safetymodels&accidentmodelssimplesequentialaccidentmodel h.heinrich’sdominomodel (1930)...
TRANSCRIPT
Safety models & accident models
Eric Marsden
Mental models
▷ A safety model is a set of beliefs or hypotheses (often implicit)about the features and conditions that contribute to the safety ofa system
▷ An accident model is a set of beliefs on the way in whichaccidents occur in a system
▷ Mental models are important because they impact systemdesign, operational decisions and behaviours
2 / 18
Accidents as “acts of god”
▷ Fatalism: “you can’t escape your fate”
▷ Defensive attitude: accidents occur due to circumstances“beyond our control”
▷ Notion that appeared in Roman law: reasons that couldexclude a person from absolute liability• e.g. violent storms & pirates exempted a captain from
responsibility for his cargo
3 / 18
Simple sequential accident model
H. Heinrich’s domino model(1930)
Assumptions:
▷ Accidents arise from aquasi-mechanical sequence ofevents or circumstances, thatoccur in a well-defined order
▷ An accident can be preventedby removing one of the“dominos” in the causalsequence
4 / 18
Simple sequential accident model
The “safety pyramid” or “accident triangle”(H. Heinrich, 1930 and F. Bird, 1970)
Assumptions:
▷ Each incident is an “embryo” of an accident(the mechanisms which cause minorincidents are the same as those that createmajor accidents)
▷ Reducing the frequency of minor incidentswill reduce the probability of a majoraccident
▷ Accidents can be prevented by identifyingand eliminating possible causes
5 / 18
Simple sequential accident model
According to this model, safety is improved by identifyingand eliminating “rotten apples”
▷ front-line staff who generate “human errors”
▷ whose negligent attitude might propagate to otherstaff
Some accidents (in particular in high-risk systems) have more complicated origins…
6 / 18
On “human error”
‘‘ for a long time people were saying mostaccidents were due to human error and this istrue in a sense but it’s not very helpful. It’s abit like saying that falls are due to gravity…
— Trevor Kletz
A useful alternative concept to human error isperformance variability.
7 / 18
Is it relevant to count errors?
▷ Counting errors produces a quantitative assessment of the “safety level” of a system
▷ Allows inter-comparison of systems
▷ Can constitute the point of departure for a search for the underlying causes of incidents
number of errors safety level
quantity quality
inverse relationship
This simplistic model is very criticized
8 / 18
Is counting errors relevant?
Who is more dangerous?
▷ 700 000 doctors in the USA
▷ between 44 000 and 98 000people die each year from amedical error
→ between 0.063 and 0.14accidental deaths per doctorper year
▷ 80 million firearm owners inthe USA
▷ responsible for ≈1 500accidental deaths per year
→ 0,000019 accidental deaths perfirearm owner per year
The probability that the human error of a
doctor kills someone is 7500 times higher
than for a firearm owner. [S. Dekker]
9 / 18
Is counting errors relevant?
▷ 700 000 doctors in the USA
▷ between 44 000 and 98 000people die each year from amedical error
→ between 0.063 and 0.14accidental deaths per doctorper year
▷ 80 million firearm owners inthe USA
▷ responsible for ≈1 500accidental deaths per year
→ 0,000019 accidental deaths perfirearm owner per year
The probability that the human error of a
doctor kills someone is 7500 times higher
than for a firearm owner. [S. Dekker]
9 / 18
Is counting errors relevant?
▷ 700 000 doctors in the USA
▷ between 44 000 and 98 000people die each year from amedical error
→ between 0.063 and 0.14accidental deaths per doctorper year
▷ 80 million firearm owners inthe USA
▷ responsible for ≈1 500accidental deaths per year
→ 0,000019 accidental deaths perfirearm owner per year
The probability that the human error of a
doctor kills someone is 7500 times higher
than for a firearm owner. [S. Dekker]
9 / 18
Is counting errors relevant?
▷ 700 000 doctors in the USA
▷ between 44 000 and 98 000people die each year from amedical error
→ between 0.063 and 0.14accidental deaths per doctorper year
▷ 80 million firearm owners inthe USA
▷ responsible for ≈1 500accidental deaths per year
→ 0,000019 accidental deaths perfirearm owner per year
The probability that the human error of a
doctor kills someone is 7500 times higher
than for a firearm owner. [S. Dekker]
9 / 18
Epidemiological accident model
accident
event incident
tech
nica
l bar
rier
s
from "Human Error" (James Reason)
safe
ty m
anag
emen
t sy
stem
s an
d pr
oced
ures
shar
p-en
d w
orke
rs
coop
erat
ion
James Reason’s Swisscheese model
Assumption: accidents are produced by a combination of active errors (poor safetybehaviours) and latent conditions (environmental factors)
Consequences: prevent accidents by reinforcing barriers. Safety management requiresmonitoring via performance indicators.
