1 Investigation Program Context Investigations take place within an organizational con- text and a regulatory context. The organizational con- text should dominate investigation programs, but must accommodate the regulatory environment. 689 Copyright © 2000 Marcel Dekker, Inc. 1.2.1.1 Organizational Context Nobody likes unpleasant surprises. Progressive man- agers view an investigation program broadly as a set of continuing activities designed to understand, pre- dict, and control or prevent unpleasant and unwanted ``surprises'' in operations. These surprises include many kinds of occurrences, such as injuries, accidents, ®res, breakdowns, outages or delays, environmental insults, operational disruptions, claims, or other kinds of undesired events. Surprises re¯ect deviations from expected or intended or hoped-for performance, interfering with desired outcomes. The fundamental mission of a comprehensive investigation program is to improve future performance by thoroughly under- standing and acting on past occurrences of all kinds. Recurring unpleasant surprises are in indication, in part, of investigation program shortcomings or fail- ures, or possibly the lack of a competent investigation program. 1.2.1.2 Regulatory Context In addition to an organization's internal interests, cer- tain regulatory requirements aect the investigation context in most organizations employing or supplying automated systems. Most employers are subject to occupational safety and health regulations, which include investigation program requirements [1]. Brie¯y summarized, regulations require that: 1. All accidents should be investigated. 2. Accidents involving fatalities or hospitalization of ®ve or more employees be investigated to determine casual factors involved and that on scene evidence be left untouched until agency inspectors can examine it. 3. Any information or evidence uncovered during accident investigations which would be of bene®t in developing a new regulatory standard or in modifying or revoking an existing stan- dard be promptly transmitted to the agency. 4. The investigative report of the accident shall include appropriate documentation on date, time, location, description of operations, description of accident, photographs, interviews of employees and witnesses, measurements, and other pertinent information, be distributed to certain people, and made available to an agency representative. The regulation does not specify explicitly the purpose of required investigations, but a standards development purpose is implied. 1.2.2 Investigation Roles The basic functional role of investigations of all kinds is to develop a basis for and report on future action to improve future performance. The basis for action must always be a valid description and explanation of occur- rences, developed promptly, eciently, objectively, and consistently. This requires investigators to document their description and explanation, reporting them in a way that enables managers and others to understand, accept, and want to act on this new information. Investigations should assure discovery and de®nition of problems or needs that require action, and of actions for addressing them. They should also provide a way to assess whether the changes introduced actu- ally improved future performance. Investigations should also validate predictive analyses and design decisions. If these basic needs are satis®ed, opportu- nities for additional bene®ts can be realized. Investigators ®rst look backward in time to deter- mine and explain what happened. When they under- stand that, they must look forward in time to identify changes that will improve future performance. To ful- ®ll their role, investigations must be perceived by all aected as desirable, valuable and helpful, rather than judgmental, threatening, punitive, vengeful, or accusa- tory. To achieve best long term results, the tone of the investigation program must encourage co-operation and support. 1.2.2.1 Desired Roles for Investigations Competently designed and implemented investigation programs should report new understanding of occur- rences in ways that help: Reduce future surprises which interfere with desired outputs. Resolve claims and disputes. Satisfy regulatory requirements. They also have the potential to: Reduce resource needs by revealing potential pro- cess improvements. Enhance employee capability and morale with constructive work products. Reduce exposure to litigation. Provide a way to audit analyses of planned func- tions. Predict changes to in¯uence future risks. Identify shifting norms and parameters in operations. 690 Benner Copyright © 2000 Marcel Dekker, Inc. Contribute to the organization's long term corpo- rate memory. One other potential role requires an executive deci- sion. The choice is whether or not to use investigations to assess installed safety and reliability systems and their performance. Audits require special criteria and audit methods, and additional data, so it is advisable to conduct program audits as stand-alone activities rather than an element of investigations. 