_ _fostering successes rather than reducing failures_hollnagel_presentation

8/8/2019 _ _Fostering successes rather than reducing failures_Hollnagel_presentation

1/30

Erik Hollnagel, 2008

Erik HollnagelProfessor & Industrial Safety ChairMINES ParisTech Crisis and Risk Research CentreSophia Antipolis, FranceEmail: [email protected]

How to be safe by fostering

successes rather than reducing

failures


2/30


Accidents, incidents,

The meaning of safety

Normalperformance

Unwanted outcomenexpected eventPrevention ofunwanted events Protection againstunwanted outcomes

SAFETY = FREEDOM UNACCEPTABLE RISKROMHow much riskis acceptable?

What cango wrong?

How can itbe done?

LIFEPROPERTYMONEY

How much risk isaffordablerom French Sauf =unharmed / except


3/30


Safety as reduction/elimination of riskThe common understanding of safety implies a distinction between:

What happenswhen there is nomeasurable change?

A normal state where everything works as it should and where the outcomes /products are acceptable (positive or as intended).

The purpose of safety (management) isto maintain a normal state bypreventing disruptions or disturbances.Safety efforts are normally driven bywhat has happened in the past, and aretherefore reactive.The level of safety is measured by theabsence of negative outcomes.

A failed state where normal operations are disrupted or impossible, and wherethe outcomes/products are unacceptable (negative or not as intended).


4/30


First there were technical failures

10

20

30

40

50

60

70

80

100

90

1960 1965 1970 1975 1980 1985 1990 1995

%Atbdca

2000

Technology, equipment

2005


5/30


and technical analysis methods

1900 1910 1920 1930 1940 1950 1960 1970 1980 1990 2000 2010

FMEAHAZOP

FMECAault tree


6/30


Then came the human factor

10

20

30

40

50

60

70

80

100

90

1960 1965 1970 1975 1980 1985 1990 1995

%Atbdca

2000

Technology, equipment

2005

Human performance


7/30


And human factors analysis methods

1900 1910 1920 1930 1940 1950 1960 1970 1980 1990 2000 2010

Root cause Domino FMEAHAZOP

FMECACSNITHERP

HCRHPES

Swiss Cheese

RCA, ATHEANA

Fault treeAEB

HEAT

HERA

TRACEr

Human Factorsechnical


8/30


Then came organisational failures ...

10

20

30

40

50

60

70

80

100

90

1960 1965 1970 1975 1980 1985 1990 1995

%Atbdca

2000

Technology, equipment Organisation

2005

Human performance

?

?

?

Which will be themost unreliablecomponent?


9/30


and organisational analysis methods

1900 1910 1920 1930 1940 1950 1960 1970 1980 1990 2000 2010

Root cause Domino FMEAHAZOP

FMECACSNITHERP

HCRSTEPHPES

Swiss CheeseMTO

TRIPODRCA, ATHEANA

AcciMapFRAMSTAMP

Fault treeCREAMMERMOS

AEB

MORT

HEAT

HERA

TRACEr

Human Factorsechnical Organisational Systemic


10/30


11/30


Safety = (1 - Risk)

By 2020 a new safety paradigm will have been widely adopted in Europeanindustry. Safety is seen as a key factor for successful business and an inherentelement of business performance. As a result, industrial safety performance willhave progressively and measurably improved in terms of reduction of- reportable accidents at work,- occupational diseases,- environmental incidents and- accident-related production losses.It is expected that an incident elimination culture will develop where safety isembedded in design, maintenance, operation and management at all levels inenterprises. This will be identifiable as an output from this Technology Platformmeeting its quantified objectives.

The measurementsare all negative orunwanted outcomes.


