Erik Hollnagel, Industrial Safety Chair, École des Mines de Paris, France. E-mail: erik.hollnagel@cindy.ensmp.fr
Professor, University of Linköping, Sweden. E-mail: eriho@ida.liu.se
Safety as a non-event
SAFE SYSTEM = NOTHING UNWANTED HAPPENS
Diagram (labels only): Daily operation (status quo); Unexpected event; Accidents, incidents; Unwanted outcome. Prevention of unwanted events (reduce likelihood); Protection against unwanted outcomes (reduce consequences).
Safety management must prevent/protect against both KNOWN and UNKNOWN risks. Safety management requires THINKING about how accidents can HAPPEN.
Erik Hollnagel 2006
* outcomes are not proportional to inputs, and cannot be derived from a simple combination of inputs
Hazards-risks: Due to component failures (technical, human, organisational), hence looking for failure probabilities (event tree, PRA/HRA).
Consequence: Accidents are prevented by finding and eliminating possible causes. Safety is ensured by improving the organisation's ability to respond.
Hazards-risks: Due to degradation of components (organisational, human, technical), hence looking for drift, degradation and weaknesses.
Consequence: Accidents are prevented by strengthening barriers and defences. Safety is ensured by measuring/sampling performance indicators.
Diagram (node labels only recoverable; the single-letter aspect markers I, O, P, R, T, C between nodes are not reconstructed): Maintenance oversight, Aircraft design knowledge, Certification, Interval approvals, Aircraft, High workload, Procedures, Aircraft design, Redundant design, End-play checking, Allowable end-play, Controlled stabilizer movement, Limited stabilizer movement, Mechanics, Equipment, Expertise, Excessive end-play, Lubrication, Grease, Jackscrew replacement.
Hazards-risks: Emerge from combinations of normal variability (socio-technical system), hence looking for ETTO* and sacrificing decisions.
Consequence: Accidents are prevented by monitoring and damping variability. Safety requires a constant ability to anticipate future events.
* ETTO = Efficiency-Thoroughness Trade-Off
Control loop (diagram, labels only): Disturbance, Setpoint, Process, Output, Sensor.
Key concepts:
Process model (nature of activity)
Measurements (performance indicators, output)
Possibilities for control (means of intervention)
Nature of threats (disturbances, noise)
Diagram (labels only): Probability (p) against Consequence; Performance, Performance indicators; the region marked Known (safe).
There is an infinite number of ways in which something can go wrong. The problem is to find those that are unlikely yet potentially serious.
Regular threats (Westrum, 2006)
Events that occur so often that the organisation can learn how to respond.
Examples: Medication errors that only affect a single patient. Transportation accidents (collision between vehicles). Process or component failure (loss of mass, loss of energy).
Regular threats are covered by standard methods (HAZOP, Fault Trees, FMECA, etc.).
Their likelihood and severity (cost) are so high that they must be dealt with. Solutions can be based on standard responses, typically elimination or barriers.
Irregular threats (Westrum, 2006)
One-off (singular) events, but so many, so rare, and so different that a standard response is impossible.
Examples: Apollo 13 moon mission accident. Epidemics (BSE, H5N1). Simultaneous loss of main and back-up systems.
Irregular threats are imaginable but usually completely unexpected. They are discounted by standard methods.
Their likelihood is so low that defences are not cost effective, even if consequences are serious. Solutions require interaction and improvisation. Standard responses are insufficient.
Unexampled events (Westrum, 2006)
Events that are virtually impossible to imagine and which exceed the organisation's collective experience.
Examples: Chernobyl. New Orleans flooding (2005). Attack on the WTC (9/11).
Even when unexampled events are imaginable, they are normally discounted as impossible. Their likelihood is so low that defences are not viable, even if consequences are catastrophic. Solutions require the ability to cope, i.e., dynamically to self-organize, formulate and monitor responses.
Reactive organisation (diagram, labels only): Surprise!, Scrambling for action, Accident, Accident, Accident.
Some examples

Type of organisation: Reactive (brittle, no resilience)
Examples: Mont Blanc Tunnel fire (March 26 1999); Swedish government after Tsunami (December 26 2004); Homeland Security and FEMA after Hurricane Katrina (August 29 2005)

Type of organisation: Interactive (robust, partial resilience; attentive)
Examples: The aviation industry; Nuclear power plants; Hospitals
Characteristics: Exceptions that must be regimented. Uncertainty about the future.

Type of organisation: Proactive (resilient)
Examples: Toyota (as innovative manufacturer); People of London after bombing, July 7 2005; Israeli hospitals (bus bombings)
Characteristics: A need constantly to update definitions of the difference between success and failure. A recognition that models and plans are likely to be incomplete or wrong, despite best efforts.
Control loop (diagram, labels only): Disturbance, Setpoint, Process, Output, Sensor, Compensatory control (feedback).
You cannot drive a car by looking in the rear-view mirror! The main tool for looking ahead should NOT be to look back.
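The control loop above can be run as a small simulation to see why compensatory (feedback) control alone is a rear-view mirror: it only acts after a disturbance has already shown up in the output. This is an added example, not from the slides or from Hollnagel's own material. The process model (a plain integrator), the controller gain, the size and timing of the disturbance, and the "anticipated" fraction (how much of the disturbance the organisation foresees and cancels before it reaches the process) are all constructed assumptions for illustration.

```python
# Added example (not from the slides): a minimal discrete-time version of the
# loop on the slide: setpoint, process, sensor, output, disturbance and
# compensatory (feedback) control, plus an optional anticipatory term.
# Process model, gains and disturbance scenario are constructed for illustration.

def run_loop(steps=60, setpoint=1.0, gain=0.5, disturbance=0.5,
             disturbance_at=20, anticipated=0.0):
    """Simulate the loop and return (output trace, max deviation from setpoint).

    Process (assumed): an integrator, output[t+1] = output[t] + u[t] + d[t].
    Sensor (assumed): reads the current output, no noise.
    Compensatory control: u = gain * (setpoint - measured), i.e. it reacts only
    once the deviation is already visible in the output.
    Anticipation: `anticipated` is the fraction of the disturbance that is
    foreseen and cancelled before it reaches the process
    (0.0 = pure feedback, 1.0 = perfect feedforward).
    """
    output = setpoint
    trace = []
    max_dev = 0.0
    for t in range(steps):
        d = disturbance if t >= disturbance_at else 0.0   # step disturbance
        measured = output                                 # sensor
        u = gain * (setpoint - measured)                  # feedback term
        u -= anticipated * d                              # feedforward term
        output = output + u + d                           # process
        trace.append(output)
        max_dev = max(max_dev, abs(output - setpoint))
    return trace, max_dev


def compare(anticipated=0.8):
    """Largest deviation with feedback only vs. feedback plus anticipation."""
    _, dev_feedback = run_loop()
    _, dev_anticipating = run_loop(anticipated=anticipated)
    return dev_feedback, dev_anticipating


if __name__ == "__main__":
    fb, ant = compare()
    print(f"feedback only: max deviation {fb:.3f}")
    print(f"with 80% anticipation: max deviation {ant:.3f}")
```

With a proportional feedback controller on this process, a constant disturbance is never fully compensated: the output settles at a permanent offset of disturbance/gain (1.0 here), and every step of that offset was "seen" only after it happened. Cancelling the foreseen part of the disturbance shrinks the offset to the unforeseen remainder (0.2 with 80% anticipation), which is the slide's point: looking ahead, not looking back, is what keeps the deviation small.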
Diagram (labels only): Environment (external variability), Performance.
Components of resilience (diagram, labels only): Dynamic developments, Updating, Learning.