Our readers know we often cull lessons learned from root
cause analyses done in industries other than health care. Most often those have
come from RCA’s involving serious incidents in the airline or transportation
fields but we’ve also learned from incidents like the BP gulf oil spill.
The report on GM’s investigation into events surrounding its
recent recall of automobiles because of a faulty ignition switch that had been
a likely contributing factor in many accidents, including at least 13 reported
fatalities, offers many valuable lessons for healthcare organizations. Interestingly,
many of the lessons are about diagnostic error in addition to the more
traditional lessons about system and organizational root causes.
GM hired outside help, former US Attorney Anton R. Valukas from Jenner and Block LLP, to find out how and why
it took GM so long to recall the Chevrolet Cobalt and several other models. The
investigators were given unfettered access to documents and witnesses. GM then
made public the full 325-page report of the investigation and analysis (Valukas
2014).
To briefly summarize the overall scenario, a faulty ignition
switch was approved in 2002 despite it not meeting GM’s own specifications. The
torque required to move the key in the ignition switch (e.g.
from “OFF” to “ACC” or “RUN”) was too low, meaning that in some circumstances
the switch could easily and inadvertently be moved from “RUN” to “ACC”. Such a
move resulted in loss of power to the vehicle, in turn leading to loss of power
steering and power brakes. In addition, airbag deployment is not possible once
the switch is out of the “RUN” mode. After introduction of the faulty switch
into multiple auto lines (most notably the Chevrolet Cobalt), GM began
receiving complaints about “moving stalls”, i.e. the cars would suddenly lose
power while driving. This resulted in multiple accidents and many fatalities.
Most of the fatalities and serious injuries might have been prevented if the airbags
had deployed. For almost a decade, GM did not understand the connection between
the switch and the failure of airbag deployment and characterized the moving
stalls as “customer inconvenience” rather than as safety issues. To complicate
matters, a new switch introduced in 2008 models actually corrected the problem
but that switch change was poorly documented in GM records. Because of that, GM
investigators focused their attention away from the faulty switch as a cause
for the failed airbag deployments. Though several outside investigators
identified the switch/airbag connection as a likely cause of accidents, it was
not until a plaintiff’s expert identified the disparity between ignition
switches in the pre- and post-2008 models that the connection was recognized.
GM finally issued a recall of affected autos in 2014, a decade after issues
were first noted.
One thing that comes out early in the report is that much at
GM is done in silos. That is,
engineers may be focused on just one piece or part or system and not fully
understand how that piece/part/system interacts with all the other parts and
systems of the vehicle. Sound familiar? In healthcare we often find silo
mentalities where healthcare personnel focus their thinking on their particular
department, often without understanding the roles and functions of all other
departments and how they interact with them.
In 1997 the ignition switch was designed to communicate with
other car components, be less prone to failure and fire, and be less expensive.
GM wanted a “corporate common” switch that could be used across multiple
platforms/lines. Parameters for the technical specifications for the switch
were developed by a GM engineer. Over the next several years there were at
least 2 transitions of the engineer responsible for oversight of the ignition
switch specifications. In healthcare, we know such transitions as “handoffs” or “handovers” and understand
them as events very vulnerable to error. Handoffs entail both transfer of
information and transfer of responsibility. During one such transition at GM it
was noted that the specifications for the torque to move the ignition switch
between settings were not being met by the prototype switch. Several potential
options for changes in design to meet the specs were apparently discussed but
it is unclear whether any were implemented. It appears GM really left the
internal design and construction of the switches to the supplier and just cared
that they met the GM specifications.
In early 2002, as the date for launch of the Saturn Ion
neared, the GM engineer now in charge of the ignition switch (whom we will
refer to as RD) noted that the switches often failed to meet the torque
specification requirements. But the switch also had multiple other problems,
particularly on the electrical rather than mechanical side. In fact, RD often
referred to it as “the switch from hell” and seemed very concerned about the
electrical issues. Was this a “salient distracting feature” (see our
January 14, 2014 Patient Safety Tip of the Week “Diagnostic Error:
Salient Distracting Features”)? Did the focus on the electrical
issues so dominate the evaluation that the mechanical (torque) issue was
overlooked?
