International Journal of Industrial Ergonomics 25 (2000) 327}347

A comparison of accident analysis techniques for safety-critical

man}machine systems
Tom Kontogiannis!,*, Vrassidas Leopoulos", Nikos Marmaras"
!Department of Production Engineering and Management, Technical University of Crete, GR 73100 Chania, Crete, Greece
"Department of Mechanical Engineering, National Technical University of Athens, Greece
Received 23 February 1999; accepted 20 April 1999

Abstract

The complexity of modern industrial systems has prompted the development of accident analysis techniques focusing
on specialised aspects of the system. Although it is di$cult to "nd a single technique that would integrate the di!erent
types of analysis (e.g. event analysis, human error analysis, and causal factors analysis), accident analysis techniques
should provide appropriate input to others investigating complementary aspects of the system. To ful"l this requirement,
this article proposes a taxonomy of criteria for the assessment and revision of system engineering techniques that have
been applied to accident analysis. The proposed criteria are illustrated in the context of three techniques, i.e. fault trees,
sequentially Timed Events Plotting, and Petri Nets. The Piper Alpha incident has been selected as a case study to
illustrate the strengths and weaknesses of the three accident analysis techniques. Extensions of the notation of these
techniques are suggested in order to generate appropriate information for the analysis of human errors, error recovery
paths and causal factors at the workplace and organisational levels.
Relevance to industry
Accident analysis techniques are essential in learning lessons and preventing similar unfortunate events in future.
Advances in human error research provide useful opportunities for improving the e!ectiveness and usability of these
techniques. A set of assessment criteria are proposed to provide a basis for further developments in accident analysis
techniques. ( 2000 Elsevier Science B.V. All rights reserved.

Keywords: Accident analysis; Human error; Fault trees; Sequentially Timed Events Plotting; Petri Nets; Safety

1. Introduction life, severe environmental damage and loss of the

Accidents are undesired events which result from
unplanned deviations in system operations. Their
adverse consequences may include injury, loss of
* Corresponding author. Tel.: 0030-821-37320; fax: 0030-821-
69410.
E-mail address: konto@orpheas.dpem.tuc.gr (T. Kontogian-
nis)
system itself. Accidents are usually caused by
a combination of latent failures (e.g. maintenance
problems), machine failures and erroneous human
nterventions. In safety-critical systems, the analysis
of major accidents focuses on investigating the
causal factors of system failures in order to pre-
vent similar incidents in future or minimise their
consequences. In the last two decades there
has been an increasing realisation that a similar

