accident causation - notes
TRANSCRIPT
Accident Causation
1.0 Basic Theories of Accident Causation
Accident causation models were originally developed in order to assist people who had to
investigate occupational accidents, so that such accidents could be investigated effectively.
Knowing how accidents are caused is also useful in a proactive sense in order to identify
what types of failures or errors generally cause accidents, and so action can be taken to
address these failures before they have the chance to occur.
The Domino Theory
In 1931, the late H.W. Heinrich (Heinrich et al, 19801) presented a set of theorems known as
‘the axioms of industrial safety’. The first axiom dealt with accident causation, stating that ‘the
occurrence of an injury invariably results from a complicated sequence of factors, the last one
of which being the accident itself.’
Alongside, he presented a model known as the ‘domino theory’ as this accident sequence
was likened to a row of dominoes knocking each other down in a row. The sequence is:-
• Injury, caused by an;
• Accident, due to an;
• Unsafe act and/or mechanical or physical hazard, due to the;
• Fault of the Person, caused by their;
• Ancestry and Social Environment.
1 Heinrich HW, Peterson D & Roos N (1980), Industrial Accident Prevention, 5th Edition, Mcgraw Hill, New
York
The accident is avoided, according to Heinrich, by removing one of the dominoes, normally
the middle one or unsafe act. This theory provided the foundation for accident prevention
measures aimed at preventing unsafe acts or unsafe conditions.
The first update of the Domino Theory was presented by Bird & Loftus [ Heinrich et al, 1980;
Bird & Germain, 19862]. This update introduced two new concepts;
• The influence of management and managerial error;
• Loss, as the result of an accident could be production losses, property damage or
wastage of other assets, as well as injuries.
This model (known as the International Loss Control Institute or ILCI model) is shown in the
figure below:
2 Bird FE & Germain GL (1986), Practical Loss Control Leadership, International Loss Control Institute,
Loganville, Georgia.
The domino model has been noted as a one-dimensional sequence of events. Accidents are
usually multi-factoral and develop through relatively lengthy sequences of changes and
errors’. This has led to the principle of multiple causation.
According to Peterson 3(1978), behind every accident there lies many contributing factors,
causes and sub-causes. The theory of multiple causation is that these factors combine
together, in random fashion, causing accidents. So, during accident investigations, there is a
need to identify as many of these causes as possible, rather than just one for each stage of
the domino sequence.
The accident model is in reality an amalgam of both the domino and multi-causality theories,
such as that shown below.
ROOT CAUSE (Lack of Control)
BASIC CAUSE IMMEDIATE CAUSE
INCIDENT LOSS
• cause a • cause b • cause c
⇒ ⇒
• cause d • cause e
⇒ ⇒
• cause f ⇒ ⇒
3 Peterson D (1978), Techniques of Safety Management, 2nd Edition, Mcgraw Hill
Conclusion
• All accidents whether major or minor are caused, there is no such thing as an accidental
accident!!
• Very few accidents, particularly in large organisations and complex technologies are
associated with a single cause.
• The causes of accidents are usually complex and interactive.
2.0 The Role of Human Error in Accidents
Introduction
Although the role that human error plays in accident causation has been accepted for many
years, it is only recently that a lot of concerted effort has been put into detailed research into
human error in accidents.
During the past two decades the UK has suffered a large number of tragic disasters. These
include:
London Underground Fire at Kings Cross (1987) 31 people killed
Capsize of the Herald of Free Enterprise Ferry (1987) 189 people killed
Rail Crash at Clapham Junction (1988) 35 people killed and 500 injured.
Piper Alpha Oil Rig Explosion (1988) 167 people killed
Beyond the technical issues two common points emerged strongly from the inquiries into
these accidents, which are:
• The influence of human error in the chain of events leading to the accident;
• Failures in the management and organisation of safety.
People can cause or contribute to accidents (or mitigate the consequences) in a number of
ways (HSE, 19994):
• Through a failure a person can directly cause an accident. However, people tend not to
make such errors deliberately. We are often ‘set up to fail’ by the way that our brain
processes information by our training, through the design of equipment and procedures
and even through the culture of the organisation that we work for.
• People can make disastrous decisions even when they are aware of the risks. We can
also misinterpret a situation and act inappropriately as a result. Both of these can lead to
the escalation of an incident.
• On the other hand we can intervene to stop potential accidents. Many companies have
their own anecdotes about recovery from a potential incident through the timely actions
of individuals. Mitigation of the possible effects of an incident can result from human
resourcefulness and ingenuity.
