The technical genesis of machine failures leading to occupational accidents

~nter I~altonat/OUr !ld[ Oi

Industrial Ergonomics ELSEVIER

InternationalJournal of IndustrialErgonomics 19 (1997) 361-376

The technical genesis of machine failures leading to occupational accidents Tomas Backstr6m *, Marianne D6iSs National Institute for Working Life, S-171 84 Solna, Sweden

Received 22 January 1995; accepted 28 February 1996

Abstract This paper is concerned with machine failures that occur in automated installations that lead to occupational accidents. It is based on investigations of 76 cases of automation accidents. A conceptual apparatus has been developed which has the aim of describing the technical genesis of machine failures. Its extemal validity has been confirmed in large parts through its correspondence with concepts developed by other researchers. The apparatus has been applied to the automation accidents investigated. The factors, 'manifestation of fault', 'machine failure', and 'human intervention' have been utilized to describe 64 automation accidents involving machine failures. In nearly a third of the cases, the courses of events resulting in injury were similar: a work piece became stuck, or crookedly or incorrectly positioned; this led the machine to stop; the injury occurred while a person attempted to correct the position of the work piece. Four factors, 'origin of technical fault', 'history of fault', 'type of fault' and 'location of fault', have been employed in the investigation of 28 accidents, A majority of the technical faults were known to persons at the work site before the accident occurred, which suggests that opportunities are available for improving the handling of machine failures.

Relevance to industry The aspiration of the conceptual apparatus is to help industry: first to categorize machine failures accurately, to improve short-run remedy; second, to develop explanatory concepts, that will aid management of production problems. Further, advice is offered on measures aiming at reduction of accident risks at computer-controlled installations. Keywords: Accident;Automation;Failure; Fault; Industry; Safety

1. Introduction Machine failures can cause disturbances to production, material damage and accidents. This paper describes a study of machine failures that have had

* Corresponding author.

an impact on the process resulting in an automation accident, i.e. an accident where a person is injured by automated equipment. 1.1. Goals and purposes

The first goal of this paper is to describe a number of machine failures that have influenced automation accidents. Its second goal (which was

0169-8141/97/$17.00 © 1997 Elsevier Science B.V. All rights reserved. PII S01 69-8 141 (96)00017-0

362

T. BackstriSm, M. Dings/International Journal of Industrial Ergonomics 19 (1997) 361-376

conceived in the course of achieving the first) is to develop concepts for that part of the course of an accident event which is related to the equipment and to a machine failure. In the text book "Industrial accident prevention - A scientific approach" Heinrich (1931) divides the accident process in three phases: "First, the cause of the accident; second the accident; third, the injury." (op. cit. p. 39). This paper is concerned with the first phase in the Heinrich model, 'the cause of the accident'. The concepts developed are designed for use in further research and for promoting the development of automated production systems that offer greater personal safety. The type of generalization that can be made from the result is analytical generalization (Yin, 1989), i.e. the generalizable value of this paper lies in the concepts, not in the frequency distributions.

1.2. Machine failure A machine failure is something manifest, something that can be detected and recorded, e.g. by personnel in the vicinity of the equipment. The machine failure is a manifestation of a technological error, the word 'technological' being used in accordance with Pacey's definition as "the application of scientific and other knowledge to practical tasks by ordered systems that involve people and organizations, living things and machines" (Pacey, 1983). Technology includes a cultural, an organizational and a technical aspect; i.e. both technical faults and human errors can manifest themselves as machine failures. The data presented here are primarily technical by nature, and largely concern the technical factors that lie behind accident occurrence. Other factors that have interacted in the accident process are either not touched upon at all or only treated summarily. The development of a more complete model that takes into account other than technical factors is planned for the future. That the focus of this paper is on the technical part of the accident process certainly does not mean that other parts are less important. In the relevant literature, classifications are quite frequently presented of how large a proportion of accidents can be attributed to technical effects or human errors, respectively. The authors of these articles succumb to the temptation of seeking a

main cause underlying each accident, despite the consensus which now prevails in accident research that an accident is caused by interacting technical, human and organizational factors. The different phases of the technical side to machine failure can be presented using a three-universe model, which is an adaptation of the four-universe model originally developed by Avizienis (1982). The first universe is the component universe, which contains semi-conductor devices, mechanical elements, sensors, power supplies, and other physical entities that make up an installation. The second universe is the equipment universe, which contains information flow and movements of machine parts inside equipment (Avizienis divides this universe into the logical and the informational). The third is the user's unit;erse, which contains the behavior of equipment that is detectable from outside. Johnson (1989) divides the chain of undesired events into three factors: fault, error, and failure. An undesired event in the component universe is what Johnson calls a fault, "a physical defect, imperfection, or flaw that occurs within some hardware or software component" (Johnson, 1989). In this paper, such an event will be referred to as a technical fault, in order to distinguish it from faults concerned with cultural or organizational aspects of technology. The fault can be latent, or it can manifest itself as an undesired event in the equipment universe; Johnson calls this an error. In this paper, it will simply be called a manifestation of fault. When a manifestation of fault manifests itself in the user's universe, this will be called a machine failure (see Fig. 1). As an example we can imagine a part of a production system were a sensor is supposed to give a clear signal to the controlling computer when a work piece is in a specific spot, ready to be machined. When the computer receives the clear-signal it starts a machine motion to pick up the work piece and place in the machine. A chain of events leading to a machine failure starts with a fault in the component universe:

Universe:

Undesired event:

Component

Equipment

User's

universe

universe

universe

Fault

-> Manifestation of fault => Machine failure

Fig. 1. Concepts used for undesired events in three different universes.

T. Backstri3m, M. DtOs / International Journal of Industrial Ergonomics 19 (1997) 361-376

either a technical fault, e.g. the work piece is deformed, or a human error, e.g. a person handling work pieces placed one of them upside-down. This fault manifests itself in the equipment universe: the work piece gets incorrectly positioned and no clearsignal is given. At last a machine failure occurs in the user's universe: no pick-up motion is executed and after a while the machine stops. The manifestation of a technical fault can be permanent (caused by irreversible changes in components), transient (caused by external interference of a short duration, followed by reversion), or intermittent (caused by permanent component defects which require the presence of a rarely occurring combination of factors for their manifestation). It is posited that the factors, cause, duration, value and extent can be used to classify technical faults. (Avizienis, 1982).