0169-8141/00/$ - see front matter ( 2000 Elsevier Science B.V. All rights reserved.
PII: S 0 1 6 9 - 8 1 4 1 ( 9 9 ) 0 0 0 2 2 - 0
328 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
systematic analysis should be undertaken for minor
incidents and even near misses because of the
greater amount, reliability and accessibility of in-
formation that can be made available in these situ-
ations. The analysis of near misses, for instance, can
reveal useful information about recovery actions
that stopped the sequence of events from giving rise
to an accident. Accident reporting and analysis can
also be seen as a special case of the feedback
loop required in quality management to generate
improvements in system quality.
Accident analysis in safety-critical systems, such
as nuclear power stations, chemical production
plants, commercial shipping and aviation, can be
time-consuming and labour-intensive. Amongst
others, the following activities make accident ana-
lysis a demanding cognitive task:
f Represent mentally both the technical system,
which may consist of several interrelated compo-
nents with varying dynamic responses, and its
changing con"guration due to unanticipated
events and human interventions.
f Infer logically or through traces the failures of
the technical system, the inadequacies of the
human}machine interface, and the erroneous
human interventions. In addition, latent failures
at the technological and management levels
should be identi"ed.
f Determine possible error recovery paths and
safety barriers that could have prevented the
accident.
These activities become increasingly di$cult
since information concerning the accident may be
lacking or unreliable. To cope with these di$cul-
ties, accident analysis is usually conducted by
a team of people comprising forensic scientists,
experienced operators of the domain, engineers and
human factors specialists. However, the co-opera-
tion of all these people may be di$cult due to their
di!erent background knowledge, points of view,
technical jargons, and so on.
To facilitate the conduct of accident analysis,
several techniques have been developed in the last
few decades for investigating serious accidents in
safety-critical systems (for an overview see Benner,
1985; Ferry 1988; Suokas and Pyy, 1988). These
techniques can be broadly classi"ed into three
categories, according to their primary focus on: (i)
critical events and technological interventions, (ii)
human errors and their mechanisms, and (iii) causal
factors at the workplace and organisational levels.
Traditionally, the "rst area of investigation has
received the greatest attention mainly from system
engineering techniques, such as fault tree analysis,
post-hoc event trees, and so on. These techniques
focus on the failures of the technical systems, auto-
matic control systems, barrier mechanisms, and
escape systems. In recent years, a lot of emphasis
has been placed on the erroneous human interven-
tions that failed to control or exacerbated the acci-
dent sequence.
More systematic assessment of human errors and
their mechanisms was made possible by the work of
human science researchers (e.g., Rasmussen, 1986;
Hale and Glendon, 1987; Reason, 1990) who de-
veloped practical taxonomies of error types, error
mechanisms and error-producing conditions of
work and error types. These error taxonomies have
resulted in the development of several accident
analysis techniques which focus on the contribu-
tion of human agents and conditions of work to the
accident sequence (Kontogiannis, 1997; Kirwan,
1998; Hollnagel, 1998). It is conceivable that
these human error analysis techniques can provide
valuable input to the traditional accident analysis
techniques utilised in the context of system
engineering.
In the 1990s, there has been a growth of new
techniques focusing on the management responsi-
bilities for the conditions of work and technical
failures that lead to accidents. Techniques which
re#ect this viewpoint examine the organisational
systems and mechanisms which were responsible
for the control and maintenance of the intended
operations, but which allowed the accident or near
miss to occur. Inadequacies or failures of organisa-
tional systems can give rise to several latent failures
(e.g. maintenance problems, inadequate training
and procedures) which are likely to give rise to an
accident sooner or later. The management over-
sight and risk tree (MORT) technique (Johnson,
1980) is one of the few examples in this category of
accident analysis. MORT enables analysts to ident-
ify aspects of the safety management system which
must be improved in order to achieve the desired
level of risk control.
 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
These developments in accident analysis have
led to a revision of existing techniques so that a
range of technical, ergonomic and management
factors are included in the same accident repres-
entation. For instance, Johnson (1999) has extended
the notation of fault tree analysis to visualise the
relationship between human error and organisa-
tional failures. In this sense, developments in acci-
dent analysis call for new criteria in the assessment
of techniques.
The objective of this article is to evaluate recent
techniques in accident investigation which aim to
provide more complete accounts of critical events
and human actions in terms of their underlying
workplace and management causes. Based on an
earlier assessment (Benner, 1985), two accident
analysis techniques } i.e. fault tree analyis (FTA)
and sequentially timed events plotting (STEP)
} were judged to be the most comprehensible ones
for the analysis of critical events and errors. This
article has undertaken a comparison of these tech-
niques with a third one concerning the application
of Petri Nets to accident analysis.
The following section presents a taxonomy of
assessment criteria for accident analysis techniques
which aim at expanding the analysis of critical
events into the human interventions and the man-
agement factors which gave rise, failed to control,
or exacerbated the initial sequence of events. The
main body of the article concerns the comparison
of the previous three techniques in terms of the
proposed assessment criteria. The Piper Alpha inci-
dent has been selected as a case study to illustrate
the strengths and weaknesses of the accident analy-
sis techniques.
2. Criteria for the evaluation of accident analysis
techniques
Previous studies have speci"ed a variety of as-
sessment criteria for accident analysis techniques
(e.g. Benner, 1985; Ferry, 1988; Suokas and Pyy,
1988) which could be assigned to the following
categories:
f Sequential and temporal aspects of the accident
scenario } i.e. sequence, timing, event depend-
encies, and levels of representation, etc.
329
f Aspects of the accident analysis process } i.e. cop-
ing with unreliable evidence, modelling of as-
sumptions, and encouraging participation,
f Aspects of accident prevention } i.e. identifying
causal factors at the workplace and management
levels, modelling error recovery paths, and devis-
ing prevention measures at the management and
legislation levels.
In this section, a taxonomy of assessment criteria
is proposed speci"cally for accident analysis tech-
niques which aim to expand the traditional system
engineering approach and incorporate aspects of
human interventions and causal factors at the
workplace and management levels. Techniques
which perform in-depth investigation of human
error mechanisms and analysis of management fac-
tors are beyond the scope of this article. This was
the reason for selecting FTA, STEP and Petri Nets
as candidates for the application of the taxonomy
of assessment criteria.
2.1. Sequential and temporal aspects of accident
scenarios
Accident analysis techniques are usually judged
in terms of the support provided to investigate
complex scenarios. Multiple agents may be in-
volved in the accident, taking a number of actions
which interact in complex ways. In addition, the
events may have di!erent temporal characteristics
such as timing and duration. The representation of
accident scenarios often produces complicated dia-
grams which are di$cult to use. For this reason, the
analysts should be able to represent the accident
scenario at di!erent levels of abstraction. The
following criteria are proposed to examine the
support o!ered for analysing the sequential and
temporal aspects of events:
f Event sequence: The technique should support
analysts in describing and representing the se-
quence of events/actions that have led to the
accident.
f Event agents: The graphical representation should
facilitate the identi"cation of agents of di!erent
events/actions and, if possible, facilitate their
grouping in technical, interface, and human agents.
f Event dependencies and cascade ewects: The
technique should support the identi"cation of
330 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
relationships between the events/actions and
examine their dependencies and cascade e!ects.
Dependency refers to the extent that the occur-
rence of an event/action is dependent upon pre-
ceding ones. In addition, the technique should
represent cases where the consequences of an
event/action are spread upon other areas of the
accident scenario.
f Modelling the timing and duration: The technique
should record both the `timinga (i.e. when the
event happened) and the `durationa of the
event/action (i.e. how long the event lasted).
Special notation may be required when descrip-
tions of timing are imprecise. The duration is
also important because we can appreciate cases
where operators have to perform many tasks or
respond to many events at close time proximity.
In other words, the representation of timing and
duration may provide a rough estimate of the
workload of operators.
f Multiple levels of representation: Graphical
representations of accidents frequently become
unwieldy because of the large number of events/
actions involved and their complex relationships.
To simplify the representation, analysts should
be able to create `groups of eventsa or `groups of
actionsa and describe them in more abstract
terms; this would enable them to create a mul-
tiple level description of the accident scenario.
2.2. Aspects of the accident analysis process
Accident analysis is a dynamic process which
requires modi"cations to the representation of acci-
dent as additional evidence becomes available. This
implies that analysts may have to make assump-
tions about events which are supported by weak
evidence and accommodate di!erent accounts of-
fered by various witnesses. Modelling of assump-
tions and inconsistencies, therefore, is very
important for re"ning the accident analysis as evid-
ence accrues. In addition, accident analysis tech-
niques should facilitate the co-operation between
analysts of di!erent backgrounds. Therefore, the fol-
lowing three criteria are proposed for assessing the
cognitive support provided in the course of analysis:
f Modelling assumptions. The graphical represen-
tation of the accident should o!er capabilities
for marking events or actions where assumptions
are made due to weak evidence. For example,
dotted lines can be used for assumed events or
assumed actions; these lines can be turned into
solid when we become certain that our evidence
is reliable at later stages of the analysis.
f Modelling inconsistencies. Sometimes, the evid-
ence that we get from the accident data contains
inconsistencies or con#icts. This happens be-
cause di!erent people o!er contradictory ac-
counts of what happened. To resolve this issue,
analysts so far have tended to create two or more
sequences of events corresponding to di!erent
interpretations of what happened. However, it
would be desirable to be able to merge all incon-
sistencies in a single diagram.
f Co-operation facilitation. The graphical represen-
tation should be comprehensible to all members
of the accident analysis team so that it can be
used as a common reference framework as well
as facilitate their co-operation.
2.3. Aspects of accident prevention
The ultimate outcome of the accident analysis is
to identify the critical events that have led to the
accident and the failures of the agents that gave rise
to the critical events. In this sense, the accident
analysis aims to identify factors at the technical,
workplace and management levels (i.e. the context
of work) that should be controlled in order to
prevent future accidents or minimise their conse-
quences. Prevention measures, therefore, are tightly
linked to the causal factors of the work context. In
the past, a lot of emphasis has been placed into the
prevention or avoidance of human error. However,
this is not always possible in complex systems and
attention must also be paid to the error recovery
paths that could have prevented errors or mini-
mised their consequences (Kontogiannis, 1999).
For this reason, the modelling of error recovery
paths should be treated as an additional criterion in
the assessment of accident analysis techniques.
Therefore, the following criteria can be used for
assessing the support provided in the accident pre-
vention process:
f Event criticality. The technique should support
the judgment of the importance or criticality of
 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
the events/actions and their contribution to the
accident.
f Modelling error recovery. There are very few
techniques available for modelling events and
information cues that could have helped oper-
ators to detect and recover their errors. Kon-
togiannis (1996) argued that accident analysis
should o!er capabilities for recording `missing
eventsa (i.e. events that were absent or delayed
when operators made their decisions), `mis-lead-
ing eventsa (i.e. events that over-shadowed
others) and `attention-diverting eventsa.
f Modelling the context of work. It has been argued
that modelling the timing and duration of
events/actions would provide an indication of
the workload of operators. However, other
things the operators had to do in parallel within
their main tasks, could also contribute to their
workload. It would be desirable, therefore, to
represent not only the events/actions that were
directly involved in the accident, but also other
events/actions that undoubtedly a!ected the
workload and perception of operators.
f Preventive measures. The graphical representa-
tion should facilitate the development of preven-
tive measures and their cost}bene"t analysis.
3. Presentation of accident analysis techniques
To apply the assessment criteria, three accident
analysis techniques have been selected which ap-
peared to be amongst the most favourable in acci-
dent analysis (Benner, 1985; Johnson, 1998). The
techniques of Fault Tree Analysis, Sequentially
Timed Event Plotting (STEP) and Petri Nets are
brie#y described below.
3.1. Fault trees
Typically, fault trees have been used pre hoc to
analyse potential errors in the design of technical
systems (Vesely et al., 1981). Recently fault trees
have been used in a post hoc fashion to analyse
accidents. Fault trees are constructed from events
and gates. Basic events can be used to represent
underlying technical failures that lead to accidents
while intermediate events can represent operator
331
errors that may exacerbate technical failures. The
gates of the fault trees can be used to represent
several ways in which machine and human failures
combine to give rise to the accident. For instance,
an AND-gate implies that both initial events need
to occur in order to give rise to the intermediate
event. Conversely, an OR-gate means that either of
two initial events can give rise to the intermediate
event. In the context of accident analysis, an OR-
gate implies lack of evidence; as more evidence
becomes available we can become more certain
which of the two initial events were true.
More detailed information about the notation
of events and gates in fault trees is provided by
Andrews and Moss (1993). It is worth quoting,
however, the notation of an INHIBIT-gate in fault
trees which helps analysts to record non-contribu-
tory events to the accident. Non-contributory
events are worth recording in fault trees because of
their implications for the causation of a similar
accident under di!erent circumstances.
3.2. STEP
The STEP technique (Hendrick and Benner, 1987)
provides a reconstruction of the harm process by
plotting the sequence of events/actions that contrib-
uted to the accident. The main concepts in STEP are
the initiation of the accident through an event or
change that disrupted the technical system, the
agents which intervene to control the system (e.g.