• The degree of loss of life can be reduced by the emergency response of operators and
crew. Emergency planning and response including appropriate training can significantly
improve rescue situations.
The Traditional Concept of Human Error
Traditionally the promotion of safety has been largely reactive, concentrating on accident
investigation with the primary aim of avoiding repeat events. In part this arose from too simple
an approach to accident causation based on the apparent importance placed on the concept
of a single primary cause; either an unsafe act or an unsafe condition (as a result of the
domino theory). If the former were the case, responsibility was clear and blame could be
apportioned. If the latter then a technical solution could be sought. In part this also arose from
the fact that a reactive approach, based on a single primary cause was also an easy
approach to handle.
4 HSE (1999), Reducing Error and Influencing Behaviour, HS(G)48, HSE Books
Taking a “blame” approach to human error in accidents provides little of use in terms of future
accident prevention. For example, if a man made a mistake which resulted in an accident
and we work on the basis of a “blame” approach then there are only three options available to
us:
• We accept that human error is inevitable, shrug wer shoulders, tell him to be a bit more
careful and carry on as before with wer fingers crossed.
• Alternatively, we can say as he was responsible, we should discipline him, perhaps even
sack him.
• The third option is a half-way house whereby we give him the benefit of the doubt and
decide that he might need retraining. However, if all we have found out about the
accident was that he was the “cause” we have learnt nothing new on which to base the
retraining. We will almost certainly therefore be reduced to repeating the training which
we know has already failed!
Unfortunately this is a pretty reasonable description of the approach to human error in
accidents that has existed in most industrial organisations for years. If accidents are to be
prevented in the future it is no use whatsoever to “blame” people for their mistakes unless we
have a detailed understanding of what caused the mistakes. Only by understanding all the
issues which have caused (or could cause) an accident can we identify the way to prevent
future accidents
Organisational & Managerial Failures
The relevance of managerial and organisational factors has been graphically revealed in the
inquiry reports into the major disasters that occurred in the UK at the end of the 1980’s. Prior
to these disasters, senior managers of such organisations propounded the pre-eminence of
safety (HSC, 19935). They believed in the efficacy of the regulatory system, in the adequacy
of their existing programmes and in the confidence of the skills and motivation of their staff.
5 HSC (1993) Organising for Safety, 3rd Report of the Human Factors Study Group of the Advisory
Committee on the Safety of Nuclear Installations, HSE Books.
The inquiry reports reveal that their belief in safety was a mirage, their systems inadequate,
and operator errors and violations commonplace. The inquiry reports stated that ultimate
responsibility lay with complacent directors and managers who had failed to ensure that their
good intentions were translated into a practical and monitored reality. Moreover the
weaknesses were so starkly revealed were not matters of concern to the regulatory agencies
before the accidents.
The best way to justify the importance which was placed on these points by the various
inquiries is to consider a series of quotations taken from the official reports. The first
quotation is taken from the report into the King’s Cross fire on the London Underground6:
Inquiry into the King’s Cross Underground Station Fire
Many of the shortcomings in the physical and human state of affairs at King’s Cross on 18 November 1987 had in fact been identified before by internal inquiries into escalator fires.....The many recommendations had not been adequately considered by senior managers...London Underground’s failure to carry through the proposals resulting from earlier fires......was a failure which I believe contributed to the disaster at King’s Cross.
I have said unequivocally that we do not see what happened on the night of 18 November 1987 as being the fault of those in humble places.
These two comments place the primary responsibility squarely on management inaction
and/or ineffectiveness in light of previous incidents which clearly suggested that a
catastrophic fire within an underground station was indeed plausible. This is shown quite
clearly in the conclusions to the inquiry which state, in part:
6 Department of Transport (1988), Investigation into the Kings Cross Underground Fire, London:HMSO
Inquiry into the King’s Cross Underground Station Fire
Although I accept that London Underground believed that safety was enshrined in the ethos of railway operation, it became clear that they had a blind spot....
I believe this arose because no one person was charged with overall responsibility for safety. Each director believed he was responsible for safety in his division, but that it covered principally the safety of staff. The operations director, who was responsible for the safe operation of the system, did not believe he was responsible for the safety of lifts and escalators which came within the engineering director’s department. Specialist safety staff were mainly in junior positions and concerned solely with safety of staff.
A similar theme is highlighted in the report into the capsize of the Herald of Free Enterprise7.