1.3. Machine failures and accidents There are many studies of accidents in automated or mechanized production whose results suggest that the accident process is often influenced by some kind of machine failure. The handling of disturbances to production is a common occupational task being performed when accidents occur at both industrial robots and other automated installations (BackstriSm and Harms-Ringdahl, 1984; Burton, 1988; Carlsson et al., 1983; Coleman, 1983; DiSiSs and BackstriSm, 1993; D~5~Ss and BackstriSm, 1994; HS.kkinen, 1989; Jarvinen et al., 1991; Laflamme, 1993; OSHD, 1983; Vannas et al., 1993). This in itself is an indicator of the importance of machine failures. From a search of the literature, three articles were found that had a focus on the relation between machine failures and accidents in existing automated production installations. Some of the results reported in these articles are described here. Disturbances in flexible manufacturing systems (FMS) have been investigated (Kuivanen, 1990). Kuivanen reports that 74% of such disturbances were caused by technical factors, and the remainder by human error. Most machine failures were classified as caused by the control system, largely sensor problems. Electronic equipment accounted for the second largest group of failures, and system programs for the third. Kuivanen also studied the various conse-

363

quences of the disturbances. Half had a negative effect on safety, and accidents occurred in 1-2% of cases. Just over 80% of the disturbances had a negative impact on production. Material damage was sustained on more than every tenth occasion of disturbance. Kuivanen's study treated 145 production disturbances at a relatively newly installed FMS consisting of 20 units, grouped in three machine cells, and with automated materials-handling facilities. Reports on robot-related problems were analyzed (Sugimoto, 1985). Sugimoto states that the m a n robot system is very unstable. Just over half of the "causes for troubles related to the industrial robots" involved "failure of electrical system". In these cases, and using his terminology, it was usually 'poor contact' or 'control circuits' that turned out to be the 'main description of trouble'; and to a lesser extent 'wire breakage of cable', 'internal and external sensors' or 'noise'. The most common 'relationships between robot trouble and manipulator operation' were found to be 'unnatural operation' (31%), 'unexpected start of operation' (28%) and 'irrespective of operation' (17%). Sugimoto conducted a special investigation of 'unexpected start of operation', since this 'relationship' was assumed to increase the accident risk most considerably. The largest category of 'causes' of unexpected start was 'human error, etc.' (38% of cases), while 'failure of electrical system' was the second largest category (24%). Sugimoto analyzed reports of 300 robot-related problems from 190 Japanese factories with 4,341 industrial robots. Occupational-injury reports of automation accidents have also been analyzed (BackstriSm and Harms-Ringdahl, 1984). In 19% of cases a technical fault was referred to in the report. In two-thirds of cases the fault was electrical, in the others mechanical. Electrical faults were to be found, for example, in circuit breakers, control devices and measuring devices. This study treats a sample of 177 automation accidents from the national accident register in Sweden. With regard to how a machine failure affects personal safety, it is important to look at what triggers off malfunctioning and what opportunities there are to discover the problem in time. If the machine failure consists in a hazardous machine movement,

364

T. Backstrgm, M. Dri4s/ lnternational Journal of Industrial Ergonomics 19 (1997) 361-376

and if it is triggered off by human activity in the risk zone, this is usually more dangerous than when the trigger mechanism is independent of human activity. If there is an opportunity to discover a manifestation of fault before any machine failure occurs, and if there are means to counteract the manifestation before it gets active in the user's universe, it will have a lesser effect on personal safety than when the machine failure arises wholly unexpectedly (Backstr~Sm and Harms-Ringdahl, 1986). This line of thinking is related to the systematic approach to accident prevention adopted by deviation theorists (Harms-Ringdahl, 1993; Kjell~n, 1983; Kjell~n, 1984).

2. Definitions A machine is an assembly of linked parts or components, at least one of which moves, which are joined together for a specific application, in particular for the processing, treating, moving or packing of material. In this paper automated equipment refers to a machine (or a part of a machine or a number of machines joined together) which, without the direct intervention of a human being, can initiate a machine movement or change its direction, or alter operating function. Thus, it requires some kind of sensor device (involving position sensors, microswitches, etc.) or some form of sequential control (e.g. a computer program). It is not sufficient that the equipment is capable of stopping by itself (e.g. as a result of an over-heating cut-out). Automated equipment that is occasionally manually controlled is also encompassed by the definition. An accident is defined as a process ending with an unintended sequence of events, where the final event occurs suddenly and results in an injury to a human being. By an automation accident is meant an accident where automated equipment has controlled (or should have controlled) a harmful energy. Stating that the equipment has controlled (or should have controlled) the harmful energy, usually means that the energy which injured the person has come from the machine itself. For example, the injury has resulted from the force of a machine movement.

A technical fault is defined as "a physical detect, imperfection, or flaw that occurs within some hardware or software component" (Johnson, 1989). The fault may arise from a short-circuit, or may be because the component is defective, worn or incorrectly mounted. It occurs in the component universe, comprising the physical entities that make up the equipment. By manifestation o f fault is meant an error or a deviation from accuracy or correctness that occurs in the equipment universe. It is the manifestation at machine level of a fault on component level, and it is not discovered by an ordinary user. As manifestations of a fault are not counted installations or changes to equipment where an intended effect has been achieved, e.g. the deliberate removal of a safety device. A machine failure is the non-performance of a machine action that should have been performed, or the performance of a machine action that should not have been performed. It occurs in the user's universe and is something that can be detected and recorded, e.g. by personnel in the vicinity of the equipment. Machine failures can cause disturbances to production, material damage and accidents, giving rise to personal injury.

3. Materials and methods The first goal of the paper is descriptive by nature. The second goal consists in an analytic generalization from the cases investigated. No statistical generalizations are made; the paper does not contain any inference concerning another population made on the basis of empirical data collected from the cases selected. For the distinction between statistical and analytical generalizations, see (Yin, 1989). The selection of cases was designed to achieve maximum breadth, with regard, for example, to kind of operation, and type and age of equipment. The selection was to be a collection of examples of automation accidents sufficiently large and heterogeneous to encompass at least one example of a majority of the factors affecting an accident. On the other hand, it was not important to obtain a sample that was representative of any larger population.