1.2.2.2 Traditional Views of Investigation Role That view diers from the regulatory view of the role of investigations. Traditional investigation perceptions and assumptions in industrial settings focus narrowly on accident investigations, failures, unsafe acts and con- ditions, basic, direct and indirect accident causes, and compliance. That focus does not address or satisfy many internal needs, and limits opportunities for broader achievements. The Federal agency regulating industrial robotics safety, for example, views investiga- tions as an element of a safety program rather than a part of a broad organizational performance improve- ment program. In its view investigations have a narrow goal of preventing similar accidents and incidents in the future. It holds that ``thousands of accidents occur throughout the United States every day, and that the failure of people, equipment, supplies, or sur- roundings to behave or react as expected causes most of the accidents. Accident investigations determine how and why these failures occur'' [2]. Note the negative tone of this ``failure'' and cause-oriented perspective. The agency's demands of investigations are also narrow. ``By using the information gained through an investigation, a similar or perhaps more disastrous accident may be prevented. Conduct accident investi- gations with accident prevention in mind'' (emphasis added) [2]. The loss or harm threshold, rather than the surprise nature of the occurrence, narrows the ®eld of candi- dates for investigation. The authority to impose penal- ties also in¯uences the agency's perception of investigations, and the procedures it must follow. When it becomes involved in investigations, operating organizations must recognize and adapt to the regula- tory agency's perspectives. In summary, the role of an investigation program should be constructive, designed to develop new knowledge to support a broad range of future actions in an organization, and produce timely, ecient, objec- tive and consistent outputs. 1.2.3 Nature of Investigation Processes To investigate something is to examine it systemati- cally. Any investigation should be a systematic exam- ination process. The investigation process focuses on examining the people and objects involved in the occurrence, and everything they did that was necessary and sucient to produce the process outcome that prompted the investigation. Investigations involve many tasks. Most share many common investigation tasks and tools. For example, in every investigation the investigator must: Make observations of people and objects involved in the occurrence. Acquire, structure, document, and organize data about their interactions. Discover, de®ne, and describe what people and objects had to do to produce the outcomes. Apply logic to action data to de®ne cause-eect linkages. Recognize, de®ne, and act on unknowns, and frame questions to pose. Diagnose objectively what happened to de®ne needs for change and candidate changes. Evaluate needs and propose actions, with ways to monitor their success. Prepare valid and persuasive investigation work products. Mediate diering views. The speci®c nature of each task and level of eort required of the investigator dier in nature depending on the kind and level of investigation required. For example, the degree of eort required to prepare an incident report form is the least complex, and may be considered the lowest level of investigation (Level 1). The nature of that investigation is to gather data needed to complete a reporting form. That need is usually satis®ed by sequencing whatever data can be acquired in a relatively brief time. Note that the data collected on forms are analyzed later by accident or claims analysts. This may mean that several similar incidents must occur before sucient data for some analysis methods is available. A slightly greater eort and more tasks are required to complete a logically sequenced and tested narrative description of what happened, or Level 2 investigation. This level requires the investigator to do some logical analysis tasks as the data are gathered. For example, understanding equipment breakdowns requires this kind of eort. Investigation Programs 691 Copyright © 2000 Marcel Dekker, Inc. When the description of what happened must be expanded to include carefully developed explanations, a greater level of investigation is required. Level 3 investigations may involve teams, and additional ana- lytical and testing tasks to validate the explanation and assure adequate objectivity and quality. This level is required for matters that might be involved in litiga- tion or compliance actions, or contractual disputes over equipment performance or warranty claims. If recommendations for actions to improve future performance are required of an investigator, the investigator must do additional forward-looking data gathering and dierent analytical tasks. Level 4 inves- tigations are the most complex and demanding and usually involve an investigation team. They should be required for any major casualty, or facility or design changes driven by undesired occurrences. Thus the nat- ure of an investigation and the knowledge and skills required to do them is dependent on the expected investigation level and outputs. The nature of an investigation is also partially dependent on the number of investigating organiza- tions conducting investigations of the same occurrence. The tasks where interactions occur should be reviewed with organizations which might be involved in investi- gations. For example, whenever fatal injuries occur, an incident might involve investigators from organiza- tions such as a local law enforcement agency or med- ical examiner, a state or federal regulatory authority, an insurance representative, and an organizational team. The authority and actions of those ocials should be identi®ed before an occurrence, and general agreement reached about who would do what in an investigation. When law enforcement or regulatory investigators are involved, their interests include access to witnesses and property, and preservation of evi- dence until an investigation has been completed [1]. Legal rights also may aect the nature of the investiga- tion. These interactions are complex, but planning helps everyone work together when required. 