During validation testing every sample set had at least some
switches that fell below the torque specification. RD discussed potential
design changes with the supplier engineer, who noted that he could probably fix
the torque issue but was concerned that might introduce some other problems.
Apparently it was decided not to alter the switch at that time. This is
probably an example of an ETTO (efficiency-thoroughness trade-off), as we
discussed in our September 15, 2009 Patient Safety Tip of the Week
“ETTO’s: Efficiency-Thoroughness Trade-Offs”. At any rate, RD eventually approved
the switch despite the fact that it did not meet the specifications for
required torque.
Interestingly, the Valukas report focuses on the approval of this one item
without going into detail about the approval process in general. If we were
doing the RCA we would have asked “how often are approvals given when parts
do not meet specification requirements?”, not just for this one engineer but
for all GM engineers. We would want to know whether the GM culture had
adopted “normalization of deviance”. In our July 5, 2011 Patient Safety Tip
of the Week “Sidney Dekker: Patient Safety. A Human Factors Approach” we
noted that the Challenger disaster, in particular, brought to light the
importance of concepts like “normalization of deviance”, where successes
despite problems lead to the acceptance of such problems as “normal” and
therefore tolerable. We would also want to know how GM audited for such
practices (the Valukas report simply states that it appears RD was the only
one who ever reviewed the results showing the switch had failed to meet the
specs).
Shortly after launch of the Saturn Ion and Chevrolet Cobalt
with these ignition switches, complaints began to appear about the switch
inadvertently moving out of the “RUN” position, causing moving stalls. After
reviews this problem was classified as a “customer inconvenience” rather than a
safety issue, apparently because it was felt that a driver could still maneuver
the vehicle even if the power steering and ABS braking system were not
functioning. It appears GM engineers did not appreciate that the power failure
also prevented deployment of airbags, which would have made it a clear-cut
safety issue. The report notes on numerous occasions how difficult it is to
change an issue classification once it is originally made. Hence, for a decade
this was never seen as a safety issue.
There were also numerous complaints that, particularly in
cold weather, the ignition switch would not “crank” or start. The report notes
that this issue was an embarrassment to RD and that he seemed to focus more on
that problem than the stall problem.
In 2004 the Cobalt was put into production with the same
switch. GM workers drive such cars as part of the “captured test fleet” (CTF)
to assess the cars. Apparently there were instances in which the switch was
inadvertently turned off, leading to moving stalls but the drivers did not
consider this to be a significant safety issue so it was not officially
reported as a safety issue. But the CTF data collected from the Ion and Cobalt
did note that the switch was “vulnerable” to being bumped by a knee and
shutting the engine off. Again, this is a prime example of someone knowing that something is wrong but not
speaking up about it. That happens in healthcare all the time. Often it is
because they do not feel the problem is significant. At other times they fear
speaking up may lead to other problems.
In the summer and fall of 2004 more complaints about the
stalls arose and even attracted media attention, and GM engineers were able to
replicate the problem. But they still considered it an isolated problem and not
a safety issue. Throughout 2004 and 2005 multiple GM committees reviewed the
complaints and, again, they never were elevated above a severity level 3 (on a
scale of 1 to 4 with 1 being the most severe). Again, no one seemed to be aware
of the airbag issue. Again, silo
thinking was apparent. The airbags were part of the car that these
engineers did not oversee and it was apparent that few understood the overall
integration of the systems in the vehicles. GM did notify dealers, but not
consumers, about the problem of the switch easily moving out of the “RUN”
position and advised dealers to tell consumers with the problem to take
unnecessary items off their key chains to reduce the risk.