In this disaster the most important single incident leading to the accident was the failure to
close the bow doors before the ship set sail.
Several Masters in the fleet had raised their concern on this issue with senior management
within the company as it was impossible to see, from the bridge, whether the doors were
closed. The replies from senior management to the Masters’ requests for an on-bridge
warning so incensed the Inquiry that the report quotes a number of replies verbatim, of which
this is one:
Inquiry into the capsize of the Herald of Free Enterprise
Do they need an indicator light to tell them whether the deck storekeeper is awake and sober? My goodness!!
The significance of this particular comment is not the amazing coincidence that the man
responsible for closing the doors was in fact asleep at the time, but that it indicates clearly the
attitude to safety of Senior Management. A serious concern with obviously horrendous
7 Department of Transport (1987) The Herald of Free Enterprise Formal Report, London:HMSO
implications, had been raised by senior and experienced members of the staff which could
have been remedied at a relatively reasonable cost. More generally, the report into the
capsize draws the following conclusion:
Inquiry into the capsize of the Herald of Free Enterprise
All concerned in management, from the members of the Board of Directors down to the junior superintendents, were guilty of fault in that all must be regarded as sharing responsibility for the failure of management. From the top to the bottom the body corporate was infected with the disease of sloppiness.
By implication such a comment, like those quoted from the King’s Cross Report above, is
looking beyond the events which immediately preceded the accident and highlighting the
operational circumstances and managerial attitudes which, in effect, predisposed the critical
events.
Exactly the same point is made in the report of the inquiry into the Clapham Junction rail
crash8, in this case however the report emphasises the point much more specifically:
Inquiry into the Clapham Junction Rail Crash.
The direct cause of the Clapham Junction accident was undoubtedly the wiring errors made by Mr. Hemmingway in his work in the Junction “A” relay room.
Later, the report goes on to state...
The concept of absolute safety must be a gospel spread across the whole workforce and paramount in the minds of management. The vital importance of this concept .. was acknowledged time and again in the evidence which the Court heard ...
But, subsequently it also states..
8Department of Transport (1988) Investigation into the Clapham Junction Railway Accident, London:HMSO
The concern for safety was permitted to co-exist with working practices which ... were positively dangerous ... The best of intentions regarding safe working practices was permitted to go hand in hand with the worst of inaction in ensuring that such practices were put into effect.
This is an unequivocal statement that while the accident occurred as a result of specific
errors by a specific individual, the report considers that the likelihood of such errors was
increased considerably by the organisational and managerial framework in which his work
was conducted.
The above comments can all be summed up effectively by a quotation from the inquiry into
the Piper Alpha Oil rig fire9:
Inquiry into the Piper Alpha Oil Rig Fire
I am convinced from the evidence ... that the quality of safety management .... is fundamental to off-shore safety. No amount of detailed regulations for safety improvements could make up for deficiencies in the way that safety is managed.
What then are the general conclusions which can be drawn from the above disasters which
are common to the various events while independent of the specific hazards and risks in
which the accidents occurred?
In essence they can be summarised as follows:
9 Department of Energy (1990) The Public Inquiry into the Piper Alpha Disaster, (2 vol), London:HMSO
• Not one of these organisations had, before the accidents, any serious reservations
about their safety procedures, organisation or management, yet there were clearly many
problems of which they were not aware.
• Errors made “at the sharp-end” (the immediate causes of an accident) must be seen in
the wider context of the organisation and management climate in which they were
committed. Additionally more thought needs to be given to the design of systems and
equipment to minimise the potential for human error. Both of these issues need to be
given much more serious consideration if repeat (or similar) incidents are to be avoided.
• Actions speak louder than words. The best of written safety policies, the most detailed
set of safety rules and procedures etc. are totally meaningless unless they are fully
resourced, rigorously implemented and kept under regular review.
• Commitment, positive safety attitudes and motivation together with constant vigilance
throughout the organisation (but led from the top), are essential to high safety standards.
• You cannot rely on external prescription to achieve safety.
3.0 Classification of Human Errors
The term ‘human error’ is wide and can include a great variety of human behaviour.
Therefore, in attempting to define human error, different classification systems have been
developed to describe their nature. Identifying why these errors occur will ultimately assist in
reducing the likelihood of such errors occurring.
The distinction between the hands on ‘operator’ errors and those made by other aspects of
the organisation have been described by Reason 10(1990) as ‘active’ and ‘latent’ failures.
