2018-01-13

Good news about Hawaii's ballistic missile warning service

It works!

Watching the 1pm (Hawaii) press conference, the Governor and the Administrator for Emergency Management are going through the expected self-flagellation. The Administrator commented "Our process is to have no more false alarms from now" and that now two people will be required to send out an alert.

The interesting questions, which the journalists don't seem to be asking:

  1. How many false alarms are acceptable - rather, what rate of false alarming is acceptable? Once in 30 years? Once in 10 years? Once a year?
  2. What are the benefits from a false alarm - e.g. testing the alert channel, prompting people to think about their emergency plans - and what are the costs - e.g. mental health events, car accidents, heart attacks, premature consumption of expensive whisky?
  3. What actions taken to reduce the risk of false alarms increase the risk of a real alarm being delayed in sending?

Everything comes with a trade-off. The last question is probably the most important. If you only have 10 minutes from the alert going out until missile impact (on the current plan), what happens if, say, your requirement for two people to trigger the alert ends up causing a delay because one person isn't around? You just know it's going to happen:

"Hey Akamu, can you watch the console for the next few minutes, I just gotta go to ABC Stores to get some more chocolate macadamias?"
"Sure Alika, I don't want to call in Ula the backup guy if we don't really need to."

I'd like to see a public written postmortem about this incident. Redact names - replace them with roles e.g. "the coming-on-duty emergency alerts worker", "the going-off-duty emergency worker" - and explain:

  • what went wrong,
  • why it went wrong (following the 5 Whys technique),
  • what actions are being taken to remediate the risk, and
  • what they aim to achieve in terms of the false alarm rate and the failure-to-alert probability.

Write it in a blameless fashion; assume good faith and basic competence by the people involved. If someone made a bad choice, or slipped and hit the wrong button, the problem isn't with the person - it's the process and technology that let them make that bad choice or press the button in a non-deliberate way.

One interesting question that was raised in the conference: why did some but not all of the sirens trigger? You'd want the process to be that the sirens team and the alert message team each monitor the other's output. If you're the siren operator and get the alert on your phone, the best strategy is to trigger the siren immediately to increase coverage of the alert. The impact of a false siren is much lower than the impact of not sounding the siren when a missile really is inbound because the PACOM-to-sirens message channel has failed. So maybe this was individual siren operator initiative - reward those folks, and make it standard procedure.

This is a great opportunity for the state government to demonstrate transparency and a commitment to making the systems objectively work better, rather than just playing to the press. Unfortunately, you just know that it's not going to happen like that.