12/30


Complications of anaesthesiaPostoperative hip fracturePostoperative pulmonary embolism (PE)or deep vein thrombosis (DVT)Postoperative sepsisTechnical difficulty with procedureTransfusion reactionWrong blood typeWrong-site surgeryForeign body left in during procedureMedical equipment-relatedMedication errors

Operative and post-operativecomplications

Sentinel events

OECD Indicators for Patient SafetyVentilator pneumoniaWound infectionInfection due to medical careDecubitus ulcer

Hospital-acquired infections

Birth trauma - injury to neonateObstetric trauma vaginal deliveryObstetric trauma - caesarean sectionProblems with childbirthPatient fallsIn-hospital hip fracture or fall

Obstetrics

Other care-related adverse events


13/30


1. Fatal accidents (number)2. Total recordable injury frequency (TRIF)3. Lost-time injury frequency (LTIF)4. Serious HSE incident frequency (SIF)5. Accidental oil spill (number and volume)6. Emissions of CO2 and relative emissions of CO27. Emissions of NOx and relative emissions of NOx8. Energy consumption and energy efficiency9. Non-hazardous waste recovery rate10. Climate KPI11. Global warming potential (total quantity in CO2 equivalents)12. Sickness absence (percentage)13. Theft (number of instances and costs)14. Criminal damage (number of instances and costs)15. Violence and threats (number of instances and cost)16. Robbery (number of instances and costs)17. Special security incidents (number and cost)18. Work related illness (WRI)19. Actual and potential transportation personal injuries... ... ...

Corporate HSE Indicators

HSE = Health, safety, securityand environment


14/30


Theories and models of the negative

Technology and materials areimperfect so failures are inevitable

Accidents are caused by people,due to carelessness, inexperience,and/or wrong attitudes.

Organisations are complexbut brittle with limitedmemory and uncleardistribution of authority


15/30


Theory W: Traditional safety perspectiveSystems are well designed and scrupulously maintained,Things gorightbecause: Procedures are complete and correctPeoplebehaveas they are expected to as they are taught.Designers can anticipate every contingency.

Humans are a liability and performance variability is a threat.The purpose of design is to prevent adverse outcomes byconstraining performance variability.

CommonassumptionsAccidents are due to failures or malfunctions of components(human errors), equipment malfunctions.Risks can be represented by linear combinations or chains offailures or malfunctions. Example: Event tree - fault treeThe purpose of risk assessment is to determine in a systematic manner therelation between adverse outcomes (= severe accidents) and their causes.


16/30


17/30


My god, it's full of stars ...


18/30


... but most of it is Dark MatterAccording to current theories, the universeconsists of 5% ordinary matter, 25% darkmatter, and 70% dark energy. Dark matterand dark energy are the fudge factorsneeded to make cosmology consistent.

We can see the stars, but we need darkmatter to explain what we see.

In safety management people tend tonotice only what goes wrong (thestars). But to understand it we needalso to look at the unknownbackground = normal performance.

We can see what goes wrong, but we can only understandit against a background of normal performance.


19/30


Performance variability is necessary

Many socio-technical systems are intractable. Theconditions of work therefore never completelymatch what has been specified or prescribed.

Systems are so complex that work situations alwaysare underspecified hence partly unpredictableFew if any tasks can successfully be carried outunless procedures and tools are adapted to thesituation. Performance variability is both normal andnecessary.?

Individuals, groups, and organisations normallyadjust their performance to meet existing conditions(resources, demands, conflicts, interruptions).Because resources (time, manpower, information,etc.) always are finite, such adjustments willinvariably be approximate rather than exact.

PerformancevariabilitySuccess

Failure


20/30


Accounting for the sources and range of normal performance variability:Inherent variability(psychological /physiologicalphenomena).

Performance variability is inevitable

Organizationally inducedperformance variability(meeting demands,stretching resources).Socially induced variability(meeting expectations,informal work standards).

Ingenuity and creativity adaptability (overcomingconstraints andunderspecification).

Contextually induced performance variability (performanceconditions).


21/30


If thoroughness dominates,there may be too littletime to act.If efficiency dominates,actions may be badlyprepared or wrong

Neglect pending actionsMiss new events Miss pre-conditionsLook for expected results

Thoroughness: Time to thinkRecognising situation.Choosing and planning. Efficiency: Time to doImplementing plans.Executing actions.

Efficiency versus thoroughness

Time neededTime available


22/30


Efficiency-Thoroughness Trade-Off

One way of managingtime and resource limitations is tothink only one step back and/or one step ahead.

Confirm thatinput is correct Thoroughness

EfficiencyTrust that inputis correct

Consider secondaryoutcomes and side-effects

Assume someoneelse takes care ofoutcomes

For distributed work it is necessary to trust whatothers do; it is impossibleto check everything.