human beings, automatic controllers, equipment,
and monitoring systems), and the elementary `event
building blocksa. The analysts construct an STEP
worksheet which charts the evolution of events, ac-
tions and system interventions (on the horizontal
axis) performed by the agents (on the vertical axis).
The "rst stage in STEP involves the de"nition of
the `beginninga and `enda states of the accident.
This bounds the scope of the investigation from the
"rst event that deviated from the planned technical
process to the last harmful event in the incident.
Subsequently, the analysts identify the main events/
actions that contributed to the accident and con-
struct their `event building blocksa which contain
the following information:
f the time at which the event/action started;
f the duration of the event/action;
332 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
f the agent which caused the event or action;
f the description of the event/action, and,
f the name of the source which o!ered this in-
formation.
In the second stage, the events/actions are in-
ter-connected with arrows. All events should have
incoming and outgoing arrows which show `pre-
cedea and `followa relationships between events.
Converging arrows show dependencies between
events while divergent arrows show the impact on
following events. The converging arrows are com-
parable to the AND-gates of fault trees. STEP does
not use OR-gates because the completed worksheet
shows events with a certainty of one rather than
with probabilities.
The accuracy of the event representation is
checked using the backSTEP technique by which
we reason backwards in order to examine how each
`event building blocka could be made to occur.
Reasoning backwards helps analysts to identify
other ways in which the accident process could
have occurred, and this guides the search for addi-
tional data. Measures for preventing an accident
can be identi"ed in terms of causal links that could
be blocked and `missinga links to events with a pre-
vention capability. STEP provides a valuable over-
view of the timing and sequence of events/actions
that contributed to the accident.
3.3. Petri Nets
Petri Nets is a formal and graphical language
which is appropriate for modelling systems with
concurrency. Petri Nets have been under develop-
ment since the early 1960s, where C.A. Petri de"ned
their notation; it was the "rst time that a general
theory of discrete parallel systems was formula-
ted. The language is a generalisation of automata
theory which supports the concept of concur-
rency. Petri Nets have found many industrial
applications, ranging from the modelling of Pro-
grammable Logic Controllers to the modelling of
Manufacturing Systems (Leopoulos, 1984; Proth et
al., 1993; Leopoulos and Tatsiopoulos, 1999).
A Petri Net technique (High-Level Petri Nets,
HLPN), for which an International Standard is
under development, has been selected for its ap-
plication to accident analysis.
3.3.1. High-level Petri Net (HLPN ) graphs
A high-level Petri Net graph comprises the fol-
lowing elements:
f A Net Graph. It consists of nodes (i.e. places and
transitions) and arcs connecting places to
transitions;
f Place Types. Places come in several types but one
type is associated with each place;
f Place Marking. A collection of data items (called
tokens) indicating the state of each place;
f Arc Annotations. Arcs are inscribed with expres-
sions which may comprise constants, variables
and function images (e.g. f (x)). The expressions
are evaluated by substituting values for the vari-
ables. When an arc's expression is evaluated, it
must result in a movement of tokens from the
input to the output places;
f Transition Conditions. They consist of signals or
external events (i.e. Boolean expressions), priori-
ties and delays that determine the "ring of
transitions;
f Declarations. They are statements about place
types, variable types, and functions.
HLPN-graphs are executable, allowing the #ow
of tokens around the net to be visualised; this
can illustrate the #ow of control and #ow of
data within the same model. Key concepts govern-
ing this execution are the enabling of transitions
and the #ow of control de"ned by the transition
rules.
3.3.2. Enabling of transitions
A transition is enabled in a particular mode
with respect to a set of places connected to the
transition. A transition mode is an assignment of
values for the transition's variables that satisfy the
transition conditions. The transition's variables are
those that occur in the transition conditions and
arc annotations. The enabling of a transition results
in the marking of its input places. For each
transition mode, the expression of input arcs are
evaluated, resulting in a set of tokens of the same
type as that of the input place. If each input place
contains at least the number of tokens required by
each input arc then the transition is enabled in
a speci"c mode. Two transition modes are concur-
rently enabled for a particular marking when each
input place's marking contains at least the sum of
 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
the enabling tokens of each input arc associated
with that input place.
3.3.3. Transition rules
Enabled transitions can occur ("re). When a
transition "res, tokens are removed from its input
places and added to its output places, according to
the expressions of the arcs. On the "ring of a
transition, two events can occur atomically: (i) an
input place loses as many tokens as speci"ed in the
input arc and (ii) an output place gains as many
places as speci"ed in the output arc. Several en-
abled transitions can "re concurrently in one step.
The change to the marking of the net when a step
occurs is given by the sum of all changes that occur
for each transition mode, as described above. Petri
Nets is a graphical modelling formalism, especially
suited for discrete-event dynamic systems with con-
current or parallel events and activities.
4. A case study: The Piper Alpha incident
The case study we used to compare the accident
analysis techniques concerns the sequence of events
leading up to a hydrocarbon explosion which was
Fig. 1. A simpli"ed schematic of the system where the accident sequence was initiated in the Piper Alpha.
333
the starting point for the Piper Alpha o!shore
disaster where approximately 170 people lost their
lives (July 1988). The initial explosion caused a "re
at the west end of Module B which was spread
quickly to neighbouring portions of the platform.
Shortly afterwards, a major explosion occurred cre-
ating a massive and prolonged high pressure jet of
#ames that generated intense heat. Structural de-
terioration at the level below Module B had begun
which eventually led to the capsize of the Piper
Alpha platform. The description of the sequence of
events leading to the Piper Alpha incident has
been given by one of the authors in Embrey et al.
(1994).
The process involved in the incident concerns the
separation of crude oil into three phases. The crude
is pumped into a two-stage separation process
where it is divided into three phases: oil, gas, and
water. The water is cleaned up and dumped to
drain while the remaining mixture of oil and gas is
pumped into the main oil line where it is metered
and sent on for further processing (a simpli"ed
process diagram is shown in Fig. 1). The case study
described here is centred on a #ange leak in one of
the oil pipeline pumps (pump A) and its associated
pressure relief valve (PRV) piping.
334 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
The separation plant had been running smoothly
for several weeks and the planned shutdown was
some time away. On the day of the incident a num-
ber of unusual events occurred which contributed
to its developement. Shortly after the start of his
day shift, the control room operator (CRO) re-
ceived a high vibration alarm from booster pump
A in the crude #uid separation building. Following
normal procedures, he switched-over to the stand-
by pump B, switched-o! pump A, and told his
supervisor of the alarm. The supervisor subsequently
organised a work permit for maintenance to be
carried out on pump A by the day-shift mainten-
ance team. The permit was issued and repair work
started. Since pump A and its associated pipework
was o!-line, the supervisor took the opportunity to
carry out scheduled maintenance on the pressure
relief valve (PRV) downstream of pump A. The
valve had been malfunctioning, and although the
work was not scheduled to be done for some weeks,
the specialist contractor team who maintain the
PRVs had a team available to carry out the work
immediately. The supervisor therefore now had two
teams working on the pump A systems: the shift
maintenance team working on the pump itself, and
a two-man contractor team working on the PRV
and its associated pipework. The PRV for pump
A is not located immediately adjacent to the pump,
and is above #oor level, close to a number of other
pipe runs. The following description represents
a hypothetical sequence of events based on the
inquiry "ndings, but embellished for the purposes
of the case study.
During the course of the day, the shift mainten-
ance team identi"ed the cause of the vibration and
recti"ed it. They rebuilt the pump and completed
the work at about 17:30, before their shift ended.
The permit was returned to the operations supervi-
sor who duly signed it o!. The contractor's work,
however, did not go as smoothly. The team re-
moved the PRV and the team leader took it to his
workshop for maintenance and pressure testing.
His partner remained behind in order to "t a blank
to the pipeline, as required by site procedures. The
contractor "tted the blank to the pipe, although
the job was made di$cult by its awkward position,
and he returned to the workshop to help with the
maintenance on the valve itself. Unknown to the
workers, the blank had not been "tted correctly
and did not seal the pipe. The PRV required a com-
plete strip and overhaul but the contractors were
unable to complete the work by the end of the day.
They did not inform the day-shift operations super-
visor, as they thought that the pump had been
signed o! for more than one day and that they
would be able to complete the work the following
morning. The day-shift supervisor, having had no
contact with the contractor team since signing-on
their permit, made the assumption that the con-
tractors, as they were no longer on the job, would
be working overtime to complete the job during the
night shift.
At shift handover at 18:00, the incoming night-
shift supervisor was briefed by the day supervisor.
The conversation centred on the vibration fault and
subsequent repair work carried out. However, no
mention was made of the work on the PRV, so
consequently none of the incoming shift were aware
of it. The night-shift supervisor, wanting to return
pump A to standby as soon as possible, asked the
plant operator to check the status of the pump, and
together with the shift electrician, to reset it and put
it back on standby. The operator, unaware of the
work being done on the PRV, did not check this
part of the system and, following inspection of the
pump, returned it to standby.
Later in the night-shift the CRO received a trip
alarm from pump B. Soon after, the second stage
separator high oil level alarm sounded in the con-
trol room. The CRO switched to the standby pump
A in order to reduce the level. Unknown to the
CRO, switching to pump A resulted in high-pres-
sure oil and gas leaking from the incorrectly "tted
blank. The CRO's monitoring of the oil level was
interrupted by the gas monitoring system giving an
alarm. The CRO accepted the alarm but was not
unduly worried, thinking it was a false alarm, as
often happens after work has been done on a pump.
He decided to radio the plant operator and asked
him to check it out. The oil level continued to fall in
the separator, and the leaking #ange continued to
release oil and gas into the separation building. The
plant operator, responding to the CRO's request,
went to investigate the low level alarm in the separ-
ation building. While the CRO was waiting for the
plant operator to report back, the high gas alarm
 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
sounded. He immediately started safety shutdown
procedures. It was at this point that the oil and gas
mixture ignited and exploded, and the next phase of
the Piper Alpha disaster began.
5. Analysis of the incident
This section presents an application of the three
techniques to the analysis of the Piper Alpha incident.
5.1. FTA of the Piper Alpha incident
An FTA has been applied to the Piper Alpha
accident according to the most probable scenario
as described in the previous section. Fig. 2 shows
that two intermediate events were necessary to give
rise to the oil/gas leak, that is, (a) incorrect installa-
tion of the blank on the PRV line, and (b) pump
A was started by the CRO. The analysis proceeds in
a top-down fashion to identify other events or fac-
tors that led to the previous two events.
On the one hand, the incorrect installation of the
blank requires that an error is made (i.e. the con-
tractor mechanic does not "t the blank properly)
which is not detected in the night shift (i.e. plant
operator fails to detect). The latter event is repre-
sented as an undeveloped event in Fig. 2 which
implies that further analysis should be carried out.
The former event was attributed to the `cramped
and con"ned work spacea which prevented the
mechanic from doing the installation properly. The
analysts would have to consider other causes that
may have contributed to the mechanic's error and
examine their likelihood in the particular scenario.
For instance, the analysts may argue that the incor-
rect installation could have been due to inadequate
maintenance skills; if the evidence leads to such
a conclusion, `inadequate skillsa should be incorp-
orated in the FTA (see OR-gate in Fig. 2). In case
that the evidence precludes this conclusion, we
can still keep this event in the FTA as far as an
INHIBIT-gate is used. This gate implies that
`inadequate skillsa could still be a contributory
factor in a similar scenario.
On the other hand, `switching on pump Aa re-
quires that there is a need for this action (i.e. pump
B trip alarm and high oil level alarm), that pump
335
A is available (i.e. CRO knows that pump A is on
standby) and that such an action is taken (i.e. CRO
is not aware of maintenance work on PRV). The
latter event has been identi"ed in the FTA as a criti-
cal event that could have been avoided, had the
plant operator detected the removal of PRV and
the night-shift supervisor received proper noti"ca-
tion from the day-shift supervisor. The analysis
proceeds with the causes of mis-communication
between the two supervisors. As it can be seen from
Fig. 2, the contractor maintenance team failed to
notify the day-shift supervisor who, in turn, failed
to use the formal handover procedures to brief the
night shift. The failure of the contractor to report
on the status of the PRV was due to his assumption
that the PRV was signed-o! for two days and the
inadequate work permit. An OR-gate is used to
relate these intermediate events since further evid-
ence is required to determine which of the two
events were true.
FTA provides a convenient way of representing
the main technical, human and management fac-
tors that lead to accidents. The INHIBIT-gate also
provides useful information about factors that
could have led to similar accidents in future. The
main criticism of FTA is that it provides an im-
poverished representation of real time. There is no
ordering amongst the events that lead into a gate.
Although PRIORITY-AND gates can be used to
capture some temporal aspects of the interaction,
real time is not supported. This is important be-
cause information about real time a!ects the ability
of operators to respond to the scenario. Recent
work by Love and Johnson (1997) has extended the
fault tree notation to include real time by citing the
time at the bottom of each event. However, even
this notation cannot capture temporal relation-
ships between events that have a long duration.
Continuous events are very di$cult to represent in
fault trees.
Another limitation of the application of FTA to
accident analysis concerns the representation of
concurrency. In some cases, the impact of an event
spreads across di!erent areas of the system or trig-
gers the action of di!erent operators. Information
about concurrent events or actions is very impor-
tant for determining the workload of operators
and the amount of data currently available to
336 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347