1.2.4 Investigation Knowledge Needs Performance of investigation tasks requires knowledge about investigation concepts, principles and practices, and skills in applying that knowledge. Investigation knowledge is not the same as knowledge about auto- mated or robotics systems. Every automated system expert is not intuitively an automated system investiga- tion expert. Additionally, system experts tend to unconsciously accept assumptions and ideas on which their decisions about the system are structured. Frequently those assumptions and ideas have contrib- uted to the occurrence. Expert investigators avoid that trap by applying their investigation knowledge and skills. During the investigation process, investigators use investigation tools to determine, describe, and explain what happened. Sometimes they need expert help to acquire or interpret data they need from objects involved in the occurrence. These data can be acquired with the help of others by knowing how to identify the expertise needed, and how to frame the right questions for those experts. Typically, such experts have expert knowledge and experience in some specialized ®eld of the physical sciences, and can interpret what actions were required to produce the observed postoccurrence states. Their outputs must support the investigator's concrete needs. To discover and de®ne needs indicated by the occurrence, investigators require data about how a speci®c system was intended or expected to function in its daily environment. Expert investigators get such system data from people with system knowledge, either directly or from their work products. Those system experts have knowledge of a speci®c system's design, manufacture, testing, programming, opera- tional behavior, safety or failure analyses, mainte- nance, or other system support activities. 1.2.5 Investigation Task Knowledge Study of investigation processes has disclosed that, to be eective, investigation process tasks must be disci- plined, objective, timely, ecient, and logical, and pro- duce demonstrably valid, credible, and readily useful outputs. Special investigation knowledge investigators need to perform their investigation tasks adequately includes fundamental investigation concepts, princi- ples, and procedures. They must incorporate this knowledge into investigation program plans for all kinds of investigations. 1.2.5.1 Investigation Concepts Concepts about occurrences and investigations guide how investigators think about what they are investigat- ing, and what they do during an investigation [3]. Concepts needed by investigators to produce quality work products include: A multilinear conceptual framework. The role of change in occurrences. An investigation data language. Mental movies 692 Benner Copyright © 2000 Marcel Dekker, Inc. Progressive analyses Break down events Energy tracing Event pairing Event linking Investigation quality assurance. Multilinear Conceptual Framework. What is the gen- eral nature of occurrences to be investigated? Research has identi®ed at least ®ve different perceptions of unintended and unexpected occurrences [4]. Each perception results in a different framework or model that drives what investigators think and do during investigations. The most helpful perception of occurrences or fra- mework for investigators is the ``multilinear'' events sequences concept [5a]. This framework views occur- rences as a process, during which people and objects act, concurrently and in sequence, to produce succes- sive changes resulting in the outcomes of interest. Relative timing of events in this multilinear framework is often essential to understanding and explaining what happened. The framework leads investigators to focus on developing descriptions and explanations of process interactions that produced the outcomes of interest. Other perceptions of the nature of occurrences are often encountered. A linear ``chain of events'' per- ception of occurrences such as accidents has long been the most popular in lay circles and the legal community. It relies on experts to identify a chain of unsafe acts and conditions and accident causes ``leading to the accident'' or incident. Typically, it results in subjectively developed, investigator-depen- dent, judgment-laden and frequently controversial investigation work products. The stochastic percep- tion is similarly investigator or analyst dependent. The tree perception is more disciplined, and helps to orga- nize data, but lacks criteria for selecting top events and a data language, does not accommodate relative event timing and duration considerations, or show interac- tions among concurrent events readily. The ®ve major perceptions are illustrated in Fig. 1. Role of Change in Occurrences. The role of change in surprise occurrences and their analysis was de®ned by Johnson during research leading to the MORT