10 / 18
Bow-tie modelca
uses
impa
cts
topevent
preventivebarriers
protectivebarriers
11 / 18
Bow-tie modelca
uses
impa
cts
topeventno
flowto
receiver
noflow
fromcom
ponentB
noflow
intocom
ponentB
noflow
fromcom
-ponentA1
noflow
fromsource1
component
A1blocks
flow
noflow
fromcom
-ponentA2
noflow
fromsource2
component
A2blocks
flow
componentB
blocksflow
fault tree event tree
11 / 18
Loss of control accident model
PREVENTION
RECOVERY
ACCIDENT MITIGATION
Destabilization point
Figure source: French BEA
14 / 18
Drift into failure
economic failure
unacceptableworkload
unsafe
space of possibilities
Human behaviour in any largesystem is shaped by constraints:profitable operations, safeoperations, feasible workload.Actors experiment within thespace formed by these constraints.
managementpressure forefficiency
Human behaviour in any largesystem is shaped by constraints:profitable activity, safe operations,feasible workload. Actorsexperiment within the spaceformed by these constraints.
Management will provide a “costgradient” which pushes activitytowards economic efficiency.
gradient towardsleast effort
Human behaviour in any largesystem is shaped by constraints:economic, safety, feasibleworkload. Actors experimentwithin the space formed by theseconstraints.
Management will provide a “costgradient” which pushes activitytowards economic efficiency.
Workers will seek to maximizethe efficiency of their work, witha gradient in the direction ofreduced workload.
drift towards failure
These pressures push work tomigrate towards the limits ofacceptable (safe) performance.Accidents occur when thesystem’s activity crosses theboundary into unacceptable safety.
A process of “normalization ofdeviance” means that deviationsfrom the safety proceduresestablished during system designprogressively become acceptable,then standard ways of working.
effect of a“questioningattitude”
safety margin
Mature high-hazard systemsapply the defence in depth designprinciple and implement multipleindependent safety barriers. Theyalso put in place programmesaimed at reinforcing people’squestioning attitude and theirchronic unease, making them moresensitive to safety issues.
These shift the perceivedboundary of safe performance tothe right. The difference betweenthe minimally acceptable levelof safe performance and theboundary at which safety barriersare triggered is the safety margin.
Figure adapted from Risk management in a dynamic society, J. Rasmussen, Safety Science, 1997:27(2)
15 / 18
Drift into failure
economic failure
unacceptableworkload
unsafe
space of possibilities
Human behaviour in any largesystem is shaped by constraints:profitable operations, safeoperations, feasible workload.Actors experiment within thespace formed by these constraints.
managementpressure forefficiency
Human behaviour in any largesystem is shaped by constraints:profitable activity, safe operations,feasible workload. Actorsexperiment within the spaceformed by these constraints.
Management will provide a “costgradient” which pushes activitytowards economic efficiency.
gradient towardsleast effort
Human behaviour in any largesystem is shaped by constraints:economic, safety, feasibleworkload. Actors experimentwithin the space formed by theseconstraints.
Management will provide a “costgradient” which pushes activitytowards economic efficiency.
Workers will seek to maximizethe efficiency of their work, witha gradient in the direction ofreduced workload.
drift towards failure
These pressures push work tomigrate towards the limits ofacceptable (safe) performance.Accidents occur when thesystem’s activity crosses theboundary into unacceptable safety.
A process of “normalization ofdeviance” means that deviationsfrom the safety proceduresestablished during system designprogressively become acceptable,then standard ways of working.
effect of a“questioningattitude”
safety margin
Mature high-hazard systemsapply the defence in depth designprinciple and implement multipleindependent safety barriers. Theyalso put in place programmesaimed at reinforcing people’squestioning attitude and theirchronic unease, making them moresensitive to safety issues.
These shift the perceivedboundary of safe performance tothe right. The difference betweenthe minimally acceptable levelof safe performance and theboundary at which safety barriersare triggered is the safety margin.
Figure adapted from Risk management in a dynamic society, J. Rasmussen, Safety Science, 1997:27(2)
15 / 18
Drift into failure
economic failure
unacceptableworkload
unsafe
space of possibilities
Human behaviour in any largesystem is shaped by constraints:profitable operations, safeoperations, feasible workload.Actors experiment within thespace formed by these constraints.
managementpressure forefficiency
Human behaviour in any largesystem is shaped by constraints:profitable activity, safe operations,feasible workload. Actorsexperiment within the spaceformed by these constraints.
Management will provide a “costgradient” which pushes activitytowards economic efficiency.
gradient towardsleast effort
Human behaviour in any largesystem is shaped by constraints:economic, safety, feasibleworkload. Actors experimentwithin the space formed by theseconstraints.
Management will provide a “costgradient” which pushes activitytowards economic efficiency.
Workers will seek to maximizethe efficiency of their work, witha gradient in the direction ofreduced workload.
drift towards failure
These pressures push work tomigrate towards the limits ofacceptable (safe) performance.Accidents occur when thesystem’s activity crosses theboundary into unacceptable safety.