23/30


Theory Z: Revised safety perspectiveLearn to overcome design flaws and functional glitchesAdjust their performance to meet demandsInterpret and apply procedures to match conditionsCan detect and correct when things go wrong

Humans are therefore an asset without which the properfunctioning of modern technological systems would beimpossible.

Increasing complexity have made modern technologicalsystems intractable, hence underspecified.

Things gorightbecausepeople:

Revisedassumptions Accidents are due to unexpected combinations of actionsrather than action failures. Example: ETTO.Risks can be represented by dynamic combinations ofperformance variability. Example: Functional Resonance.


24/30


Theory Z: Safety by management

Success (noaccidents orincidents)Normal function(performancevariability)

Failure(accidents,incidents)

PhysiologicalfactorsPsychologicalfactorsSocial factorsOrganisationalfactorsEnvironmental

factors Dampen

Amplify

Individual, team,organisation(sharp end, blunt end) Performancevariability is neededfor normalfunctioning(successes)

Failures cannot beprevented byeliminatingperformancevariabilitySafety is achieved by managing unwanted combinations ofperformance variability without adversely affecting successes


25/30


All outcomes (positiveand negative) are due toperformance variability..

From the negative to the positiveNegative outcomes arecaused by failures andmalfunctions.

Safety = Reducednumber of adverseevents.

Eliminate failuresand malfunctions asfar as possible.

Safety = Ability torespond whensomething fails.

Improve ability torespond to adverseevents.

Safety = Ability tosucceed undervarying conditions.

Improve resilience.


26/30


Resilience and safety managementResilience is the intrinsic ability of a system to adjust its functioning prior to,during, or following changes and disturbances, so that it can sustain requiredoperations even after a major mishap or in the presence of continuous stress.A practice of Resilience Engineering / Proactive Safety Management requires thatall levels of the organisation are able to:

Learn from past events,understand correctlywhat happened and why

FactualMonitor threatsand revise riskmodels

Critical

Anticipate threats,disruptions anddestabilizing conditionsPotential

Respond to regular andirregular threats in aneffective, flexible manner, Actual


27/30


Resilience = being better atResponding: Knowingwhat to do, beingcapable of doing it.

Resilience engineering measures how safe a system is by what it is able to do,hence measures of the positive rather than the negative.

Learning:Knowing what hashappened

FactualMonitoring:Knowing what tolook for (attention)

Critical

Anticipating: Findingout and knowing whatto expect

PotentialActual


28/30


Should be eliminated orcontained or otherwiseresponded toMay be eliminated orcontained or otherwiseresponded to

As Low As Reasonably Practicable

ALARP orTolerability region(tolerable risk)

Broadlyacceptable region(negligible risk)

Unacceptable region(intolerable risk) Must be eliminated orcontained at any cost

Might be assessedwhen feasible

Will be eliminated orcontained, if not too costlySave

ratherthaninvest

INVEST!

SAVE!


29/30


As high as reasonably practicableWhich events? How were

they found? Is the listrevised? How is readinessensured and maintained?

What, when (continuously orevent-driven), from what(successes or failures), how(qualitative, quantitative), byindividual or by organisation?

FactualHow are indicators defined? Lagging /leading? How are they measured? Areeffects transient or permanent? Who lookswhere and when? How, and when, are theyrevised?

Critical

What is our model of the future?How long to we look ahead? Whatrisks are we willing to take? Whobelieves what and why?

PotentialActual


30/30


Conclusion: Two approaches to safetyEfforts to maintain or improve safety focus on what can gowrong and result in adverse outcomes.Theories, models, and methods aim to explain or predict howthings can go wrong - with varying degrees of success.Some also propose solutions, focusing M, T, and O issues again with varying degrees of success.

Eliminate the negative (common safety approach, Theory W)

Effort

Fue

In resilience engineering, efforts to maintain or improvesafety looks at what goes right, as well as on whatshould have gone right.Theories, models, and methods aim to describe howthings go right, but sometimes fail, and how humans andorganisations cope with internal and externalintractability and unpredictability.

Accentuate the positive (resilience engineering, Theory Z)

Effort

Su

_ _fostering successes rather than reducing failures_hollnagel_presentation

Documents