safety assurance system [6]. He pointed out the congruence between change control and accidents, and the importance of examining changes during investigations. Investigation Programs 693 Figure 1 Perceptions of accidents: the ®ve ways investigators perceive the nature of the accident phenomenon. Each perception in¯uences what investigators think and do during investigations. (From Accident Investigation: Safety's Hidden Defect. Oakton, VA: Ludwig Benner & Associates, 1981.) Copyright © 2000 Marcel Dekker, Inc. During the operation of a process, people or objects act on other people or objects to produce cascading changes, with resultant outputs or outcomes. When desired outputs result, change produces progress. When undesired or unintended outputs result, change produces trouble. The change concept facilitates inves- tigations by providing a focus for investigators' data searches: look for the changes required to produce the outcome. When people act during a process, they act to pro- duce an intended change, to adapt to an unanticipated change to sustain the process, or to arrest undesired cascading changes. For example, if a robotic device needs adjustment, a programmer acts to reprogram the device. If a robotics device suddenly activates dur- ing maintenance, the repairman might either adapt by trying to avoid the moving parts, or arrest the progres- sion by activating the emergency ``o'' control. A useful aspect of change is the concept of change signals. The signal emitted by a change has conse- quences for investigators. For example, if the signal emitted is not detectable or detected too late, the opportunities for an adaptive response by either peo- ple or objects are foreclosed. If it is detectable, it must be detected before an adaptive response is mounted. This general adaptive subprocess has been modeled from observations during investigations (see Appendix A). Event Data Language. Investigation data language is the language structure and terms investigators use to document, analyze, describe, and explain an occur- rence. To be consistent with the process framework for occurrences, the investigation data language must be able to describe and report what people and objects did to advance the undesired process toward its out- come. The data language structure used by investiga- tors determines what they can do during an investigation. A structure that facilitates the veri®able reporting of what happened and why it happened is needed. A structure and terms that undermine veri®- able reporting are not helpful. The structure should encourage investigators to focus their observations on ®nding and documenting data that de®ne and permit the value-free reporting of what the people and objects did during the occurrence. It should steer investigators to veri®able terms, and away from terms with built-in judgments or unsup- ported inferences which stop thought. The data language structure and terms that best satisfy these demands are the actor±action structure and event-related terms. The structure is simple: one actor one action  one event. That is the founda- tion for the ``think events'' guidance encouraging investigators to structure their investigation thought processes. It employs the de®nitive power of the gram- matical active voice, facilitating the visualization of speci®c people or objects. This ``actor  action''- based structure, or ``event'' structure, makes possible the most economical acquisition and ordering of data. It facilitates the most concrete descriptions of what happened, the most practical approach to systematic problem discovery and remedial action selection, the implementation of objective quality controls, and timely results. The actor  action language structure helps guide other tasks, such as facilitating visualization of what happened, rather than impeding visualization of what happened. It should be used while interviewing witnesses, photographing ending states of objects, or designing damaged-equipment test protocols. Docu- menting data with abstract, ambiguous or equivocal terms does not oer such guidance. It is important to note that conditions are the result of actions by someone or something. Improving future performance requires a change in behavior of people or objects. A condition cannot be changed without chan- ging the behavior of someone or something that cre- ated the condition. Thus, investigators should focus on the actor  action data language during investigations, and use observed conditions as a basis to infer the actions that produced them. During investigations, investigators' major chal- lenge is transforming their observations and all other information they acquire into a common format to give them building blocks for creating their description and explanation of what happened. This task is not intuitive. Further, it con¯icts with daily language experiences. The challenge is to recast all kinds of data from all kinds of sources into a basic common format suitable for documentation, analysis, testing, reporting, and dissemination. That challenge is depictedinFig.2. The exact attributes of event building blocks depend on the choice of investigation process adopted by an organization. The most basic form of event building blocks(Fig.3)containsthefollowinginformation: Actor is any person or any object that initiates a change of state during the process required to produce the outcome achieved by the occurrence. An actor has only one name. Ambiguous, com- pound, group, or plural names will corrupt the investigation and are unacceptable. 