In early 2005 potential solutions were discussed but none
involved change in the switch itself. The report describes problems with the
committees reviewing the problems. There was never an “owner” or person
responsible for the problem and the committee
structure allowed for individuals to easily disavow responsibility. They
describe the “GM salute” in which
individuals cross their arms and point to others. For non-safety issues an
acceptable business plan was required that: (1) solved the issue (2) was
cost-effective and (3) had acceptable lead time to implement changes.
Non-safety issues had to clear numerous financial hurdles. Many of the committee
meetings addressing the stall issue ended with the “GM nod”, in which heads
nodded, knowing that no action would be taken. Think about your healthcare
organization. How many issues are discussed
ad nauseam by committees that shield individuals from
responsibility and accountability and subsequently don’t get anything done?
In 2004 the NHTSA (National Highway Traffic Safety
Administration) was reviewing moving stalls industry-wide. A GM committee again
addressed the issue and asked what would happen if a moving stall occurred.
They addressed steering, brakes, and warnings but not airbag deployment. No one
seemed to be aware that airbags would not deploy during such stalls.
Interestingly, the system design to prevent airbag deployment when the car is
not moving came about because of unintended airbag deployment accidents when
cars were parked or not moving. So the current problem is actually an unintended consequence of a prior
solution to another problem. That is a reminder in healthcare to always
consider and monitor for unintended consequences when we implement changes to
fix problems.
It appears that during this time GM also did not have good tracking systems or
reporting systems for complaints or industry-wide issues. In healthcare we
know that having such reporting systems, particularly those that also capture
near-misses, is essential to identifying problems that need to be addressed
before untoward outcomes occur.
In 2005 both short-term and long-term potential solutions to
the switch problem were considered. A short-term fix was approved and consisted
of a change in the key head design. Customers who had complaints were offered a
plug insert but this was still only for those who complained. After some more
negative press coverage, another GM performance improvement team re-evaluated
the issue and again concluded it did not merit a recall. The apparent rationale was
that the episodes were infrequent and the drivers still had control over
steering and brakes. Again they failed to understand the airbag issue. So GM
still considered this a “convenience” issue rather than a safety issue. Though
they made over 10,000 such plugs apparently only 430 were ever requested! And
new cars continued to be produced without even this temporary fix. Also of note
was that the technical services bulletin issued by GM to dealers did not
mention the word “stall”. That term had specifically been excised from the
early drafts, presumably because it was considered a “hot” item that might
attract attention of the NHTSA.
In 2006 engineer RD approved a new switch. While one type of
document (Form 3660) noted the mechanical change improving the torque issue,
the work order mentioned only changes to the electrical components of the
switch and there was no change made in the part number. This was a critical event, since the issue of
moving stalls disappeared in models produced after this new switch was in
place. When subsequent investigations looked to see why the problem appeared to
disappear with 2008 and subsequent models they ruled out a problem with the
switch because their document searches focused on the work order and engineer
RD did not recall making any change. The report indicates that GM policy would
have required a change in part number. Again, if we were doing the RCA at this
point we’d be asking “was such failure to change the part number an isolated
occurrence or in fact had this become something more widely accepted in the
culture at GM?”, in essence another form of “normalization of deviance”.
In mid-2006 GM was publicly stating there was no safety
issue. Note that once a public position is taken on an issue one seldom
changes his/her mind, even when confronted with contradictory evidence. The
powerful influence of public commitment cannot be overestimated. In our
September 28, 2010 Patient Safety Tip of the Week “Diagnostic Error” we
mentioned that anchoring becomes a more significant problem once a diagnosis
or other decision has been declared publicly. Many of you may have done an
exercise in executive training where a scenario is presented in which you
must state a position publicly. You are then given a bit of disconfirming
evidence and a chance to change your decision. Almost no one changes their
decision! (The scenario is actually a poorly disguised parallel of the
Challenger disaster.)