10 Reason J (1990) Human Error, Cambridge University Press
Active Failures have an immediate consequence and are usually made by front-line people
such as drivers, control room and machine operators. These immediately preceed, and are
the direct cause, of the accident.
Latent failures are those aspects of the organisation which can immediately predispose
active failures. Common examples of latent failures include (HSE, 1999):
• Poor design of plant and equipment;
• Ineffective training;
• Inadequate supervision;
• Ineffective communications; and
• Uncertainties in roles and responsibilities.
Latent failures are crucially important to accident prevention for two reasons:
1. If they are not resolved, the probability of repeat (or similar) accidents remains high
regardless of what other action is taken;
2. As one latent failure often influences several potential errors, removing latent failures
can be a very cost-effective route to accident prevention.
Classifying Active Failures
In his classification of active failures Reason (1990) distinguishes between intentional and
unintentional error. Intentional errors are described as violations, whilst unintentional errors
are classified as either slips/lapses or mistakes. These types of human failure are shown in
the diagram below (HSE, 199911):
11 HSE (1999), Reducing Error and Influencing Behaviour, HS(G)48, HSE Books
Knowledge-based
Rule-based Slips of action
Lapses of memory
Violations Human Errors
Mistakes Skill-based errorsRoutine
Situational
Exceptional
Human Failures
Slips and Lapses: These occur in routine tasks with operators who know the process well
and are experienced in their work:
• They are action errors which occur whilst the task is being carried out;
• They often involved missing a step out of a sequence or getting steps in the wrong order
and frequently arise from a lapse of attention;
• Operating the wrong control through a lapse in attention or accidentally selecting the
wrong gear are typical examples.
Mistakes: These are inadvertent errors and occur when the elements of a task are being
considered by the operator.
They are decisions that are subsequently found to be wrong, although at the time the
operator would have believed them to be correct. There are two types of ‘mistake’ (HSE,
1999), rule based and knowledge based:
• Rule based mistakes occur when the operation in hand is governed by a series of rules.
The error occurs when an in appropriate action is tied to a particular event
• Knowledge based errors occur in entirely novel situations when you are beyond your
skills, beyond the provision of the rules and you have to rely entirely on adapting your
basic knowledge and experience to deal with a new problem.
Violations are any deliberate deviation from the rules, procedures, instructions and
regulations, which are deemed necessary for the safe or efficient operation and maintenance
of plant or equipment. Breaches in these rules could be accidental/unintentional or deliberate.
Violations occur for many reasons, and are seldom wilful acts of sabotage or vandalism. The
majority stem from a genuine desire to perform work satisfactorily given the constraints and
expectations that exist. Violations are divided into three categories: routine, situational and
exceptional (HSE,1999).
Routine Violations are ones where breaking the rule or procedure has become the normal
way of working. The violating behaviour is normally automatic and unconscious but the
violation is recognised as such, by the individual(s) if questioned. This can be due to cutting
corners, saving time. or be due to a belief that the rules are no longer applicable.
Situational Violations occur because of limitations in the employees immediate work space
or environment. These include the design and condition of the work area, time pressure,
number of staff, supervision, equipment availability, and design and factors outside the
organisations control, such as weather and time of day. These violations often occur when a
rule is impossible or extremely difficult to work to in a particular situation.
Exceptional Violations are violations that are rare and happen only in particular
circumstances, often when something goes wrong. They occur to a large extent at the
knowledge based level. The individual in attempting to solve a novel problem, violates a rule
to achieve the desired goal.
Latent Failures
Latent failures are the factors or circumstances within an organisation which increase the
likelihood of active failures. Consider some examples of latent failures in relation to the
example accidents given earlier:
King’s Cross Underground Station Fire
The latent failures here included:
While several minor escalator fires had occurred previously and had been investigated, apparently no one in the organisation seriously considered the fact that a major escalator fire was a possibility - consequently, as the inquiry states, little effective action had been taken on the warnings provided by the minor fires. Similarly the inquiry also reported that there were serious flaws in the managerial and organisational responsibilities and accountability for safety with virtually all aspects of the organisation thinking passenger safety was some one else’s responsibility.
The existence of these, and other similar, latent failures within the London Underground
operation significantly increased the probability of a major escalator fire, with hindsight it was
almost a matter of when rather than whether. It is also apparent, as suggested above, that
unless the remedial action taken encompassed these organisational/management latent
failures, that a repeat event was likely for, quite simply, the major influencing factors would
have remained in place to predispose a similar event.
