The Synthesis of Safety

1 The Synthesis of Safety Erik Hollnagel Professor, University of Southern Denmark Chief Consultant Center for Quality, RSD (DK)

2 Safety = Zero harm The Anglo American Safety Principles set out the foundation of the desired culture, expected behaviours and performance standards within the organisation. Each Principle has two supporting elements which, we believe, will assist us in leading us on the journey towards Zero Harm.

3 The causality credo (1) Adverse outcomes happen because something has gone wrong. (2) Adverse outcomes therefore have causes, which can be found and treated. (3) All accidents are preventable (zero harm principle). Accident investigation: Find the component that failed by reasoning backwards from the final consequence. Accidents result from a combination of active failures (unsafe acts) and latent conditions (hazards). Risk analysis: Find the probability that components break, either alone or in simple combinations. Look for combinations of failures and latent conditions that may constitute a risk.

4 Different process, different outcome Hypothesis of different causes: Things that go right and things that go wrong happen in different ways and have different causes. Function (work as imagined) Success (no adverse events) Acceptable outcomes Malfunction, non-compliance, error Failure (accidents, incidents) Unacceptable outcomes

5 Increasing safety by reducing failures Function (work as imagined) Success (no adverse events) Acceptable outcomes Identification and measurement of adverse events is central to safety. Malfunction, non-compliance, error Failure (accidents, incidents) Unacceptable outcomes Find-and-fix

6 Safety-I when nothing goes wrong Safety is the condition where the number of adverse outcomes (accidents / incidents / near misses) is as low as possible. Safety is defined by its opposite, by the lack of safety (accidents, incidents, risks). We focus on the events where safety is absent, rather than on those where safety is present. If we want something to increase, why do we use a proxy measure that decreases? Why is a HIGHER level of safety measured by a LOWER number of adverse outcomes?

7 Why only look at what goes wrong? Safety-I = Reduced number of adverse events. := 1 failure in events Focus is on what goes wrong. Look for failures and malfunctions. Try to eliminate causes and improve barriers. Safety and core business compete for resources. Learning only uses a fraction of the data available. Safety-II = Ability to succeed under varying conditions. := nonfailures in events Focus is on what goes right. Use that to understand everyday performance, to do better and to be safer. Safety and core business help each other. Learning uses most of the data available.

8 Why is it safe to drive or walk? When we drive on the streets or move in a crowd, we continuously adjust to what other people do. Just as others continuously adjust to what we do or will do.

9 Performance adjustments are necessary Availability of resources (time, manpower, materials, information, etc.) may be limited and uncertain. People adjust what they do to match the situation. Performance variability is inevitable, ubiquitous, and necessary. Because of resource limitations, performance adjustments will always be approximate. Performance variability is the reason why everyday work is safe and effective. Performance variability is the reason why things sometimes go wrong.

10 Why do people vary in their work? AVOID anything that may have negative consequences for yourself, your group, or organisation. MAINTAIN/CREATE conditions that are necessary to carry out the work. COMPENSATE FOR conditions that make work difficult or impossible.

11 Same process, different outcomes Function (work as imagined) Success (no adverse events) Acceptable outcomes Everyday work (performance variability) Malfunction, non-compliance, error Failure (accidents, incidents) Unacceptable outcomes

12 Increase safety by facilitating work Understanding the variability of everyday performance is the basis for safety. Function (work as imagined) Success (no adverse events) Acceptable outcomes Everyday work (performance variability) Malfunction, non-compliance, error Failure (accidents, incidents) Unacceptable outcomes Constraining performance variability to remove failures will also remove successful everyday work.

13 Safety-II when everything goes right Safety-II: Safety is a condition where the number of successful outcomes (meaning everyday work) is as high as possible. It is the ability to succeed under varying conditions. Safety-II is achieved by trying to make sure that things go right, rather than by preventing them from going wrong. Safety is defined by its presence. Individuals and organisations must adjust everything they do to match the current conditions. Everyday performance must be variable in order for things to work. The focus is on everyday situations where things go right as they should. Acceptable outcomes Performance variability Unacceptable outcomes

14 What should we be looking for? When we notice something that has gone wrong, it is a safe bet that it has gone right many times before and that it will go right many times in the future. In order to understand WHY this happened, we need to understand HOW this happens!