A process of “normalization ofdeviance” means that deviationsfrom the safety proceduresestablished during system designprogressively become acceptable,then standard ways of working.
effect of a“questioningattitude”
safety margin
Mature high-hazard systemsapply the defence in depth designprinciple and implement multipleindependent safety barriers. Theyalso put in place programmesaimed at reinforcing people’squestioning attitude and theirchronic unease, making them moresensitive to safety issues.
These shift the perceivedboundary of safe performance tothe right. The difference betweenthe minimally acceptable levelof safe performance and theboundary at which safety barriersare triggered is the safety margin.
Figure adapted from Risk management in a dynamic society, J. Rasmussen, Safety Science, 1997:27(2)
15 / 18
Drift into failure
economic failure
unacceptableworkload
unsafe
space of possibilities
Human behaviour in any largesystem is shaped by constraints:profitable operations, safeoperations, feasible workload.Actors experiment within thespace formed by these constraints.
managementpressure forefficiency
Human behaviour in any largesystem is shaped by constraints:profitable activity, safe operations,feasible workload. Actorsexperiment within the spaceformed by these constraints.
Management will provide a “costgradient” which pushes activitytowards economic efficiency.
gradient towardsleast effort
Human behaviour in any largesystem is shaped by constraints:economic, safety, feasibleworkload. Actors experimentwithin the space formed by theseconstraints.
Management will provide a “costgradient” which pushes activitytowards economic efficiency.
Workers will seek to maximizethe efficiency of their work, witha gradient in the direction ofreduced workload.
drift towards failure
These pressures push work tomigrate towards the limits ofacceptable (safe) performance.Accidents occur when thesystem’s activity crosses theboundary into unacceptable safety.
A process of “normalization ofdeviance” means that deviationsfrom the safety proceduresestablished during system designprogressively become acceptable,then standard ways of working.
effect of a“questioningattitude”
safety margin
Mature high-hazard systemsapply the defence in depth designprinciple and implement multipleindependent safety barriers. Theyalso put in place programmesaimed at reinforcing people’squestioning attitude and theirchronic unease, making them moresensitive to safety issues.
These shift the perceivedboundary of safe performance tothe right. The difference betweenthe minimally acceptable levelof safe performance and theboundary at which safety barriersare triggered is the safety margin.
Figure adapted from Risk management in a dynamic society, J. Rasmussen, Safety Science, 1997:27(2)
15 / 18
Drift into failure
economic failure
unacceptableworkload
unsafe
space of possibilities
Human behaviour in any largesystem is shaped by constraints:profitable operations, safeoperations, feasible workload.Actors experiment within thespace formed by these constraints.
managementpressure forefficiency
Human behaviour in any largesystem is shaped by constraints:profitable activity, safe operations,feasible workload. Actorsexperiment within the spaceformed by these constraints.
Management will provide a “costgradient” which pushes activitytowards economic efficiency.
gradient towardsleast effort
Human behaviour in any largesystem is shaped by constraints:economic, safety, feasibleworkload. Actors experimentwithin the space formed by theseconstraints.
Management will provide a “costgradient” which pushes activitytowards economic efficiency.
Workers will seek to maximizethe efficiency of their work, witha gradient in the direction ofreduced workload.
drift towards failure
These pressures push work tomigrate towards the limits ofacceptable (safe) performance.Accidents occur when thesystem’s activity crosses theboundary into unacceptable safety.
A process of “normalization ofdeviance” means that deviationsfrom the safety proceduresestablished during system designprogressively become acceptable,then standard ways of working.
effect of a“questioningattitude”
safety margin
Mature high-hazard systemsapply the defence in depth designprinciple and implement multipleindependent safety barriers. Theyalso put in place programmesaimed at reinforcing people’squestioning attitude and theirchronic unease, making them moresensitive to safety issues.
These shift the perceivedboundary of safe performance tothe right. The difference betweenthe minimally acceptable levelof safe performance and theboundary at which safety barriersare triggered is the safety margin.
Figure adapted from Risk management in a dynamic society, J. Rasmussen, Safety Science, 1997:27(2)
15 / 18
Non-linear accident model
Systemic models
▷ FRAM (Hollnagel, 2000)▷ STAMP (Leveson, 2004)
Assumption: accidents result from an unexpected combination and the resonance of normalvariations in performance
Consequences: preventing accidents means understanding and monitoring performancevariations. Safety requires the ability to anticipate future events and react appropriately.
16 / 18
Image
credits
▷ Sodom and Gomorrah burning (slide 26): Picu Pătruţ, public domain, viaWikimedia Commons
▷ Dominos (slide 27): H. Heinrich, Industrial Accident Prevention: A ScientificApproach, 1931
For more free content on risk engineering,visit risk-engineering.org
17 / 18
Feedback welcome!
Was some of the content unclear? Which parts were most useful toyou? Your comments to [email protected](email) or @LearnRiskEng (Twitter) will help us to improve thesematerials. Thanks!
@LearnRiskEng
fb.me/RiskEngineering
This presentation is distributed under the terms of theCreative Commons Attribution – Share Alike licence
For more free content on risk engineering,visit risk-engineering.org
18 / 18