T. Backstrtm, M. DOts / International Journal of lndustrial Ergonomics 19 (1997) 361-376

Automation accidents are relatively rare events. A reasonable procedure for enabling special investigations to be conducted on a sufficiently large selection was to pick out a number of work sites, and then include all the automation accidents at the companies concerned in the study. Thus, at 21 work sites in Swedish manufacturing industry persons, appointed by the companies involved, were assigned the task of investigating all automation accidents on their site over a two year period (June 1988-May 1990). The investigators detected and investigated 76 automation accidents in total. The investigations were conducted using a specially developed survey instrument (see section 3.2). The investigators, most of whom were safety engineers, were given a couple of hours training. The training consisted of an explanation of the concepts automated equipment and automation accident by looking at local examples of such ones and an introduction to the investigation instrument by the researchers and the investigator together doing a simulated investigation of one of the past automation accidents at the work site. The strategy of preventing accidents through targeted and comprehensive accident investigations has been evaluated previously. Further information on the investigators' work and the perceived benefits of their investigations has been published in DiS~Sset al., 1994. 3. I. The work sites covered by the study The selection of work sites for the study was made with the help of representatives of employer and employee organizations and was based on two

criteria: the company should have a high degree of production automation and also possess an in-house occupational health services unit that included a safety engineer. These criteria were regarded as important in two respects: first, there had to be a motive for participation; second, sufficient resources had to be available to implement the tasks that the research project demanded. At some of the larger work sites only certain departments were included. These were selected in consultation between the researchers and the contact person at the company. The criterion for selection was that departments with a high degree of automation should be included. The focus is on engineering industry, which we regarded as being in the front-line in Sweden with regard to technical production development and installation safety. In order to also having access to examples of accidents from many dissimilar forms of activities, the work sites were chosen from the following industrial sectors: engineering industry (10 sites, of which 5 from the car industry); steel and metal (2 sites); wooden-products industry (2), chemicals industry (2); food industry (3); sawmill (1); and porcelain manufacturing (1). The sizes of the workforces at the participating work sites ranged from 75 to around 6,500. The number of employees in selected departments per work site varied from 40 to around 3,000. At six work sites, no automation accidents to investigate were discovered during the period (see Table 1). Some of the work sites were exclusively involved with long production runs, i.e. the series production of a large number of parts of the same product type. Others were involved solely with short-series production, i.e. the manufacturing of a small number of

Table 1 Numbers of participating work sites monitored, and numbers that investigated automation accidents over the two-year period by sector Sector Car and truck industry Engineering industry, other than above Steel and metal Wooden-products industry Chemicals industry Food industry Saw mill Porcelain manufacturing Total

365

No. of participating work sites

Of which No. that investigated accidents

5 5 2 2 2 3 1 1

5 4 1 2 1 2 0 0

21

15

366

T. Backstri~m, M. D66s / lnternational Journal of Industrial Ergonomics 19 (1997) 361-376

products of a certain kind, followed by a small number of parts of a different product type, etc. Further, individual-piece production took place at some of the departments included in the study, i.e. a change in product type after the manufacture of each part. Some work sites operated forms of 'mixed production', with manufacturing series of different lengths. In the departments examined within the confines of the project there were over 1,000 automated installations for machining of different kinds, and around 200 each for deforming, joining and cleaning. The bulk of materials conveying and handling in the course of production was performed by automated equipment. In addition, there was a smaller number of automated machines for surface treatment, packeting and testing. During 1989, 14,732 employees (all covered by collective agreement) worked within the selected departments, and 1,033 accidents were reported. Three-quarters of the persons covered by the study worked on vehicle-manufacturing sites, and roughly the same proportion of automation accidents occurred on these sites (BackstriSm and D~55s, submitted).

3.2. Description of the study material For this study many different sources of information have been utilized for each accident. All accidents have been investigated using a structured form with fixed response alternatives (the investigation chart, see below), and at least one open, unstructured description of each accident has been obtained. The descriptions were prepared by a variety of persons. In 83% of cases there is a short description (of around 40 words) written by a job supervisor, a safety representative, the injured person, or some other person concerned. In 60% of cases there is a longer text (of around 1 page) prepared by one of the investigators. In certain cases there are also longer freely written texts, obtained from the injured person, officers of the Labour Inspectorate, or others. In addition, in 70% of cases there are photographs of the place of injury (typically 3 photographs per accident). In just under half the cases drawings are available of the workplace, the machine, or parts of the machine. The investigation chart, containing 150 questions

in five sections, was filled in by the investigator. For the first three sections ( " T h e where and when of the accident", "Important explanatory factors", and "Situational factors"), most responses were obtained by means of the investigator conducting a structured interview with the injured person. For Section 4, "Influencing factors", use was made of the investigator's own knowledge and experience. Almost all the questions in the first four sections were fixed-response items. In the 5th and final section, "Actions", the investigator answered openended questions concerning what measures should be taken in the light of the accident (DSiSs and BackstriSm, 1990; DSiSs et al., 1994). The data from the investigation chart which were used for the factors describing technical faults come from a part of section "Important explanatory factors", where questions were posed concerning whether there was anything deviant about the way in which the equipment performed immediately before or on the occasion of accident (technical malfunctions, incorrect settings or aberrant operations). These questions specifically prompted a " y e s " or " n o " response. A " y e s " response triggered six follow-up questions: "What sort of fault was involved?", "Where was the fault located?", "What were the functional implications of the fault?", "How did the fault arise?", "Had the fault been noticed previously?", and "How often had the injured person been involved in machine deviations in general, with this and similar equipment?". These questions had fixed response alternatives. The alternatives that have been used are presented as categories in Section 4.3.1.

3.3. Method for developing the conceptual apparatus Four of the questions in the investigation chart comprise the first part of our conceptual apparatus: "What sort of fault was involved?" generated the denotation Type of technical fault, "Where was the fault located?" Location of fault, "How did the fault arise?" Origin of fault, and "Had the fault been noticed previously?" History of fault. These concepts were developed in three stages in the course of the development of the investigation chart. First, a number of loosely structured investigations of au-