In 2006 the legal department at GM, in conjunction with some
representation from engineering and other departments, began addressing some cases
of fatalities or serious injuries in which airbags did not deploy. They failed
to make any connection with the defective ignition switch. But in 2007 two
separate outside investigations into an accident did make a connection. Keith
Young, an astute Wisconsin state trooper investigating a fatal crash in which airbags
did not deploy, noted the ignition switch was in the “ACC” position and
postulated that was why the airbags failed to deploy. He also noted that there
had been reports on the NHTSA website about switch issues. And a team of
researchers at Indiana University commissioned by NHTSA to look at the airbag nondeployment issue came to the same conclusion. GM
apparently did not learn of the Indiana University report until 2012. It did
apparently have in its files the state trooper’s report as early as 2007 but it
is not clear who, if anyone, ever actually reviewed that report at GM. It’s
also unclear from the Valukas report what the NHTSA
did with the Indiana University report.
Apparently GM did not routinely monitor the NHTSA website.
That is similar to the issue of hospitals lacking systems for routinely
monitoring websites for recalls and other patient safety issues (see our
February 26, 2013 Patient Safety Tip of the Week “Insulin
Pen Re-Use Incidents: How Do You Monitor Alerts?”).
In 2007 NHTSA had expressed interest in the issue of airbag nondeployment but never formally requested GM information. GM
did take another look and had one engineer develop a spreadsheet to begin
tracking such events but, again, there was no sense of urgency nor clear
instructions what to do with that data nor a timeframe for reporting.
In 2009 another review of airbags noted in one such case
that the sensing and diagnostic modules (SDM) did not deploy the airbags
because the algorithms were disabled at the start of the event with 2 possible
causes: (1) loss of battery power or (2) the SDM received a power mode signal status
of “OFF”. The Valukas report notes this should have
been an “aha” moment but the engineers focused more on the electrical system.
They were unaware of the previous issues related to the torque of the ignition
switch. Instead, they developed a theory (the “contact bounce” theory) in which
a sudden jarring event caused the electrical components in the switch to “open
up” and send a signal that the switch had moved from “RUN” to “ACC”. However,
field engineers could not replicate this problem in field testing. But one fact
that seemed to lend credence to this theory was that many of the crashes with nondeployment were “off-road” accidents where such jarring
bumps were likely.
The above issues raise several concepts we’ve discussed in
our many articles on diagnostic error such as confirmation bias, ignoring
disconfirming information, anchoring, and early closure. The fact that many
accidents were “off-road” probably injected confirmation bias into this
theory. The disconfirming evidence (that the field tests could not replicate
the problem) was ignored or at least failed to sway opinion in another
direction. And these may have led to anchoring/early closure
that moved investigators away from looking at the ignition switch torque issue.
The Valukas report summarizes the
2006-2010 events as having multiple failures, including the failure to change
the part number, failures to share information, failure to gather basic facts,
and failure to understand the overall design of the vehicles.
In 2011 the GM legal department began receiving claims and warnings
that GM might be liable for punitive damages. This led to more
multidisciplinary meetings but they often again ended with the “GM nod” (i.e.
nothing would be done).
Two of the GM investigators continued with the working
theory of “contact bounce”. They were bothered by the fact that there had been
no problems in models from 2008 and later and that in half the cases tracked
the switch was in the “RUN” position. That led them away from the ignition
switch torque issue as a causative factor. The Valukas
report notes some difficulty the investigators may have had in tracking cases.
One of the databases (TREAD) was apparently very difficult to use and the GM
investigators did not have access to the part that contained fatalities. They thus
may have missed some of the cases of fatalities that had occurred in 2003-2004
Ion models. And there was also a question of some “privileged” information not
being readily available to the GM investigators.