694 Benner Copyright © 2000 Marcel Dekker, Inc. Action is one speci®c act which aected another actor or action and helped initiate or sustain the process that produced the outcome of the occurrence. Descriptor is used to expand the description of what the actor did, to describe what the actor acted on, or otherwise to de®ne the act so it is uniquely described, can be visualized, and then can be related to other events. Source is the source of the data from which the event block was formulated, noted so it can be referenced as needed to verify the event. For more complex investigations or investigations requiring clear documentation of source data and veri- ®cation of the reasoning, it is helpful to use more comprehensive building blocks, as shown in Fig. 4. The numbers refer to the sequence in which the contents are typically added. Without a speci®ed data language structure to guide investigators, investigators are likely to use words that can corrupt the investigation or undermine the poten- tial value of an investigation. Corrupting words include ambiguous names or action descriptions, implicit conclusions,andwords with built-in judgments. For example, ambiguous names of actors like ``they'' or ``she'' or grouped actors like ``the crew'' or ``the second shift'' can confuse hearers or readers, because they can not visualize who did what without more data. Ambiguous actors re¯ecting inadvertent use of the pas- sive voice grammatically, such as ``it was decided,'' have the same eect. Investigators often use the passive voice to cover up their incomplete or shoddy investiga- tion or unacknowledged unknowns. Implicit conclu- Investigation Programs 695 Figure 2 The investigator's data transformation challenge. The investigator must transform all kinds of data from all sources into the investigation data language format needed to describe what happened. (From 10 MES Investigation Guides. Guide 1, MES Event Building Blocks. Oakton, VA: Ludwig Benner & Associates, 1998, p. 6.) Figure 3 Minimum event building block elements. This is the minimum information required to permit investigators to arrange events into their correct sequence as they develop their description of what happened. (Adapted from K Hendrick, L Benner. Investigating Accidents with STEP. New York: Marcel Dekker, 1986, p 128.) Figure 4 Comprehensive event building block. This format is helpful for documenting actions during a complex occurrence, and for investigations which might be used in potentially controversial environments such as claims settlement, arbitration or litigation. (Adapted from K Hendrick, L Benner. Investigating Accidents with STEP. New York: Marcel Dekker, 1986, p 128.) Copyright © 2000 Marcel Dekker, Inc. sions may be subtle, and are usually hidden in words like ``did not,'' or ``failed,'' or ``inadequately.'' They should be avoided, unless the evidence and behavior standard on which the conclusion is based are also clearly de®ned and described. Most corrupting are words with built-in judgments. Descriptions of occurrences should be factual, not judg- mental. Frequently the judgments can not be veri®ed, convey false certainty, rouse defensive feelings, mask dierences in understanding, sti¯e thought, and slant viewpoints. For example, once a judgment is made that someone ``failed'' to act, made a ``human error,'' or was ``inadequately'' prepared, the tone of what fol- lows is setÐto ®nd out what the person did wrong and lay blame on that person. Investigators should view such words as poison words, and avoid them. A review of lan- guage pitfalls described in Hayakawa's work [7] is highly recommended. The investigator should strive to report events at the lowest rung on Hayakawa's ladder of abstraction. Conformance to the actor  action data structure helps investigators avoid these pitfalls, economize their investigation reporting eorts, and improve investigation eciencies. Mental Movies. A mental movie is a sequence of visualized images of what happened, arrayed in the sequential order and approximate times they hap- pened. Making mental pictures or a ``mental movie'' of what people and objects did enables investigators to cope with new data as the data are acquired. They enable investigators to integrate data gathering and analysis functions. Mental movies serve four important investigation purposes. They force investigators to try to visualize what happened, demand concrete action data, help order the data as they are acquired, and pinpoint what they do not know about the occurrence. The mental movie construction requires investigators to visualize the speci®c actors and actions involved in the occurrence and the eects of their actions on others. As the data acquisition continues, the mental movie framework provides a place to order the actions relative to other data already in hand. When investi- gators cannot visualize what happened, each ``blank frame'' in the mental movie identi®es unknowns, and the need for speci®c data about the actor or action in the time period involved. Thus blank frames de®ne unknowns and narrow the search for additional data as the investigation progresses. The concept also applies to witness interviews. The investigators' challenge is to transfer the mental movie from the witnesses' heads into