T. Backstr6m, M. Di~rs/ International Journal of lndustrial Ergonomics 19 (1997) 361-376

tomation accidents were conducted. The results of these and experiences from earlier studies (in particular BackstriSm and Harms-Ringdahl, 1986) provided a basis for selecting questions for a structured form with questions that prompted open responses. The provisional instrument obtained was then employed in the investigation of ten automation accidents. In the light of these investigations, a structured form with fixed response alternatives was then designed. This was tested by the investigators at the companies which were to be included in the current study. The companies tried out the form on an accident that had occurred on their premises, and were given an opportunity to make suggestions for changes. Thereafter, a decision was made on the final design of the instrument (DiSiSs and BackstriSm, 1990). In order to describe possible technical faults, the responses of the investigators to the above-mentioned questions on the structured investigation chart were employed. In the case of these data, simple frequency distributions have been computed. For the last part of our conceptual apparatus a secondary analysis of the full investigation material was conducted. The intention of the analysis was to determine the proportion of accidents that were affected by machine failures and to find concepts capable of describing the course of accident events in relation to machine failures. The point of departure for this work was to establish whether any machine failure had influenced the course of events, and thereafter to employ chain analysis to construct event chains for each individual accident. The chains obtained were then employed to categorize the machine failures in question. By 'employing chain analysis' it is meant that the accidents are analyzed as chains of mutually interacting events, a kind of analysis in part inspired by Benner's P-theory (Benner, 1975). On the basis of these chains of events, various proposals for factors and their categories were generated. These were tested in an iterative process until our goals in constructing the model were regarded as having been achieved to the greatest extent possible. These goals were as follows: to include as much information as possible on the machine failures uncovered by the investigations, to cover factors that would describe a chain of events, and to develop concepts that would encompass all the kinds of

367

accidents to be found in the material, and yet be unambiguous and mutually exclusive. The concepts developed form three factors in the chain of events: Manifestation of fault, Machine failure and Human intervention, plus one further factor outside the event chain, namely Initiation of machine movement. Judgment is required for the coding of machine failures; accordingly, the categories of the factors for individual accidents were determined by the researchers separately, on the basis of the entire material. The two researchers each coded the accidents on these factors, quite independently of each other. Cases where there was a divergence of opinion have been compared and re-coded jointly. If more than one machine failure was uncovered for any one accident, the categorization applies to the problem that manifested itself closest to the injury in time. In such cases, taking account of further machine failures would have meant that the chain of events became more complicated. The chain would have had branches or loops, with the same factor appearing several times in the description.

4. Results The presentation of the result is divided into three sections, describing the following: (1) the proportion of the selected automation accidents in which machine failures were involved; (2) a conceptual apparatus which can be employed for analyzing that part of the course of an accident event which is related to the equipment and to a machine failure; (3) the application of this conceptual apparatus to the automation accidents covered by the study. 4.1. The proportion of automation accidents in which machine failures were involved

The study material shows that some kind of machine failure affected the accident process in 64 of the 76 automation accidents, i.e. in 84% of cases. As well as the machine failures themselves, deficiencies in equipment design were detectable in at least 5% more of the investigated accidents. The high proportion of technical problems does not mean, of course,

T. BackstriSm,M. DriSs/ International Journal of Industrial Ergonomics 19 (1997) 361-376

368

Table 2 Manifestations of faults in automation accidents Manifestation

Percentage share (n = 64)

Work piece/part became stuck, or crookedly or incorrectly positioned Work piece/part came loose or was not held properly in position Machine part became stuck, jammed or caught in some other way Signal failure Machine movement despite stop, or despite manual control without any human being touching an operating device Other ways in which the fault manifested itself (machine movement due to return energy, leakage, etc.) Unknown how the fault manifested itself Total

36 3 16 14 9 8 14 100

that there were no organizational defects or h u m a n errors i n v o l v e d in the accident chain.

4.2. Conceptual apparatus f o r analyzing the course o f et~ents surrounding a machine failure The conceptual apparatus developed consists of factors and their categories. The factors form the structure for a chain of events (see Fig. 2). The chain

Origin of fault

I

Installation Maintenance work Wear

]

New fault Old fault, not discovered Discovered fault

I

+ History of fault

Type of fault

Faulty component Worn component Faulty connection

Location of fault

Sensor Valve Fixture i

Manifestation of fault I Part coming into crooked position Stuck machine part Machine movement despite "Stop" Machine failure [ ]

Machine stopped Deviant machine movement Potential production problem i

Human intervention I Get production going Adjusting/reparing No intervention Injury Fig. 2. Chain of factors describing the process from the emergence of a technical fault through to how it is handled, with examples of the categories of each factor.

does not describe the entire course of the accident, but only that part of it which is related to the e q u i p m e n t and to a m a c h i n e failure. Moreover, not only technical faults can give rise to m a c h i n e failures but also h u m a n errors (such as erroneous machine setting). In this paper, however, we have confined ourselves to the technical side. Fig. 2 shows examples of the various categories s u b s u m e d under the factors. All categories of each factor are listed in the text in Section 4.3.1, respectively displayed in Tables 2 - 4 . The chain starts with four factors that describe the technical fault: ' O r i g i n of fault', which describes the occasion on which the fault arose or factors which affected its c o m i n g into being; 'History of fault', which describes any previous actions taken in relation to the fault; ' T y p e of fault', which specifies the m a n n e r in which the part of the e q u i p m e n t did not function as it should have done; and ' L o c a t i o n of fault', which specifies the part of the e q u i p m e n t in which the fault was to be found. F o l l o w i n g the description of the technical fault, there are two further factors c o n c e r n e d with the

Table 3 Machine failures affecting automation accidents Machine failure

Percentage share (n = 64)

Machine stopped Deviant or unexpected machine movement Potential production problem Total

55 20 25 100

369

72 Backstri~m, M. Dg6s / International Journal of Industrial Ergonomics 19 (1997) 361-376

technical part of the chain of events: 'Manifestation of fault', which describes how an underlying fault, such as a technical fault, expresses itself as a disturbance to the functioning of a machine component (Table 2); 'Machine failure', which describes the consequence of the manifestation of fault for the functioning of a larger part of the equipment (Table 3). Normally, it is through a machine failure that personnel discovers that there is a problem with the equipment's functioning. When they turn their attention to the equipment they uncover the manifestation of fault, and then direct their intervention towards it. The final factor in the chain, 'Human intervention', describes the activity (if any) to which the classified machine failure gave rise, and which was performed on the occasion of injury (Table 4). In the cases of the machine failures described in this paper, such an intervention is followed by a person sustaining an injury. It is envisaged, however, that the conceptual apparatus might be employed for all kinds of machine failures, whatever their consequence, which is why it will not always include an injury event. In cases where the machine failure was a deviant or unexpected machine movement, the factor 'Connection between intervention and machine movement' describes the relationship between human intervention and the initiation of that machine movement. For other machine failures, this factor is less important, and factor categories have not been presented for just this reason.