Fig. 2. A fault tree showing the main events and causes of the Piper Alpha incident.

operators. Fault trees are inadequate in this sense Johnson (1998) has identi"ed some limitations
and need to be supplemented with cause}conse- with the semantics of the AND-gate in fault trees.
quence diagrams (Nielsen, 1974). Fig. 2, for instance, shows that the failure of the
 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
night supervisor to notify the CRO (bottom right
part of FTA) was due to lack of communica-
tion between the day supervisor and the contractor
team and between the day and night super-
visors (i.e. they did not follow formal handover
procedures). In a conventional fault tree, the event
would have been prevented if one of the two initiat-
ing events had been avoided (i.e. by following for-
mal handover procedures). In accident analysis,
however, there is no means of knowing if an acci-
dent would have been prevented in this way. As
Johnson (1998) argued, an AND-gate represents
the fact that an accident report cites several events
as contributory causes; no inferences can be made
about the outcome of an AND gate if any of the
initiating events do not hold.
While FTA cannot capture the temporal aspects
and dependencies of events, it remains a convenient
format for modelling the context of work (i.e. work-
place factors, handover procedures, and com-
munication problems) and, thus, helps analysts in
devising preventive measures both at the technical
and management levels. Fault trees also facilitate
co-operation between analysts because of their
familiar notation and hierarchical description of
the accident scenario.
5.2. STEP analysis of the Piper Alpha incident
A STEP worksheet of the analysis of the Piper
Alpha incident is shown in Figs. 3 and 4, repro-
duced from the work of one of the authors in
Embrey et al. (1994). The STEP analysis was pro-
ved to be an important aid in structuring the data
collection and event representation. First, the point
at which the initial deviation in the planned tech-
nical process occurred was identi"ed (i.e. the vibra-
tions observed in pump A). The agents are placed
on the vertical axis of the worksheet. The horizon-
tal axis represents the time-line on which
events/actions are placed for each agent. The aim is
to trace each agent's actions from the `starta state
to the `enda state. This portrays the contribution of
each agent to the incident, the e!ects on other
agents, and the in#uences of the actions of the
agents. This method can lead to new agents being
considered which were not initially identi"ed in the
incident. Taking the process control system (PCS)
337
as an agent, for example, we can obtain valuable
information about the status of plant equipment
before, during, and after various events. Data avail-
able from the PCS alarm recorder were used to
specify critical time points on the STEP worksheet.
A similar process was carried out for all agents
identi"ed. For agents that are human beings, how-
ever, the analysis can present problems. In the
Piper Alpha case, for instance, the time period for
the development of the incident crossed a shift
boundary, another "xed point on the work sheet,
and therefore involved di!erent people. It is impor-
tant to focus on the events involving the agents and
to avoid introducing bias into the worksheet. Par-
ticular focus was also paid to agent's actions which
initiated changes in other agents. For example, the
CRO's request for the plant operator to check out
the low gas alarm, or the high oil level alarm led the
CRO to switch to pump A and directed his atten-
tion to the status of the oil level.
The backSTEP technique helped to determine
whether all the events for an agent were listed and
whether the relevant `event building blocksa were
placed correctly on the worksheet relatively to
other events. Here lies one of the strengths of the
STEP worksheet. Viewing the events for each
agent, linking the events and looking for neces-
sary-and-su$cient conditions, are activities that
provide valuable help in identifying gaps in the
analyst's knowledge.
The necessary and su$cient test of the back-
STEP technique was found particularly valuable
when applied to event pairs. For example, the trip-
ping of pump B is necessary for the event involving
the night-shift operator switching from pump B to
pump A, but not su$cient to cause this event. The
process control system gave the high oil level alarm
which reduced the time window for the operator to
take other action, for example, investigation of the
causes of the trip. However, other events were also
necessary. These were the con"rmations by the
plant operator and electrician that pump A had
been placed back on standby. If this had not hap-
pened the option to switch to pump A would not
have been available. The necessary and su$cient
test can also lead to diverging links, for example
where the gas/oil leaking from the #ange leads to
both low and high gas alarms and is necessary for
 338
T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347