Note that the report raises considerable questions about the
legal atmosphere at GM. While all formal documents emphasize the obligation to
come forward with anything that might impact safety, many GM employees were
reluctant to do so. Also, many did not take formal notes at some meetings
because they were under the impression that the legal department discouraged
such. Again, that’s something we see in hospitals all the time, i.e. that a
policy may say one thing but actions say another. And actions and culture typically trump policy.
In June 2012 a plaintiff’s lawyer noted the Indiana University
report. This apparently was the first time GM was made aware of that report. And
a GM investigator and electrical engineers visited a junkyard while working on
their theory that jarring led to some sort of electrical event (the “contact
bounce” theory). When they examined a Cobalt they were amazed at how
“extraordinarily easily” the ignition switch key turned. They put together a
home-made system to estimate torque and their measurements suggested that it
was possible a vehicle could hit a pothole and have the switch move out of the
“RUN” position.
In a May 2012 meeting a slide prepared by one of the GM
investigators concluded that airbag nondeployment was
likely related to the torque issue of the ignition switch. That was based on
how easy it was to turn the key, the prior technical service bulletins
regarding the switch torque issues, and review of the records from the sensor
module in some crash cases. Further, an explanation was put forth as to why the
switch was sometimes in the “RUN” position after the crash. The system has an
algorithm which is inactive during the initial 3 seconds after transitioning
from “OFF/ACC” to “RUN” (so it can run self-diagnostics). Since many of the
crashes occurred within 3 seconds of the loss of power, the reported position
of the switch on the sensor module would not have been reset from “RUN”.
Another trip to the junkyard was made so formal torque
measurements could be made. But torque values were similar in some 2007 and
2008 models so the investigator could not conclude that the switch had changed
in 2008. An investigator asked engineer RD again whether there had been a part
change and he said no. That investigator relied on RD’s statement and did not
access the Form 3660 (which would have shown the change). The work order did
not reflect a change in part.
In June 2012 a plaintiff’s expert concluded, based on the
state trooper/Indiana University reports and the previous GM technical service
bulletins about the torque issue, that airbag deployment would not occur when the
switch was in the “ACC” position. At a meeting of GM legal staff in July 2012 a
new attorney asked why there had been no recall and the response was that the
engineers did not know how to fix it, the incident rate was low, and
engineering “was looking into it”.
In the summer of 2012 an attempt was made to use a standard
engineering diagnostic, RedX, to determine how a 2007
Cobalt differed from a 2008 one. It was to compare a “best of the best” vs. a
“worst of the worst” performing vehicle. But they could not find a vehicle to
represent “worst of the worst” and did not complete the diagnostic.
Then, in April 2013, a plaintiff attorney at a deposition
presented “bombshell” photographic evidence that the switches indeed differed
between 2005 and 2008 models. GM subsequently confirmed that the torque was
below the design specifications and found X-ray evidence that the switches
differed. That led to a check of records of Delphi, the switch supplier, which
confirmed that GM engineer RD had approved the change in April 2006.
The analogy we wish to draw here is with diagnostic error in
healthcare. There was a failure and
unwillingness to re-evaluate. One of the things we’ve stressed in our many
columns on diagnostic error is the need to say “What might I be missing?” and go back and look at all the available
information again. Other questions to ask are “What am I putting too much weight on?” and “What am I not paying enough attention to?”.
Yet GM still did not issue a recall until early 2014. The Valukas report goes on to describe the reasons for delays
in the recall. These included requests for further analysis, focus on finding
root causes, and perhaps most importantly lack of awareness by senior officials
that any fatalities had been involved. It goes on to describe the corporate
culture and that the CEO, General Counsel and Board of Directors really did not
learn about this until January 2014. At Board meetings, safety issues were
reported in aggregate, not as individual cases and the fatalities were not
mentioned in those reports. Furthermore, it sounds like a lot of time was spent
on J.D. Power and Consumer Reports ratings rather than on fundamental safety
issues. The report goes on to discuss a dichotomy of values: “when safety is an
issue, cost is irrelevant” vs. “cost is everything”.