4.3. Application of conceptual apparatus One purpose of this presentation is to show all the categories of each factor. Another purpose is to draw attention to events which have had a decisive influence on the selected automation accidents.

4.3.1. Technical faults in automation accidents In 28 of the 64 automation accidents involving machine failures the investigator reported that the equipment performed deviantly because it was faulty. At this point, a subordinated section of the questionnaire was employed further to investigate the technical fault. Responses to these questions are presented here. All technical faults did not provide reason to classify the equipment as performing deviantly (see above). There were, for example, faults that had led to recurring disturbances to the materials flow, which the investigator usually did not regard as aberrant performance on the part of the equipment. For the factor 'Origin of fault' the following categories were used by the investigator: the fault had been present the whole time, from installation; arose during maintenance work; emergence affected by the equipment's settings; arose through impact of the environment (e.g. electromagnetic interference); arose through normal wear; unknown. In just under half of the cases it was unknown for the investigator how or when the fault first arose. Implications of this are developed in Section 5. The technical fault may previously have been latent (not affected machine functioning) or intermittent (affected functioning now and again). When a fault is described in this paper, it is always a manifest fault, i.e. one that affected functioning in a noticeable way on the occasion of the accident in question. For the factor 'History of fault' the following categories were used: the fault had not appeared previously; the fault had/could have been present without being discovered; the fault had been present and discovered; intermittent fault. In just over half of the cases the fault had previously been known to be present. At different phases of the handling of ma-

Table 4 Different kinds of immediate human intervention prompted by machine failure in automation accidents affected by machine failures Human intervention Getting production going (e.g. correcting position of product, freeing jammed machine part) Adjusting, mending, repairing Other intervention prompted by the machine failure (e.g. searching by hand, showing, checking) No intervention prompted by the analyzed machine failure (e.g. supervising, occupied with different failure) Total

Percentage share (n = 64) 53 14 11 22 100

370

T. BackstrOm, M. DiSiSs/ International Journal of Industrial Ergonomics 19 (1997) 361-376

chine failures, deficiencies had been found which had led to an accident occurring before the fault was remedied. In two cases, the fault had not even been reported by the operator to others in the organization and, in two further cases, the fault had been repaired but not sufficiently well to prevent its re-occurrence. In another eleven cases supervisors allowed production to continue despite being aware of the fault. Usually, attempts had been made to remedy it, but these had not fully succeeded. For the factor 'Type of fault' the following categories were used: faulty component; faulty connection; computer-program error; electromagnetic interference; jamming component and worn component. Jamming and worn components created problems in ten of the 28 accident events. Faulty components did so in six cases. For the factor 'Location of fault' the following categories were used: sensor; software; valve; other part of the control system; machining tool; holding fixture (jig); other mechanical device; parts of the safety system. In just under half of the cases it was the equipment's control system that did not function as it should have. This might, for example, have been due to problems with sensors, but also resulted, for example, from faulty components, software error, electromagnetic interference or a faulty connection. In a slightly fewer number of cases the problem was with various mechanical components, such as holding fixtures (jigs) that had jammed. A quarter of the items of equipment that were involved in automation accidents had been relatively newly installed, being less than two years old. More than a third were over ten years old. In the case of installations less than two years old faults of the control system predominate (6 out of 7 accidents). Equipment over ten years old showed relatively fewer faults of the control system (4 out of 11).

4.3.2. Manifestation of faults and machine failures in automation accidents For 64 of the 76 automation accidents a machine failure had been specified in the investigation report. The most common way in which an error manifested itself was as a disturbance to the materials flow in the form of a work piece becoming stuck or getting into a crooked position (see Table 2). Another relatively common way for the error to manifest itself

was for a machine part to become stuck, jammed or get caught in some way, or that the machine stopped for another or unknown reason. The group of signal failures contains, among other things, cases of sensor impulses which failed to take place, with the result that the machine stopped in the wrong position. Nine percent of the technical faults manifested themselves through the appearance of machine movements despite the automated machinery being stopped, or, after having been set to manual operation, without any human being touching an operating device. Manifestations of fault appeared as machine failures. In over half of the cases the machine stopped (see Table 3). Sometimes the problem led to deviant machine movements, either movements despite the fact that the machine had been stopped, or a movement that took place at the wrong phase in the machine cycle. In a quarter of cases the problem led the operator to judge that a production problem would soon arise, prompting intervention on his part to prevent this.

4.3.3. Human intervention prompted by the problem Detection of the machine failure usually prompted human intervention. Half of the accidents occurred when the injured person remedied some kind of acute problem in order to get production functioning normally again (see Table 4). The intervention generally consisted in removing, correcting the position of, or freeing a product or machine part that had become stuck or crookedly positioned. In 14% of cases the person was occupied with making adjustments, mending or repairing in relation to the technical fault. Other interventions related to the fault (e.g. searching for it by hand, showing it to someone else, or checking it) were being made in 11% of cases. In a further 22% of cases the problem did not give rise to any intervention; the person was occupied with something else but was still injured directly by its manifestation, such as by a deviant machine movement. 4.3.4. Connection between human intervention and machine movement In the 13 cases where the machine failure was a 'Deviant or unexpected machine movement' it is interesting to investigate the link between the injured person's intervention and the triggering of the machine movement. In six cases the aberrant machine

1". Backstr6m, M. D66s / lnternational Journal of Industrial Ergonomics 19 (1997) 361-376

just a coincidence that the person happened to be precisely where the unexpected machine movement was located.

movement was initiated by the injured person's intervention, often through activation of a sensor. In five cases some external cause made the intervention and the machine movement occur simultaneously and in the same place, i.e. the production sequence was such that the person's task in the risk zone had to be performed at the time that the deviant machine movement was about to occur. In two cases it was n Manifestationof fault

n

4.3.5. Chains of events typical of machine failures Fig. 3 shows the final part of the chain of events involved in automation accidents (as defined by the conceptual apparatus), namely the factors, 'Manife-

Machinefailure

n

23 Work piece stuck, ~ Stop - ~ = : or crookedly or in- 3 L - { ~ Potential prod.probl. correctly positioned Machine movement

Human intervention Get production going

~

Other intervention No intervention

Stop 10 Machine part stuck, , / ~ _ jammed or caught

Get production going

Potential p r o d ~ p r o ~ Machine movement

Stop 9 Signal error

~

~ 4 ' ~ - - ~ ~

Machine movement

9 manifestedUnkn°wn hoWitselffault

Get production going

Potential prod.probL ~

Other intervention ~

No intervention

Stop

Get production going

Potentialprod.probl.