Fig. 3. A STEP analysis of the initiating events of the Piper Alpha in the morning shift. (From Embrey et al., 1994).
 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347

Fig. 4. A STEP analysis of the events leading to the oil-gas leak in the Piper Alpha in the night shift. (From Embrey et al., 1994)
339
340 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
the ignition of the leak. In this way, the relation-
ships among events are elicited and the investigator
is forced to think about causal events one at a time
instead of considering the incident as a whole. The
process of data collection, with its conversion and
positioning of the `events building blocksa and
logic testing, was an iterative one and this diagram
went though several revisions.
The STEP technique provides accident ana-
lysts with a disciplined, logical, and veri"able
representation of the events involved in the inci-
dent. It also represents well the temporal aspects of
the contributory events, although it needs addi-
tional notation for imprecise timings (i.e. events for
which we are not sure for their precise starting
point). Although continuous events are marked on
the `event building blocksa, still the STEP graph
needs additional visual notation to remind analysts
of events currently activated.
This advantage of STEP over FTA in represent-
ing the temporal aspects of events is at the expense
of representing the workplace and management
factors that have led to human errors. A separate
worksheet is needed in order to perform the human
error analysis and avoid making the STEP graph
unwieldy. Both FTA and STEP techniques score
high on the facilitation of the accident analysis
process and the development of preventive meas-
ures. However, both techniques impose a high
workload on the analysts in keeping a mental track
of all interactions. Although the backSTEP tech-
nique is very helpful in verifying the analysis, it still
lacks the powerful mechanisms of simulation tech-
niques such as Petri Nets.
5.3. Application of Petri Nets to the analysis of Piper
Alpha incident
The development of the Petri Net graph was
based on the ARTIFEX software package (Artifex,
1997). The "rst stage in the development of the
graph concerns the identi"cation of the physical
system, the human agents, and the messages com-
municated (oral and displayed messages) in the
course of the accident. The key concept here is
that the physical system, during its operation,
send messages to human operators, through the
monitoring and alarm system. These messages initi-
ate human actions, some of which may change the
state of the physical system. Fig. 5 presents a Petri
Net graph with the physical system, messages, and
actions while Table 1 describes the places used. The
critical path that led to the accident is also shown in
Fig. 5 where it is further elaborated.
f States of the physical system. The physical sys-
tem involved in the incident consists of the
physical equipment (Pump A, Pump B, PRV,
and the Oil}Gas #ows). For each component,
a Petri Net module was developed to model the
various states in which the component can be
found.
f Messages. Messages can be provided by the
monitoring or the alarm system as a result of
speci"c changes in the state of the physical sys-
tem; these messages can also be modelled as
places in the Petri Net graph.
f Human actions. The actions of human operators,
initiated by the messages of the monitoring
} alarm system, are modelled as places in the
Petri Net graph.
In the Petri Net graph, transitions were utilized to
present pre-conditions and relationships between
the places. Pre-conditions were modelled as signals
or external events to the transitions (see text in
italics) while relationships were modelled as arcs.
For instance, the detection of the problem with the
incorrectly "t blank (Fig. 6) requires that at least
one of the following pre-conditions is satis"ed: (i)
the handover to the night shift is done properly, or
(ii) the contractor team noti"es the day-shift super-
visor (iii) the plant operator detects the problem.
Human errors and consequences can also be rep-
resented as places in the Petri Net graph. However,
to avoid cluttering the graph, it is possible to model
only the correct actions (as shown in Fig. 5) but use
the transitions and arcs to point to di!erent error
consequences. For instance, the preparation of
pump A (PO-prepares-A) involves a visual check
on the pipelines leading to the PRV valve; the plant
operator may either detect the removal of PRV
(`PO-detects?a signal) or fail to detect the problem
and start pump A (A-works). Representing human
errors as places can help to visualise the develop-
ment of the accident but is not required by the
software simulation as far as the error conse-
quences are satisfactorily modelled.
 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347 341

Fig. 5. A Petri Net graph of events leading to the oil-gas leak in the Piper Alpha.

