Failure analysis

The accident was due to human-machine mismatch , namely, operating in a latent exceptional situation .

• An operators' slip , resulting in the system being in an exceptional situation
• Failure to detect that the situation was exceptional.

Design mistakes

The sources for this misfortune were:

• The design enabled the operators to unintentionally disconnect the rudder from the wheel at the helm
• The design did not provide alarms about the supertanker being in the exceptional situation.

  Guidelines about rules defining proper scenarios, and keeping with the rules

  Guidelines about assuring the operator's awareness of the system situation

Sources for the design mistakes

The operational rules were implicit . The design did not constrain the supertanker to operate according to navigation rules .

• The design did not provide means to set the primary operation modes . Therefore, there were no means available enabling decide whether disconnection the wheel should be prohibited, or treated as exceptional.
• Because the design did not enable identifying the exceptional situation, there was no way to provide the alarm when it was required.

  Guidelines about the alarm design

  Guidelines about protecting from operator's mistakes

Updated on 17 Apr 2016.