The Capsize of the Herald of Free Enterprise
among the latent failures involved here are the following:
It was impossible for anyone to on the bridge to see whether the bow doors had been closed prior to setting sail and although there were organisational procedures in place the Officer in charge was, effectively, working on the basis of “faith” rather than any more positive feedback of information.
This design latent failure was compounded by the attitude of the senior management in the memos in reply to a request for an on-bridge warning device (quoted earlier). For a formal request concerning a major safety issue, from a senior operational manager, to be treated in such a way clearly indicates that there was apparently very little credibility given to potential safety issues.
Over 180 lives were lost largely as a result of latent failures by the ship’s designers who
overlooked, or ignored the potential implications of bridge officers not being able to be certain
that the bow doors were closed, compounded by the fact that senior management also
apparently considered the issue to be of little concern.
Other latent failures, common in industry are:
Attitudes to Safety: The safety culture of an organisation is established, in part, by the
attitudes to safety shown by management and supervisory staff. Unless managers lead by
example and visibly demonstrate their commitment to safety, no amount of hard work in the
preparation and establishment of rules and procedures and in providing training will have any
lasting effect.
Rules & Procedures: Rules and procedures provide the framework upon which safety
assurance is built and are claimed to be effective control measures. However this is little
more than an assumption rather than a proven reality. Studies have shown that safety rules
and procedures are often:
• Written negatively, concentrating on should not be done rather than on what should
be done;
• Impractical;
• In conflict with other rules
Training: Within training programmes, little consideration is given to evaluating its
effectiveness. It cannot be assumed that by simply attending a training course means that
one is adequately trained. Other common problems with training programmes include:
• Hazard awareness is often assumed rather than training;
• Training should concentrate on what is safe, rather than unsafe, what to do, rather
than what not to do.
• Training is not always consistent with the rules and procedures.
Equipment design & Maintenance: limitations in the standard of ergonomics applied to the
design of the equipment/plant increase the risk of human error. Whilst it is usual to associate
design limitations with unintentional errors, i.e. slips & mistakes, poor designs also create a
strong motivation for operators to violate safe working procedures.
Conclusion of Section
• Human Error is more than operator/pilot error. Everyone can make errors no matter how
well trained and motivated they are.
• It is useful to distinguish between active and latent failures. Active failures are those
hands on operator errors that immediately precede an accident. Latent failures are the
factors or circumstances within an organisation which increase the likelihood of active
failures. Latent failures lie hidden until they are triggered at some time in the future.
• In the domino theory or chain described earlier in the course active failures are
analogous to the immediate cause and latent failures analogous to the underlying or root
cause.
4.0 Strategies for Reducing Human Error
Reducing human error involves far more than taking disciplinary action against an individual.
There are a range of measures which are more effective controls including the design of the
equipment, job, procedures and training.
Actions for overcoming Active Failures
Slips and Lapses
Design improvement is the most effective route for eliminating the cause of this type of
human error. For example, typical problems with controls and displays that cause this type of
error include:
• Switches which are too close and can be inadvertently switched on or off;
• Displays which force the user to bend or stretch to read them properly;
• Critical displays not in the operators field of view;
• Poorly designed gauges;
• Displays which are cluttered with non-essential information and are difficult to read.
Mistakes
Training, for individuals and teams, is the most effective way for reducing mistake type
human errors. The risk of this type of human error will be decreased if the trainee
understands the need for and benefits from safe plans and actions rather than simply being
able to recite the steps parrot fashion. Training should be based on defined training needs
and objectives, and it should be evaluated to see if it has had the desired improvement in
performance.
Violations
There is no single best avenue for reducing the potential for deliberate deviations from safe
rules and procedures. The avenues for reducing the probability of violations should be
considered in terms of those which reduce an individuals motivation to violate. These include:
• Under-estimation of the risk
• Real or perceived pressure from the boss t adopt poor work practices;
• Pressure from work-mates to adopt their poor working practices;
• Cutting corners to save time and effort
Addressing Latent Failures
The organisation must create an environment which:
• reduces the benefit to an individual from violating rules.
• Reduces the risk of an operator making slips/lapses and mistakes.
This can be done by identifying and addressing latent failures.
Examples of latent failures include:
• Poor design of plant and equipment;
• Impractical procedures,
• Ineffective training;
• Inadequate supervision;
• Ineffective communications; and
• Uncertainties in roles and responsibilities.
One of the principal ways of systematically doing this is through a health and safety
management system. This is the subject of the next topic area in this course.