Valukas goes on to describe a cultural resistance to raising issues.
The rate of reporting misconduct was low compared to other industries and
companies. There was often a fear of retaliation. Despite the stated policy
that it’s everyone’s responsibility to report safety issues, there were
specific guidelines on how to write about safety issues (not to be judgmental
or speculate). And we mentioned that many did not take notes at meetings
because they thought the lawyers wanted it that way.
Valukas cites the lack of
ownership and/or accountability, overreliance on committees to make decisions,
silo thinking, delays while looking for root causes, the “GM salute” and the
“GM nod” among other detrimental features.
The Valukas report makes numerous
recommendations, many of which GM has already begun implementing. These deal
with promoting a culture of safety, change in management and reporting
structure, need to identify ownership and responsibility at the individual
level, communications between GM groups and communication with the NHTSA, role
of the legal department and its interaction with other departments, better
interaction with suppliers, better access to information and tracking in both
GM and industry databases, better documentation and record keeping, better
structure to performance improvement projects, training, audit, oversight and
compliance, and others.
One gets the overall image of a bureaucratic behemoth gone amok
and unaware of many issues. Yet we see the same faulty processes in many of our
healthcare organizations.
GM made a big deal about dismissing 15 employees as a result
of the investigation and many in Congress have been calling for “more heads to
roll”. We’re not sure what criteria they used to determine who should be fired.
Clearly most of the issues here were organizational, cultural, and system
issues. In fact, it’s quite likely that some of those fired would be the ones
least likely to ever make similar mistakes in the future. An article in the
New York Times (Vlasic 2014), using information from interviews with multiple
parties in addition to the Valukas report, was very critical of the role
of the GM legal department, noting that the secrecy promoted by the lawyers
obscured the flaw both inside and outside the company.
Interestingly, one thing we never see any reference to is a FMEA (failure mode and effects analysis).
We would have thought that FMEA would be part and parcel of the activities of
any company in the automobile industry. Yes, a switch sounds like too small a
part around which to merit a FMEA. But, in fact, this small switch interacted
with multiple other components and systems in an extremely complex fashion.
When we do FMEA’s in healthcare we are usually amazed at the potential
vulnerabilities we uncover.
The Valukas report is 325 pages
long and some of the terminology gets technical at times. Nevertheless, it is
worth reading. You’ll find yourself saying “hey, that sounds just like something
that happens in our organization!” You’ll readily
appreciate the system issues that led to this prolonged failure to recognize
and implement a simple change that could have saved many lives and other
serious outcomes. But you’ll also begin to appreciate that many of the basic
concepts we see leading to diagnostic error also come into play when we are
attempting to unravel puzzling non-medical issues.
Some of our previous
columns with lessons learned from root cause analyses (RCA’s) done in other
industries to demonstrate by analogy what can go wrong in various healthcare
settings:
August 28, 2007 “Lessons Learned from Transportation Accidents”
October 2, 2007 “Taking Off From the Wrong Runway”
May 19, 2009 “Learning from Tragedies”
May 26, 2009 “Learning from Tragedies. Part II”
August 24, 2010 “The BP Oil Spill - Analogies in Healthcare”
April 5, 2011 “More Aviation Principles”
April 26, 2011 “Sleeping Air Traffic Controllers: What About Healthcare?”
April 16, 2013 “Distracted While Texting”
January 7, 2014 “Lessons From the Asiana Flight 214 Crash”
Some of our prior
columns on diagnostic error:
References:
Valukas AR. Report to Board of Directors of General Motors Company Regarding Ignition Switch Recalls. Jenner and Block 2014; May 29, 2014
http://www.nhtsa.gov/staticfiles/nvs/pdf/Valukas-report-on-gm-redacted.pdf
Vlasic B. G.M. Lawyers Hid Fatal Flaw, From Critics and One Another. New York Times 2014; June 6, 2014