Other intervention

Stop ~

Other intervention

~

Machine movement - -

7 Other

Get production going

@ ~- No intervention

Machine movement

6 Machine movement despite"Stop" ~

Other intervention No intervention

~

Potentialprod.probl.

~Stop

371

(~

3 ~

No intervention

Get production going

Potential prod.probl. ~

Other intervention

Machine movement

No intervention

Fig. 3, 'Machine failure' and 'Human intervention' for different kinds of 'Manifestation of fault' (n = 64). The numbers refer to the number of accidents in each group.

372

T. Backstrrm, M. Drgs / lnternational Journal of Industrial Ergonomics 19 (1997)361-376

station of fault', 'Machine failure' and 'Human intervention'. In order to simplify the figure, the categories 'Adjusting, repairing, etc.' and 'Other intervention prompted by the problem' have been merged in the case of the factor 'Human intervention'. These two factor categories had similar distributions as functions of the two other factors in the figure. In the cases of four of the different kinds of fault manifestations it was possible to identify the following chains of events that were the most common. When a work piece became stuck, or crookedly or incorrectly positioned (23 cases = 36%, as shown in Table 2), the machine stopped, and the injury was sustained in remedying the problem. In general, this type of problem gave rise to two similar kinds of events: in order to get production going the piece was unjammed or its position corrected, whereupon the machine received a signal to start, giving rise to the machine movement that caused the injury, or there was insufficient time (for one reason or another) to unjam or correct the position of the piece before the person was injured by a machine movement that came more quickly and was more powerful than expected. The examples below are of both kinds: A cylinder head got into a crooked position in its jig. Its position was corrected. Correcting position triggered a sensor prompting a movement of the locating plate that trapped the person's finger. Inner packing material had become stuck in the packeting machine. The operator was about to remove it but his hand was trapped by the sudden backwards movement of a piston. Signal failure (9 cases) often led to machine stop, and the person was then injured in the course of intervening to restart production. Someone activates the sensor, the start signal is given, and machine movement and injury are a fact. In two cases the signal failure gave rise to a deviant or unexpected machine movement without the person having intervened as a result of the fault itself. An example of the former, more common kind: The conveying vehicle stopped in the wrong place. Climbed up to activate the sensor. On activation the vehicle moved backwards, trapping the operator's wrist between vehicle and conveyor track. When it was unknown how the fault had manifested itself (9 cases) the injury was frequently in-

curred in the course of working with a fault that had manifested itself further back in time, i.e. work that fell into the category 'Other intervention (e.g. adjusting, repairing, showing or checking)'. Machine setter and operator had made adjustments to correct a fault. The setter started the loading portal despite the fact that the operator was still in the risk zone. The portal struck the operator in the back. ('Unknown' with regard to which type of fault the adjustment concerned.) In cases where the machine failure was a 'machine movement despite stop' (6 cases) the injured person was, in a sense that sounds rather trivial, engaged on a different task than that of intervening in relation to that failure. Was about to adjust the turntable. The robot received a start signal (despite the safety gate being open), leading to a blow on the ear and ribs. The gear housing got into a crooked position. Closed down the hydraulics and took hold of the housing. A valve failure released a fixing cylinder, trapping the hand. For the other two types of manifestation of fault, shown in Fig. 3, the manifestation has not been followed by any typical chain of event; rather, the picture is more diffuse. The guided machine part got stuck. Tapped it free. When it came loose the hammer got caught and hit a finger. (An example of 'Machine part stuck, jammed or caught'.) Discovered incorrectly directed flushing tube. Stretched hand in to correct the direction when the unit was in the rear position. Arm was trapped when the unit moved forwards. (An example of 'Other ways in which the fault manifested itself'.) In the material we have analyzed, the machine failure 'Stop' has usually been followed by 'Get production going', the machine failure 'Potential production problem' by 'Adjusting, repairing, etc.', and the machine failure 'Deviant or unexpected machine movement' by 'No intervention' as a result of the problem (see Fig. 3). 5. Discussion and conclusions

In the case of the collection of automation accidents studied here, it is evident that machine failures play a significant role. The view that machine fail-

T. BackstrOm, M. D56s / lnternational Journal of Industrial Ergonomics 19 (1997) 361-376

ures giving rise to accident risks arise in automated production installations is supported by both Sugimoto (1985) and Kuivanen (1990). Machine failures have several different undesired effects. Kuivanen's focus, for example, is on disturbances to production and material damage, both of which are quite common, as well as on occupational accidents. Consequently, a company's ability to handle machine failures is important for several reasons. This suggests the need not solely for technical measures, but also for substantial changes with regard to all aspects of a technology, including culture and organization. The conceptual apparatus for machine failures described here is based on concepts in the works of Kuivanen, Sugimoto, and Backstri~m and HarmsRingdahl (1984), referred to earlier. The concepts, as they have been developed, can be regarded as a means of drawing attention to the multiplicity of factors of which account should be taken in investigations of automation accidents. It is argued that analyzing accidents does not involve solely the analysis of single or multiple factors but requires the construction of chains. As mentioned in the Section 1, however, this paper is concerned with just one set of factors, namely the technical; the other kinds of factors and chains of events that interact in accident processes are not treated here. The authors were not aware of the concepts employed by Johnson (for undesired events) or by Avizienis (for classifying faults) prior to developing the conceptual apparatus presented here. Despite this, there are strong affinities between their concepts and ours: Cause = Origin of fault, Duration -- History of fault, Value = Type of fault, Extent = Location of fault, Fault = Technical fault, Error -- Manifestation of fault, and Failure = Machine failure. That the apparatus developed here largely corresponds with those of previous research reinforces the external validity of all three models. Johnson's and Avizienis's models do not focus on accidents, while ours should be applicable not only to accidents but also to the description of machine failures in general. Accordingly, this paper should also make a contribution to the study of machine failures not directly aimed at increasing personal safety. Naturally, however, there are machine failures that the conceptual apparatus, at its current stage of development, is not capable of analyzing.