their heads. This view helps investigators probe for concrete data from witnesses, and ask questions that generate concrete answers. Progressive Analysis. This is the concept of integrat- ing new data into all existing data as each new data item is acquired during the investigation. The reason for using progressive analysis methods is to integrate the data gathering and analysis functions into an ef®cient, effective consolidated task as the investiga- tion progresses. The progressive analysis concept provides a basis for establishing criteria for the selection of the investi- gation methods. The formulation of mental movies is an informal implementation of this concept. A more formal implementation is the multilinear events sequencing methodology and its ¯ow charting time- events matrices, or worksheets. Using either method, investigators can achieve very ecient, real-time data gathering and analysis task integration during investi- gations. The historical approach to investigation has been to gather all the facts, analyze the facts, and then draw conclusions and report ®ndings. This approach results in separately gathering the ``facts'' and subsequently analyzing them to develop conclusions and ®ndings. The approach is widely used by traditional industrial accident investigators, by litigants, and by many public investigation organizations. This process is inecient, time consuming, and prone to overlooking relevant data. Additionally, it is more tolerant of ambiguous and irrelevant data, particularly in investigations with two or more investigators. The identi®cation of rele- vant data during data gathering tasks is ill de®ned, and objective quality management methods are not usually viable. Break Down Events. Breaking down or decomposing events is an old concept, but understanding how it is done is very important to investigators. When the ``think events'' concept is employed, unclear or grouped actors or actions can be ``broken down'' or decomposed into two or more actors or actions to help investigators understand what happened. One question every investigator faces in each inves- tigation is how long to continue breaking down events. The technical answer is ``it depends''Ðon the need to understand what happened in sucient detail to be able to reproduce the occurrence with a high degree of con®dence. Alternatively, it may depend on the resources available for the investigation: stop when the allotted time or money is exhausted. Still another 696 Benner Copyright © 2000 Marcel Dekker, Inc. answer depends on the quality assurance task needs: stop when quality assurance tasks meet quality assur- ance criteria, including the degree to which uncertain- ties or unknowns are tolerated in work products. Event Pairs and Sets. An event pair or event set con- sists of two or more events, either next to each other in the sequence, or part of a cause±effect relationship. Event pairs or sets provide the foundation for sequen- cing events disclosed by the investigation data, using temporal and spatial sequencing logic. After the sequential logic is satis®ed, a second application of the concept is to apply cause±effect logic to determine if the events are causally related to each other. After causal relationships are established, application of necessary and suf®cient logic to each related pair or set can be used to determine the completeness of the investigation or description of the occurrence. The event pairing also enables investigators to de®ne gaps in the occurrence description, or any un- certainties associated with those events. That in turn enables investigators to integrate each new data item into the existing event patterns and gaps as data are acquired, as shown in Fig. 5. Event pairs are also used to compare what hap- pened with what was expected to happen, as part of the problem discovery and de®nition investigative sub- process. Another use is for identifying and assessing performance improvement options, and preparing plans for monitoring implementation of new actions. By ``thinking events'' and using progressive analysis methods, investigators can accelerate the investigation and reduce data-gathering burdens. Event Linking. An event link is a representation of a cause±effect relationship between two events. The orderly sequencing of events found during the investi- gation generates the evolving description of what hap- pened. To understand why events happened, the investigator needs identify and document rigorously and completely the cause±effect relationships among all the relevant the events. This task rests on the event linking concept. In practice, links are arrows on documents showing the cause±effect relationships between the earlier and later events. By convention, links lead from the triggering event to the triggered event. To establish links, the investigator considers each potentially relevant event in pairs or sets, to decide whether or not they have a cause±eect relationship. If one had to occur to produce the other, the investi- gator links the events to document that relationship. If the causal relationship is not direct but through another event, that third event (or a ``?'') is added to the set. If the original events in the pair have no cause± eect relationship, no link is added, and one or both of the unlinked events may be irrelevant (Fig. 6). The linking concept provides a way to display logi- cal cause±eect relationships