It is important to examine the initial state of the
system prior to the accident by putting the tokens
in the appropriate places. In the initial state, pump
A was working, valve PRV was in normal state and
pump B was available on standby. In the Petri Net
notation, therefore, the analysts should mark the
following places: (A-works), (PRV-normal), and
(Pump-B-standby).
The incident started due to a problem with pump
A. In Fig. 5, this is represented in transition T5
which asks the analyst whether the signal (Vib-
on-A ?) is present. If the answer is a$rmative, the
incident sequence starts and the transition T5 "res.
As a result the token is removed from the place
(A-works) and two tokens are added to places
(A-vibrates) and (CRO-detects-vib). In order to
switch-o! pump A, it is necessary that another
condition exists } that is, the CRO performs this
action. This condition is met automatically since
the token moves through the transition T21 to
the place (CRO-switches-A-o! ). This results in the
"ring of T20 which moves the token to places
342 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
Fig. 6. A Petri Net graph of events leading to the oil-gas leak and possible recovery paths.
(DS-boss-permit-A) and (Pump-A-o! ). In turn this
activates transition T10 and maintenance starts on
pump A (Main-team-on-A).
For starting maintenance on PRV valve, it is
necessary that a problem is found (PRV-problem)
and a permit is issued (DS-boss-permit-PRV). The
former place receives a token once the analyst is
a$rmative about the start of inspection (`Inspect-
PRV ?a signal) while the latter place receives a token
from the "ring of transition T20. As a result,
transition T16 "res and maintenance work starts
on PRV (C-main-team-on-PRV). The system is put
into a safe state when the operator switches-on
pump B (CRO-switches-B-on) after the "ring of
transition T21.
The accident sequence starts upon the "ring
of T3. The software asks the analyst whether the
signal (B-problem ?) is present; if the answer is
a$rmative transition T3 "res. In the Petri Net
graph (Fig. 5), this results in the activation of
places (B-problem), (B-trip-alarm) and (Oil-level-
rises). It is possible to simulate the real time of the
occurrence of these events by specifying a `tem-
porisationa variable; that is, the software can delay
the activation of these places for the times speci"ed
by the analysts. Pump B is switched-o! (Pump-B-
o! ) by the night-shift supervisor upon detection of
the `trip alarm on Ba and the `high oil alarma.
From this point onwards, the event sequence
becomes very critical for the safety of the system.
Fig. 6 shows some elaboration that was necessary
to model both safe and disastrous outcomes. The
problem with pump B provided indications to
the night supervisor (`B-trip-alarma and `high-oil
alarma tokens) as to the need to prepare pump
A for operation (NS-boss-prepares-A). Three pos-
sible situations could result in the detection of the
problem with the un"nished work on PRV, that is:
(i) either the formal handover procedures were fol-
lowed (`Handover-OK ?a signal) or (ii) the plant
 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347 343

Table 1
List of places cited in the Petri Net graph

States of the physical system

A-works Pump A works normally B-works Pump B works normally
A-vibrates Pump A vibrates B-problem Problem on pump B
Pump-A-o! Pump A is set o! Pump-B-o! Pump B is set o!
Pump-A- standby Pump A is put on standby Pump-B-standby Pump B is put on standby
PRV-normal PRV works normally Oil-level-rises Oil level rises
PRV-problem Problem on PRV Oil-gas-leaks Oil and gas leaks into the
separation building
Messages
High-vib-alarm High vibration alarm High-oil-alarm Separator high oil level alarm
B-trip-alarm trip alarm on pump B High-gas-alarm Gas monitoring system alarm

Actions
CRO-detects-vib Control room operator receives a high vibration alarm from pump A
CRO-switches-A-o! Control room operator switches-o! pump A
DS-boss-permit-A Day shift supervisor organises a work permit for maintenance to be carried out on pump A
Main-team-on-A Day shift maintenance team works on pump A
NS-boss-prepares-A Night shift supervisor checks that the conditions for starting pump A are acceptable
NS-boss-requests-A Night shift supervisor requests the plant operator to check pump A in order to return it to standby
CRO-switches-B-on Control room operator switches over to pump B
NS-boss-B-o! Night shift supervisor asks the operator to switch o! pump B
Main-team-on-B Maintenance team works on pump B
DS-boss-permit-PRV Day shift supervisor organises a work permit for scheduled maintenance on the PRV valve
C-main-team-PRV Contractor's team works on PRV and its associated pipework
C- removes- PRV Contractor's team removes PRV
C-repairs-PRV Contractor's team repairs PRV
C-"ts-blank Technician (contractor's team) "ts a blank to the pipe

operator detected the removal of the PRV valve
(`PO-detects ?a signal), or (iii) the contractor noti"-
ed the supervisor (in the day or night shift) about
the un"nished state of maintenance (`C-notixes ?a
signal).
The likelihood of the latter situation, which
was pointed out in the accident report, is further
elaborated in the bottom of Fig. 6. Two alternative
events can occur after the removal of PRV
(C-removes-PRV) depending on how the analyst
answers the question `has the blank been "tted
properly?a (`Blank-xt-OK ?a signal). If the answer is
a$rmative then transition T22 "res and results in
the correct installation of the blank; it is assumed
that the system would continue functioning until
the contractor would have "nished the repair of the
PRV (C-repairs-PRV) that would bring PRV back
to the normal state (PRV-normal). A negative an-
swer would result in a technician error whose con-
sequences could be avoided only if the contractor
team had noti"ed the day- or night-shift supervi-
sors (the "ring of transition T25). Failure of the
contractor team to notify would result in the "ring
of transition of T9 and the consequent oil}gas leak.
Fig. 6 also shows another recovery path regarding
the duration of maintenance work on PRV; had the
maintenance work been completed within the day
shift (a$rmative answer on the signal `shift-xnish
?a) the PRV would return to its normal state
(PRV-normal). Fig. 6 shows vividly all possible
recovery paths that could have prevented the acci-
dent.
Petri Nets o!er a rich representation of the tem-
poral aspects of the events and minimise the work-
load in keeping a mental track of the interactions.
Although the Petri Net graph in Fig. 5 was de-
veloped in a bottom-up fashion, it is also possible
to use a top-down approach. In a top-down analy-
sis, analysts can start with an abstract model of the
accident scenario and proceed to more re"ned or
detailed models stepwise. Individual sub-models
can be produced by independent analysts, working
344 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347

