Most accident analyses are based on ad hoc approaches. Many formal analysis techniques have been proposed, but few are widely used. This case study shows how a structured process called CAST (Causal Analysis based on Systems Theory), based on a more powerful model of accident causation, can improve the results of accident investigation. The case study used is a CFIT (controlled flight into terrain) accident
involving a UPS A300-600 aircraft while landing at the Birmingham-Shuttlesworth International Airport on August 14, 2013. The results are compared with the official NTSB accident report. The NTSB process is usually considered the “gold standard” in accident investigations, and indeed, they do an excellent job. Therefore, a comparison of the results is informative about how accident investigation and analysis might be improved beyond the standard approach used by the NTSB and most others.
The structured analysis method used, called CAST (Causal Analysis based on System Theory), is based on an expanded accident model called STAMP (Systems-Theoretic Accident Model and Processes) [Leveson, 2012]. Traditionally, accidents have been thought of as resulting from a chain of failure events, each event directly related to the event that precedes it in the chain. For example, the baggage door is not completely closed, the aircraft climbs to a level where unequal pressure between the cargo
compartment and the passenger cabin causes the cabin floor to collapse, the cables to the control surfaces (which run through the floor) are severed, the pilots cannot control the aircraft, and the plane crashes. The biggest problem with such a chain-of-events model is what it omits. For example, why did the design of the baggage door closure mechanism make it difficult to determine whether it was effectively sealed? Why did the pilots not detect that the door was not shut correctly? Why did the engineers create a design with a single-point failure mode by running all the cables through the cabin floor? Why did the FAA certification process allow such designs to be used? And so on. While these
additional factors can be included in accident investigation and analysis, there is no structured process for making sure that “systemic” causal factors are not missed.
STAMP extends the traditional model of accident causation to include the chain-of-events model as one subcase but includes the causes of accidents that do not fit within this model, particularly those that occur in the complex sociotechnical systems common today. These causes (in addition to component failure) include system design errors, unintended and unplanned interactions among system components (none of which may have failed), flawed safety culture and human decision making, inadequate controls and oversight, and flawed organizational design. In STAMP, accidents are treated as more complex processes than simple chains of failure events. The focus is not simply on the events that led to the accident, but why those events occurred.