for each event that is identi®ed. It also provides a way, with the question marks, to: Progressively incorporate relevant events into the description of the occurrence as each is acquired. Identify completed data acquisition tasks. Identify un®nished investigation tasks. Investigation Programs 697 Figure 5 Sequencing new events. As new data de®ning event A2 become available, the investigator can assure its proper sequencing by determining where it should be placed on the time±actor matrix relative to other known events. (From K Hendrick, L Benner. Investigating Accidents with STEP. New York: Marcel Dekker, 1986, p 135.) Figure 6 Linked events sets. Set 1 represents two events with a direct cause±effect relationship. Set 2 represents three events (A1, A2, A3) that will produce B1 every time they occur. Set 3 represents one event that will lead to three other events. Set 4 represents two events for which a causal relationship may exist. The ``?'' represents an un®nished investigation task. (From 10 MES Investigation Guides, Guide 2, Worksheets. Oakton, VA: Ludwig Benner & Associates, 1998, p 4.) Copyright © 2000 Marcel Dekker, Inc. De®ne speci®c remaining data needs and acquisition tasks or workload. Control expenditures of more time or money to get missing data. Filter irrelevant or unlinked data from work pro- ducts. Show users uncertainties or unknowns at the end of an investigation. An ideal investigation will produce a description of the occurrence that consists of all interacting or linked events, and only those which were necessary and sucient to produce the outcomes. Anything less indicates an incomplete description of the occur- rence. Anything more will almost certainly raise unne- cessary questions. Energy Tracing. This concept is also based on Johnson's MORT safety research [6]. His point was that energy is directed by barriers to do desired work. When barriers do not successfully direct the energy to its work target, the energy can do harm to vulnerable targets. These events are part of the auto- mated system or robotics accident or incident process. Energy produces the changes investigators see in objects or people. Tracing energy paths and ¯ows to ®nd what produced the observed changes helps inves- tigators explain ``how did what you see come to be?'' Energy ¯ows leave tracks of varying duration. To trace energy ¯ows the investigator's challenge is to ®nd those tracks or changes that resulted from the energy ¯ow. This energy tracing can be done in a sequential way, from the time the energy enters the system until the energy has produced the work that can be observed. ``Energy'' should be viewed broadly, ranging from the readily identi®ed electrical and mechanical categories to people inputs, for example [8]. It can also be a more obscure energy such as gas generated by bacterial action, temperature changes and oxygen that rusts iron. See Appendix B for a thought-starting list of energies observed by the author during investigations over a 20- year period [9,10]. Each energy form is an actor that is tracked through the system to identify any harm that it did, and any constructive work or control it brought to the system during the occurrence. The concept also has the eect of requiring an understanding of the system in which the energy ¯ows. Systems are designed to constructively direct energy ¯ows with barriers. Thus the investigator needs to ®nd out what energies might have aected the system, the barrier behaviors, and the harmful work that was done, and also to trace any ameliora- tion work that aected the interactions or changed the potential outcome. The orderly tracing of energy ¯ow backward from the harm produced often helps de®ne the system, if it has not been de®ned before the occurrence. That is not unusual, and is why investi- gating minor occurrences is usually so valuable. Witness Plates. This concept was adapted from the explosives testing ®eld. During ®eld tests, metal plates positioned all around an outdoor explosion bore wit- ness to work done on them by objects and energies released when the device was exploded. Experts then interpreted the changes to the witness plates to analyze what acted on them during the explosion. The concept de®nes the process for ``reading'' events on objects after an occurrence. It applies the energy-trace principle to investigation, in that energy which does work during occurrences leaves tracks on ``witness plates.'' Witness plates are the keepers of the tracks left by energy exchanges. This applies to both objects and people. By viewing both as witness plates or keepers of data about events that occurred, investi- gators respect the sources. They recognize that their ability to access the data depends on their own skills to acquire the data, more than the witness or object's ability to communicate their data to them. Thus the concept helps investigators maintain a constructive attitude about witnesses they interview, and objects they study in investigations. Objective Investigation Quality Assurance. Objective quality assurance is the use of nonjudgmental criteria to assess the quality of an investigation and its work products. This concept results in displaying events, and using rigorous logic tests to assess the order, relevance and completeness of the description and explanation of the occurrence. It uses time and spatial sequencing of events to assure the proper ordering of events. It then uses cause±effect logic to assure discovery of relevant interactions among events. It then uses necessary and suf®cient logic to assure the completeness of the ordered and linked events which describe and explain what happened. The display enables the investigator to invite con- structive critiques of the logic ¯ow of the events con- stituting the occurrence. The demand to state the data and name the sources to justify any proposed addi- tional events or changes to a ¯ow chart disciplines experience-based experts who want to challenge an investigator, promote their interests, redirect plans, or create uncertainty for other reasons. 