possibly in parallel, and subsequently made to "t
the overall abstract model. This locality principle of
Petri Nets can facilitate the co-operation of di!er-
ent analysts once they acquired some expertise with
the Petri Nets notation. Therefore, Petri Nets im-
pose higher training requirements than the FTA
and STEP techniques. On the other hand, Petri
Nets scored high in terms of the facilitation of
the accident analysis process and the development
of prevention measures. A thorough comparison of
the accident analysis techniques follows in the next
section.
6. Assessment of the accident analysis techniques
Although the previous sections have discussed
some of the pros and cons of the three accident
analysis techniques, a more thorough assessment is
undertaken here in terms of the three groups of
criteria speci"ed in Section 2. Table 2 summarises
the comparative assessment of the three techniques.
A three-point scale has been used to indicate the
degree of compliance to the assessment criteria.
6.1. Modelling sequential and temporal aspects
The representation of the sequence of events/
actions that leads to an accident scenario is one of
the most essential requirements of accident analysis
techniques. All three techniques appeared to sup-
port the description and analysis of the sequence of
events that contributed to the accident. However,
STEP provided a better overview and grouping of
the agents (i.e. equipment, automatics, people) in-
volved in the accident. The procedure for using
Petri Nets was also useful in grouping technical,
interface and human agents in ways that seemed to
be superior to the FTA.
Related to the description of the event sequence
is the representation of their dependencies and cas-
cade e!ects. Section 5.1 identi"ed some problems
with the semantics of the AND-gate in FTA which
may have di!erent meanings to those of traditional
fault trees. In addition, FTA did not appear to
capture cascade e!ects on other events and human
actions. This is an important limitation of FTA
because it may deprive analysts from useful in-
formation regarding the workload of operators and
the available set of information for making deci-
sions how to control the accident. Cause-conse-
quence diagrams can be a useful supplement to the
FTA. The other two techniques, however, scored
quite high in this respect.
Another limitation of FTA, discussed in Section
5.1, was the representation of real time. Although
FTA can be annotated with citations of real
time (see Love and Johnson, 1997), the problem
still remains with the representation of continu-
ous events that last for long time periods. STEP

Table 2
A comparative assessment of the three accident analysis techniques

Criteria Fault tree Step Petri Nets

Event sequence www w w w w w w

Event agents w w w w w w w
Event dependencies - cascade e!ects w w w w w w w
Modelling the timing and duration w w w w w w
Multiple levels of representation www w w w w w