373

Within the conceptual apparatus, four factors are used to describe technical faults: Origin of fault, History of fault, Type of technical fault, and Location of fault. These factors have not been further developed following the data collection that the paper is founded upon in other respects. This means that certain defects with regard to these factors are detectable. The factor Origin of fault seems to have been one of the hardest to investigate; in almost half of the cases, the investigator's response to the question in the schedule was "Unknown". But this can, of course, be due to poor formulation of either the question or the response options. The categories of this factor are mixed, describing either when the fault occurred or why it occurred. Moreover, the category Intermittent fault in the factor History of fault is not logically consistent with other categories within its factor; it describes a kind of fault, not previous actions taken in relation to a fault. Some of the other categories of this factor are not unambiguous and mutually exclusive. In other words, there are opportunities for further developing the model into one that would be more complete. One of our goals, in the ongoing analysis of automation accidents, is to proceed with further model development.

5.1. Use of the quantitative results A striving of the study has been to cover as wide a spectrum as possible of the machine failures that give rise to accidents. For this reason, different kinds of equipment, in different phases of development and from dissimilar production systems, in manufacturing industry have been deliberately included. Our data cannot be used to make statistical generalizations. If the conceptual apparatus is to be employed for such purposes, other sampling methods have to be applied, such as those used in the articles referred to (Backstr~m and Harms-Ringdahl, 1984; Kuivanen, 1990; Sugimoto, 1985). The quantitative results in this paper should be regarded simply as descriptions of examples of machine failures that have affected automation accidents. In accident investigations carried out in the workplace, possible machine failures are frequently incompletely examined. This applies also to our generally more in-depth material; despite the fact that the

374

T. Backstrgm, M. Dgi~s/ lnternational Journal of Industrial Ergonomics 19 (1997) 361-376

accidents were investigated extra carefully, there was no special focus on technical aspects per se. It would have been of benefit for the study if more data on each particular machine failure had been obtained. The investigation of machine failures, however, formed just one part of a comprehensive accident-investigation project, and the coverage of the instrument utilized was inevitably restricted as a result. Nevertheless, the range of the instrument was extremely wide, and each investigation took up a considerable amount of the time of the safety engineers who applied it. In some cases, moreover, it proved so difficult to further specify the problem that the investigator had neither the skills nor the tools to cope with such a task. In investigations of events that have already occurred there are always sources of error. There are many reasons for this. One is that the gatherer of information may inadvertently provide faulty data, e.g. as a result of post-hoc rationalizations. The reporting of machine failures, however, would not be expected to be a particular sensitive task, which is why sources of error resulting from the deliberate withholding of information (because such information might place the informant in a bad light) should not be considerable. On the other hand, reporting of the way in which a machine failure was handled, i.e. what kind of intervention took place, may be sensitive by nature. 5.2. Comparison o f our cases with earlier results

Despite the fact that no claim is made that our collection of examples of automation accidents is representative of any wider population, it may still be of interest to compare our findings with those of the three studies referred to in the Section 1 (BackstrSm and Harms-Ringdahl, 1984; Kuivanen, 1990; Sugimoto, 1985). Terminology varies, both between this paper and the others, and also between these three. This makes comparisons difficult to make. Kuivanen's factors, in our terms, correspond best to 'Location of fault' and 'Origin of fault'; Sugimoto's to 'Location of fault', 'Type of fault' and 'Machine failure'; BackstrSm's and Harms-Ringdahl's solely to 'Location of fault'. Thus, both Kuivanen, and BackstrSm and HarmsRingdahl have studied the beginning of the chain of

the events, as developed conceptually in this paper, while Sugimoto has investigated the middle of the chain. None of the articles referred to has analyzed the entire chain of events from the first appearance of a fault through to human intervention. There are also important differences between the objects of study addressed in the different papers. The technical faults in our study all affected an accident process, which was not the case in two of the other three studies. Kuivanen states that an accident occurred in 1-2% of the cases of technical problems he investigated. It is precisely this problem arena (Kuivanen's 1-2%t) that defines the area covered by our material. Further, a quarter of the installations in our study were over ten years old. In the case of Kuivanen's investigation the system had been relatively newly installed. Sugimoto's article was only concerned with problems with industrial robots, while Kuivanen's was restricted to FMS systems. The data for our paper come from many different kinds of equipment. The clearest difference between the findings presented in this paper and the results of the others concern location of fault. In our material approximately half of the investigated technical faults involved mechanical components. In the other studies electronic failures predominated; BackstrSm and Harms-Ringdahl give a proportion of one-third for mechanical faults, Sugimoto reports 8.5%, while the proportion is not specified in Kuivanen's article. These differences may be due to any one or all of the factors mentioned above: dissimilar terminology, different kinds of faults under study, different types of installations, and changes over time. It should be noted that our material includes a large proportion of older installations at a time when the technical development of production equipment has meant that increasing numbers of functions are being controlled electronically. A further conceivable hypothesis is that electronic failures are more common among younger installations, while mechanical faults appear later in the equipment's life cycle. Our data hint at trends which are compatible with both these hypotheses. It may also be the case that mechanical faults more frequently give rise to hazardous machine movements than electronic failures. Sugimoto found that half of all technical problems he investigated

T. Backstr6m, M. D66s / International Journal of Industrial Ergonomics 19 (1997)361-376 were caused by electronic faults, but this proportion fell to just a quarter in the case of the most hazardous subgroup, 'Troubles due to unexpected operation'. A further possibility is that the handling of mechanical failures tends to be more dangerous. It may be that human intervention following a mechanical failure is more likely to take place in proximity to dangerous machine movements than is the case for intervention prompted by an electronic fault. 5.3. Experiences o f machine failures from this study One way in which this type of study can be utilized is drawing attention to the events which have had a decisive influence on automation accidents. The collection of examples provides empirical evidence that there are hazardous events in automated production. Identifying these provides a basis for offering advice on what behaviors and attitudes might reduce accident risks at computer-controlled installations. No claim is made that such advice is comprehensive. The collection of examples is neither comprehensive nor representative; many important factors, even within the technical arena, are not covered, since they lie beyond the confines of the study. Examples include the design of safety devices and stop functions, and the man-machine-interface. Nevertheless, it can be stated that machine failures affected the accident process in most of the automation accidents investigated. Measures to increase equipment reliability are central to personal safety. In almost a third of cases of automation accidents the chain of events had a similar conclusion. A work piece became stuck, or crookedly or incorrectly positioned; this led the machine to stop; the accident occurred while a person attempted to correct the position of the work piece. There is a need for work routines and safety devices which make it possible safely to handle disturbances to the materials flow. But it is also important to attempt to remove such disturbances from the production process. A majority of the technical faults identified were already known before the accident occurred. To create routines and make resources available for reporting, and to take swift action when technical failures and disturbances occur are also central to personal safety in automated production.