698 Benner Copyright © 2000 Marcel Dekker, Inc. [...]... models and investigation methodologies J Safety Res 16(3): 105126, 1 985 This work can also be found in ref 3 13 Handbook P 8 8- I-1 Investigation of Mining Accidents and Other Occurrences Relating to Health and Safety U.S Department of Labor, Mine Safety and Health Administration, 6/21 /94 Release 3 (http:// www.msha.gov/READROOM /HANDBOOK/ PH88I-l.pdf.) 14 Introduction to investigation (Companion guide to a... Society of Air Safety Investigators Forum, 14:1, 1 981 (http:// www.iprr.org) Investigation Programs 5 K Hendrick, L Benner Investigation concepts In: Investigating Accidents with STEP New York: Marcel Dekker, 1 986 , pp 30, 235 6 WG Johnson The Management Oversight and Risk Tree-MORT SAN 82 1-2 UC4l, prepared for the U.S Atomic Energy Commission, Division of Operational Safety under contract AT(0 4-3 ) -8 21,... timing of events, changing the magnitude of events, or substitution of components, energies, or barriers, for example Then, the consequences of each change can be estimated by studying what e€ect the change might have on the subsequent events involved in the occurrence Comparing the predicted consequences of each candidate change provides a basis for evaluating and rank- 712 Benner ing the desirability of. .. explanations of what happened, with recurring jargon such as chain of events, unsafe acts, human error, failures, fault, and the like An emphasis on ®nding a single ``golden bullet'' to explain the occurrence such as ``the cause'' or the root cause or equivalent A lack of scienti®c rigor or disciplining procedures demanded of investigators, such as time-disciplined demonstration of relationships Lack of objective... continually improving their data gathering, analysis, and logic skills 1.3.3 .8 Put Quality Controls in Place ( 28) Quality control procedures should be put in place to assure the adequacy of the deliverables, the quality of actions implemented as a result of the investigations, and the quality of the investigation process itself The quality of the deliverables and ®ndings can be screened before they are distributed... you're wrong,'' in any careful, literal reading of the entire volume of the OSHA standards Copyright © 2000 Marcel Dekker, Inc 721 applied ``wall-to-wall'' throughout an industrial plant of any reasonable size 2.2 GENERAL REQUIREMENTS Most OSHA standards have survived the public controversy over their volume, their origins, and their relevance to current industrial operations While it may seem that nearly... acceptable means of informing OSHA of these major incidents Fortunately, tragedies of this magnitude are rare for applications of automation, but unlike the imminent danger category, fatalities or major accidents are de®nitely a possibility when working around automatic Copyright © 2000 Marcel Dekker, Inc machines, robots, or other automated systems Accounts of human fatalities at the hands of industrial. .. products; for media contacts; for consultations with counsel; for self or peer assessment of investigation performance; and any other tailored elements of the selected process References provide detailed descriptions of investigation tasks [10,16] 1.3.2 .8 Adopt Investigation Plan ( 18) This step is the ®nal co-ordination step Each person a€ected by the plan reviews it, con®rms the intended operation... desirability of the alternative choices, in terms of their relative ecacy and eciency This comparison and evaluation should include a discussion of the costs of implementation and value of predicted performance improvements [27] 1.4.4.3 Success Monitoring Another constructive use of the descriptions is to develop a monitoring plan with which the predicted success of proposed actions can be monitored if they... actor±action-based process is used, the quality assurance task consists of having another investigator review the ¯owchart and supporting data for their logic and suciency This helps identify and remove conjecture, speculation, and unsupported conclusions Other indicators of quality problems are the number of questions raised by users, or the degree of controversy that follows release of a report . explanations of process interactions that produced the outcomes of interest. Other perceptions of the nature of occurrences are often encountered. A linear ``chain of events'' per- ception of. lack of scienti®c rigor or disciplining procedures demanded of investigators, such as time-disci- plined demonstration of relationships Lack of objective quality control criteria and proce- dures. classes of robotics equip- ment. Tailoring might also be needed because of spe- cial regulatory considerations, or because of the nature of the organization or its policies. If so, descriptions of techniques