15 Stopping at a red light People drive in different ways, depending on multiple factors (age, gender, nationality, weather, vehicle, traffic environment, etc.) Most drivers stop at a red traffic light, but very few do it in the same way. We should look for usual actions under unusual conditions, rather than unusual actions under usual conditions.

16 Work as imagined work as done Work-as-imagined is what designers, managers, regulators, and authorities believe happens or should happen. Work-as-done is what people do and what actually happens. Safety I: Failure is explained as a breakdown or malfunctioning of a system and/or its components (non-compliance, violations). Safety II: Individuals and organisations must adjust to the current conditions in everything they do. Performance must be variable in order for things to work.

17 Performance adjustments in practice In practice, people take the shortcuts they think are necessary to get the job done, to save time, to avoid unnecessary use of resources, etc. When it goes well, no one takes any notice and the shortcuts may even tacitly be encouraged. When it goes wrong, people are blamed for violating procedures and for being unsafe.

18 Problems with safety as risk reduction The focus on failures juxtaposes Work-As-Imagined and Work-As-Done and assumes the former is correct (the blunt-end or management perspective). Incidents are described by after-the-fact stories. In hindsight they seem to be easily preventable by relatively simple measures, such as more technology, new policies and procedures, or calls to increase vigilance or compliance of operators.

19 WAD WAI seen from the blunt end Limited time Limited resources Clear causes Accident model Limited information Clear conclusions Accident model The people who, directly or indirectly, are involved in the accident. The people who investigate the accident.

20 WYLFIWYF Accident investigation follows a What-You-Look-For-Is-What-You-Find (WYLFIWYF) principle. Accident investigations that look for causes, find causes. The assumptions about the nature of accidents (causality credo) constrain the analysis. We can be safe with a little more effort, a few more resources, a more refined set of recommendations from a knowledgeable inquiry, some new tools, an updated IT system, a better policy, and an improved safety culture. In other words, if WAD is made more like WAI. Human error Technical malfunction Organisational failure Incorrect design WAD WAI Bad maintenance Safety culture Latent conditions Violation, non-compliance

21 WYLFIWYF Looking at work-as-done also follows a What-You-Look-For-Is-What-You-Find (WYLFIWYF) principle. Safe and unsafe behaviours happen in the same way. Adjustments / improvisation can be useful. People successfully balance competing goals. Work studies should focus on how things normally work and why that succeeds. Something that goes wrong has usually gone right many times before. We can only be safe if we understand how work is done. Neither WAI nor WAD are absolute references, but both serve useful purposes. There are no silver bullets - no simple solutions. We must learn how continuously to realign WAI with WAD. WAD WAI Best practice Culture of resilience Learning from experience Coping with complexity

22 Fatalistic view (Safety-I) Humans are fallible machines: accidents are a consequence of errors. The purpose of investigations is to find a clear mechanism for the adverse outcome that can be the basis for effective corrective action. The search is for components rather than functions, and for specific states (work - fail) rather than relations. Accidents, and their causes, are treated one by one. Safety-I thinking reinforces a reactive culture, where accidents are dealt with as single instances according to the hypothesis of different causes. Accidents are reacted to case by case (normatively). Investigations are biased towards failures at the sharp end that provide acceptable explanations. Things that go right and things that go wrong happen in different ways. When a (root) cause has been found, the investigation can be closed. While this appears to be efficient, it is counterproductive because it makes learning difficult.

23 Realistic view (Safety-II) Human performance variability is a necessary resource. The purpose of investigations is to understand how work usually succeeds, and use that to improve the conditions for everyday work. The search is for functions rather than components, and for how functions depend on each other. Human performance is variable both at the sharp and the blunt end. Performance adjustments (Efficiency-Thoroughness Trade-Off) are everywhere: in operations, in safety investigations, and in management. The pressure to find clear answers quickly has distorted our understanding of WAD. Things that go right and things that go wrong happen in the same way. The purpose of safety management is to ensure that the conditions for everyday work are the best possible, rather than trying to eliminate failures and errors.

24 Thank you for your attention