375

A large proportion of the faults concerned mechanical components, which either jammed or were worn. Normal wear was a common cause of failure. The manifestations of faults (which are derived from a larger body of material) also suggest that it is often a minor problem with the equipment that contributes to an accident. All this suggests that regular, preventive maintenance directed towards reducing machine failures would reduce risks. In some cases the fault had been present since the equipment was installed. At installation it is clearly appropriate to conduct a functional check of the parts of the equipment that are of significance to personal safety. In a tenth of cases machine movements started despite the automated machinery being stopped or, after having been set to manual operation, without any human being touching an operating device. In a further tenth of cases the technical fault gave rise to deviant or unexpected machine movements in some other way. This suggests that the reliability of the control of hazardous machine movements should be reviewed. There also should be clear indications for personnel when a machine movement is securely stopped and when it is not.

Acknowledgements The authors wish to thank Professor Roland Akselsson, Institute of Technology in Lund, Sweden, Professor Gunnela Westlander, National Institute of Working Life in Sweden, and Professor Jorma Saari, University of Waterloo in Canada for their support and comments on the article, and Jon Kimber for a careful translation of the Swedish original.

References Avizienis, A., 1982. The four-universeinformations system model for the study of fault tolerance; Proc. 12th annual international symposium on fault tolerant computing. Santa Monica, CA, pp. 6-13. Backstrt~m, T. and D~5~ks,M. Absolute and relative frequencies of automation accidents at different kinds of equipment and for different occupational groups, submitted. Backstr~Sm, T. and Harms-Ringdahl, L., 1984. A Statistical Study of Control Systems and Accidents at Work. Journal of Occupational Accidents, 6: 201-210.

376

T. BackstrOm, M. Di~Us/ lnternational Journal of Industrial Ergonomics 19 (1997) 361-376

Backstrtim, T. and Harms-Ringdahl, L., 1986. Mot s~ikrare styrsystem - om personsakerhet vid automatiserad produktion (Towards safer control systems - on personal safety in automated production), No, TRITA-AOG 0040. The Occupational Accident Group, Royal Institute of Technology, Stockholm, Sweden (in Swedish). Benner, L.J., 1975. Accident investigations: Multilinear events sequencing methods. Journal of Safety Research, 7(2): 67-73. Burton, J., 1988. Industrial robotics: Hazards, accidents, safety applications and advanced sensor technology. Professional Safety, Nov.: 28-33. Carlsson, J., Harms-Ringdahl, L. and Kjellrn, U., 1983. Industrial robots and accidents at work, No. Trita-AOG-0026. The Occupational Accident Group, Royal Institute of Technology, Stockholm, Sweden. Coleman, P.J., 1983. Injury surveillance. A review of data sources used by the division of safety research. Scandinavian Journal of Work, Environment and Health, 9: 128-135. DOris, M. and BackstriSm, T., 1990. L ~ av olycksfallen. En utredningsmodell med exemplifierande resultat (Learning from accidents: an investigation model with some examples of results), Underst~kningsrapport No. 1990:1. Sweden's National Institute of Occupational Safety and Health (in Swedish). D/Si3s, M. and Backstri3m, T., 1993. Description of accidents in automated materials handling. In: W. S. Marras, W. Karwowski, J.L. Smith and L. Pacholski (Eds.), Ergonomics of materials handling and information processing at work. Taylor and Francis, London, pp. 653-656. D55s, M. and Backstr~Sm, T., 1994. Production disturbances as an accident risk. In: P.T. Kidd and W. Karwowski (Eds.), Advances in Agile Manufacturing. Integrating Technology, Organization and People; Proc. 4th International Conference on Human Aspects of Advanced Manufacturing and Hybrid Automation, lOS Press, Amsterdam, pp. 375-378. Di35s, M., Backstr~Sm, T. and Samuelsson, S., 1994. Evaluation of strategy. Preventing accidents with automated machinery through targeted and comprehensive investigations conducted by safety engineers. Safety Science, 17: 187-206. Harms-Ringdahl, L., 1993. Safety analysis. Principles and practice in occupational safety. Elsevier Applied Science. London. Heinrich, H.W., 1931. Industrial accident prevention - a scientific approach. McGraw-Hill Book Company, New York.

H~dcinen, K., 1989. Simulation of the production disturbances involving human intervention at danger zones (work paper). Department of Safety, Institution of Occupational Health, Vandaa, Finland. Johnson, B.W., 1989. Design and analysis of fault-tolerant digital systems. Addison-Wesley Publishing Company, Reading, MA. Jarvinen, J., Karwowski, W. and Lepist~5, J., 1991. Industrial robot-related accidents in Finland. In: Y. Queinnec and F. Daniellou (Eds.), Designing for Everyone; Proc. 1lth Congress of the International Ergonomics Association 1. Taylor and Francis, pp. 471-473. Kjellrn, U., 1983. The deviation concept in occupational accident control - theory and method, No. Trita-AOG-0019. The Occupational Accident Group, Royal Institute of Technology, Stockholm, Sweden. Kjellrn, U., 1984. The deviation concept in occupational accident control - 1. Definition and classification. Accidents Analysis and Prevention, 16 (4): 286-306. Kuivanen, R., 1990. The impact on safety of disturbances in flexible manufacturing systems. In: W. Karwowski and M. Rahimi (Eds.), Ergonomics of Hybrid Automated Systems 2. Elsevier, Amsterdam, pp. 951-956. Laflamme, L., 1993. Technological improvement of the production process and accidents: an equivocal relationship. Safety Science, 16: 249-266. OSHD, 1983. Study on accidents involving industrial robots. Occupational Safety and Health Department, Labor Standards Bureau, Ministry of Labor, Tokyo, Japan. Pacey, A., 1983. The culture of technology. Basil Blackwell, Oxford, England. Sugimoto, N., 1985. Subjects and problems of robot safety technology. In: K. Noro (Ed.), Proc. 5th UOEH International Symposium, Occupational Health and Safety in Automation and Robotics. Taylor and Francis, 1987, pp. 175-195. Vannas, V., Per~il~i, M. and Mattila, M., 1993. Risk identification in FMS implementations. In: R. Nielsen and K. Jorgensen (Eds.), Advances in Industrial Ergonomics and Safety 5. Taylor and Francis, pp. 577-582. Yin, R.K., 1989. Case study research; design and methods. SAGE Publications. Newbury Park, USA.