Modelling assumptions www www www

Modelling inconsistencies w w ww
Cooperation facilitation www www ww

Event criticality www w ww w ww

Modelling error recovery paths w w w w ww
Modelling the context of work www w w w w
Preventive measures www w ww w ww
 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
analysis provides a better overview of real time but
requires additional visual notation to represent the
concurrency of events. This is precisely where the
value of Petri Nets lies. Petri Nets can represent
concurrency in a better way especially when
colour-coding is used in commercially available
software tools.
Finally, all three methods were very useful in
representing the accident scenario at various levels
of abstraction. Although Petri Nets are capable of
using multiple levels of representation, this facility
requires extensive expertise especially in cases
where the sub-models have complex structures and
interactions. For this reason, they were rated a bit
lower than the other two techniques.
6.2. Aspects of the accident analysis process
The accident analysis is a dynamic process re-
quiring that certain assumptions are made as evid-
ence becomes available incrementally. Accident
analysis techniques should enable analysts to easily
identify earlier assumptions and modify them as
con"dence is increased in certain facts. Although
this aspect of analysis has not been captured in the
previous "gures, it is very important that it is
equally addressed in the assessment criteria. In
most cases, a sort of OR-gate in all techniques
could be used to imply that certain events are
assumed to be plausible at a particular stage in
the analysis; as more evidence becomes available,
the number of OR-gates will be reduced. It is also
possible that additional notation can be imported
from other techniques (i.e. MORT, Johnson, 1980)
which utilise dotted lines for assumed events or
actions and, subsequently, turn them into solid
lines as more evidence is available.
Another aspect of the accident analysis process
is that some evidence may be contradictory; wit-
nesses sometimes o!er contradictory accounts of
what happened in the course of the accident. Al-
though it is possible to develop di!erent graphs for
di!erent accounts, it would be desirable to emerge
them into a single graph; this would make easier the
resolution of inconsistencies. With respect to this
aspect of modelling, the three techniques appeared
to be rather weak. There is a need to use special
notation for inconsistent accounts within the
345
same graph. Johnson (1998), for instance, uses
a special notation within Petri Nets for represent-
ing inconsistencies. Petri Nets are also useful in
resolving inconsistencies when access is provided
to special software tools. For this reason, Petri
Nets were given a higher score than the other
techniques.
The "nal criterion in the conduct of accident
analysis refers to the extent that the techniques
facilitate the co-operation between di!erent ana-
lysts. This criterion re#ects how user-friendly
a technique can become. FTA and STEP seemed
to be very comprehensible due to the simple and
familiar graphical symbols used. On the other
hand, Petri Nets appeared to be less comprehen-
sible because of the technical notation and codes
used in their graphs; in addition, the bipartite graph
could result in more complicated diagrams.
6.3. Aspects of accident prevention
The ultimate aim of accident analysis is to identify
factors in the work context that caused the accident
and to develop prevention measures. These objec-
tives can be better achieved when an insight is of-
fered about the nature of critical events, the failures
of the technical and human agents that gave rise to
these events, and the error recovery paths that were
inhibited in the course of the accident.
All three techniques were useful in identifying the
critical events that led to the accident scenario. It is
conceivable that the use of special notation (i.e.
thick solid lines or colour-coded lines) could have
provided a better overview of the critical events.
Di!erences between the techniques were found,
however, with respect to the modelling of error
recovery paths. Although FTA can model failures
in detecting or recovering errors by utilising AND-
gates, the limitations in showing concurrency and
dependencies make FTA di$cult to use for model-
ling error recovery; in this respect, the other tech-
niques were superior. In particular, Petri Nets were
found very useful in modelling error recovery paths
and verifying their accuracy (see Fig. 6).
Since the modelling of error recovery could a!ect
the analysis of the context of work, it would be
anticipated that STEP and Petri Nets would score
higher than FTA. However, this limitation of FTA
346 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
was traded-o! by its capability to provide compre-
hensible overviews of the technical, interface and
human factors associated to critical events and
human errors (Johnson, 1999). This may explain
why techniques focusing on the analysis of the
context of work (i.e. MORT) have employed
notations similar to the fault trees. For this reason,
FTA was awarded a higher score than the other
techniques but the assessment may change in
other cases where error modelling reveals a great
deal of information about the context of work.
Finally, the techniques were compared in terms of
the support provided in developing prevention
measures. In general, all techniques were judged to
be very valuable for accident prevention. More
accurate judgments, however, should be made in
the context of speci"c accident scenarios since the
other criteria may in#uence the process of accident
prevention.
7. Concluding remarks
Accident investigation in safety-critical systems
is a demanding cognitive activity which requires
the integration of three types of analysis: (i) critical
events and technical failures that led to the acci-
dent, (ii) erroneous human actions that failed to
control or exacerbated the initial events, and
(iii) causes of failures and errors at both the work-
place and organisational levels. The complexity of
modern industrial systems has resulted in the devel-
opment of accident analysis techniques focusing on
specialised aspects of the analysis. Although it is
di$cult to "nd a single technique that would
integrate the di!erent types of analysis, accident
analysis techniques should provide appropriate
input to others investigating complementary as-
pects of the analysis. For instance, traditional sys-
tem engineering techniques should provide
appropriate input to human error analysis tech-
niques while both types of analysis should provide
input to techniques focusing on workplace and
organisational factors. To ful"l this requirement,
this article has proposed a taxonomy of new cri-
teria for the revision of system engineering tech-
niques in order to be applied successfully to
accident analysis. The proposed assessment criteria
are aimed not only at the investigation of the event
sequence but also at the facilitation of the accident
analysis process and the development of prevention
measures.
The assessment of the three accident analysis
techniques has shown that STEP and Petri Nets
appeared to be superior to FTA in analysing tem-
poral aspects of the accident sequence. FTA should
be supplemented with cause}consequence diagrams
in order to cope with event dependencies and
cascade e!ects. The STEP technique can also be
improved by incorporating special notation to
show graphically `imprecisea timing of events and
the in#uence of continuous events. Petri Nets
appeared to cope well with temporal aspects of the
accident scenario but their graphs can become
unwieldy for complex scenarios; improvements
should focus on providing capabilities for multiple
levels of representation.
With respect to the second set of criteria, the
three techniques were found useful in modelling
assumptions in the course of the analysis and in
facilitating co-operation. However, there is a lot of
scope for improvement in the area of modelling
inconsistent accounts of events o!ered by di!erent
witnesses. Although backSTEP and Petri Nets
were valuable in resolving inconsistencies, it would
be desirable to expand their notation so that incon-
sistencies are incorporated in their graphs. The
accident analysis process is a high workload activ-
ity requiring analysts to maintain a mental track of
the event interactions, their own assumptions, and
the witnesses' inconsistencies. Software packages
that provide simulation of events can be very valu-
able in the course of the analysis. In this sense, the
Petri Net software that was utilised was very useful
in keeping track of the event interactions and in
verifying the analysis. Finally, the three techniques
scored high in terms of their facilitation of the
accident prevention process. Petri Nets and STEP
were found superior to FTA for modelling error
recovery paths but FTA compensated by providing
better facilities for modelling the e!ects of work-
place and organisational factors. There is still
a great scope for improvement in modelling error
recovery paths as this topic has attracted a lot of
research attention in recent years (Rizzo et al., 1994;
Zapf et al., 1994; van der Schaaf, 1995).
 T. Kontogiannis et al. / International Journal of Industrial Ergonomics 25 (2000) 327}347
The assessment of the three accident analysis
techniques has revealed some scope for improve-
ment in the analysis of the temporal aspects of the
scenario, the accident analysis process and the de-
velopment of prevention measures. Further im-
provements would require the development of
more comprehensive models of error recovery and
organisational models of accident causation. These
models would set new requirements regarding the
types of information to be provided by accident
analysis techniques. Computer-supported tech-
niques would be in greater demand in future as the
needs for the analysis of technical and organisa-
tional systems would grow. Simulation of the acci-
dent sequence is a way forward for relieving the
workload of analysts in performing and verifying
their analysis.
References
Andrews, J.D., Moss, T.R., 1993. Reliability and Risk Assess-
ment. Longman, Harlow, UK.
Benner Jr., L., 1985. Rating accident models and investigation
methodologies. Journal of Safety Research 16, 105}126.
Embrey, D., Kontogiannis, T., Green, M., 1994. Guidelines
for Preventing Human Error in Process Safety. Center for
chemical process safety, American Institute for Chemical
Engineers, New York.
Ferry, T.S., 1988. Modern Accident Investigation and Analysis,
2nd Edition. Wiley, New York.
Hale, A.R., Glendon, A.I., 1987. Individual Behaviour in the
Control of Danger. Elsevier, Amsterdam.
Hendrick, K., Benner Jr., L., 1987. Investigating Accidents with
STEP. Marcel Dekker Inc., New York.
Hollnagel, E., 1998. Cognitive Reliability and Error Analysis
Methodology (CREAM). Elsevier Science, Kidlington, Oxford.
Johnson, C., 1998. Representing the impact of time on human
error and systems failure. Interacting with Computers 11 (3),
53}86.
Johnson, C., 1999. Visualizing the relationship between hu-
man error and organisational failure. Paper on Web site,
http://www.dcs.gla.ac.uk/&johnson/papers/fault } trees/
organisatinal}error.html.
Johnson, W.G., 1980. MORT: Safety Assurance Systems. Marcel
Dekker Inc., New York.
Kirwan, B., 1998. Human error identi"cation techniques for risk
assessment of high risk systems-PART 2: towards a frame-
work approach. Applied Ergonomics 29, 299}318.
347
Kontogiannis, T., 1996. Stress and operator decision making in
coping with emergencies. International Journal of Hu-
man}Computer Studies 45, 75}104.
Kontogiannis, T., 1997. A framework for the analysis of cogni-
tive reliability in complex systems: a recovery centred ap-
proach. Reliability Engineering and System Safety 58,
233}248.
Kontogiannis, T., 1999. User strategies in recovering from
errors in man machine systems. Safety Science 32,
49}68.
Leopoulos, V.N.I., 1984. Simulateur pour les Resaux de Petri
Temporises Research report 371, INRIA, France.
Leopoulos, V.N.I. and Tatsiopoulos, I.P., 1999. Hierarchial
integration of business modelling methodologies using
Petri Nets. Proceedings of the 5th International Conf-
erence of the Decision Sciences Institute, July 4}7, Athens,
Greece.
Love, L., Johnson, 1997. Accident fault trees. In: Thimbleby, H.,
O'Conaill, B., Thomas, P. (Eds.), People and Computers XII:
Proceedings of Human Computer Interaction'97. Springer,
Berlin; pp. 245}262.
Nielsen, D.S., 1974. Use of Cause-Consequence Charts in Practi-
cal Systems Analysis. Technical Report RISO-M-1743, Ros-
kilde, RISO National Laboratory, Denmark.
Proth, J., Vernadat, F., Harhalakis, G., Silva, M., Dicesare, F.,
1993. Practice of Petri Nets in Manufacturing. Chapman
& Hall, London.
Rasmussen, J., 1986. Information Processing and Human Ma-
chine Interaction: An Approach to Cognitive Engineering.
North-Holland, Amsterdam.
Reason, J.T., 1990. Human Error. Cambridge University Press,
Cambridge, UK.
Rizzo, A., Ferrante, D., Bagnara, S., 1994. Handling human
error. In: Hoc, J.M., Cacciabue, P.C., HollnageL, E.
(Eds.), Expertise and Technology: Cognition & Human
Computer Interaction. Lawrence Erlbaum Associates, NJ,
pp. 195}212.
Suokas, J. and Pyy, P., 1988. Evaluation of the Validity of Four
Hazard Identi"cation Methods with Event Descriptions.
Research report VTT 516, Technical Research Center of
Finland.
van der Schaaf, T.W., 1995. Human recovery of errors in man-
machine systems. Proceedings of the Sixth IFAC/IFIP/
IFORS/IEA Symposium on the Analysis, Design and Evalu-
ation of Man}Machine Systems, June 1995, Cambridge,
MA.
Vesely, W.E., Goldberg, F.F., Roberts, N.H., Haasl, D.F., 1981.
Fault Tree Handbook. US Nuclear Regulatory Commission,
Washington, DC.
Zapf, D., Maier, G.W., Rappensperger, G., Irmer, C., 1994. Error
detection, task characteristics, and some consequences for
software design. Applied Psychology: An International Re-
view 43, 499}520.