It’s vacation time for me, so nothing from me about fireworks, cookouts, or any other seasonally-themed risks until next week (assuming that one of my personal assumptions of risk doesn’t kill me), but I will throw one thought to Chris on the way out as he cites me, then ponders amusement ride control effectiveness.
It seems that Rye Playland, a popular New York amusement park, promised to add a second attendant to a ride in which a young child had been killed in 2004. The county-owned facility did not do so, but nonetheless had a second attendant on hand during a shift changeover. Unfortunately, one attendant turned on the ride while the other was still assisting some customers. The latter attendant was thrown from the ride and killed.
The controls that had originally been put in place at the park had failed and led to a fatal accident. Unfortunately, it seems that the system had another design flaw–it assumed that there were only two types of actors in the system at ride start time: a passenger or the operator.
The passengers, it was assumed, were strapped in and (I’ll assume) their safety harnesses checked by the operator, prior to his or her moving to the operator’s console to start the ride. Unfortunately, the presence of an unexpected person in the system (the second operator) allowed that person to be in an unanticipated state, for which that second person paid with their life.
So Chris suggests (and I agree):
Maybe a two-switch, two-person solution is worth investigating in this case.
But only if the rest of the system is examined to consider how this alters other assumptions, which it rarely is.
Systems of controls are unique to the system. They incorporate assumptions and expectations about the state of different components through the lifecycle of the process. When a more-or-less identical system recurs often enough, the controls get published as a “Best Practice,” which then becomes a checklist, which is then measured for “compliance,” the reasoning for the recommendation having long since been lost.
Unfortunately, by the time something makes it to checklist state, the information necessary to determine whether the checklist is appropriate for the system is long gone. Of course, if someone is using checklists in the first place, there’s probably not a lot of assessing risk and analyzing for control effectiveness going on anyway.