Safety models & accident models Eric Marsden <eric.marsden@risk-engineering.org>
▷ A safety model is a set of beliefs or hypotheses (ofuen implicit) about the features and conditions that contribute to the safety of a system ▷ An accident model is a set of beliefs on the way in which accidents occur in a system ▷ Mental models are important because they impact system design, operational decisions and behaviours 2 / 18 Mental models
▷ Defensive atuitude: accidents occur due to circumstances “beyond our control” ▷ Notion that appeared in Roman law: reasons that could exclude a person from absolute liability • e.g. violent storms & pirates exempted a captain from responsibility for his cargo 3 / 18 Accidents as “acts of god” ▷ Fatalism: “you can’t escape your fate”
H. Heinrich’s domino model (1930) Assumptions : ▷ Accidents arise from a quasi-mechanical sequence of events or circumstances, that occur in a well-defjned order ▷ An accident can be prevented by removing one of the “dominos” in the causal sequence 4 / 18 Simple sequential accident model
Tie “ safety pyramid ” or “accident triangle” (H. Heinrich, 1930 and F. Bird, 1970) Assumptions : ▷ Each incident is an “embryo” of an accident (the mechanisms which cause minor incidents are the same as those that create major accidents) ▷ Reducing the frequency of minor incidents will reduce the probability of a major accident ▷ Accidents can be prevented by identifying and eliminating possible causes 5 / 18 Simple sequential accident model
According to this model, safety is improved by identifying and eliminating “rotuen apples” ▷ front-line stafg who generate “human errors” ▷ whose negligent atuitude might propagate to other stafg Some accidents (in particular in high-risk systems) have more complicated origins… 6 / 18 Simple sequential accident model
‘‘ for a long time people were saying most accidents were due to human error and this is true in a sense but it’s not very helpful. It’s a bit like saying that falls are due to gravity… — Trevor Kletz A useful alternative concept to human error is performance variability . 7 / 18 On “human error”
▷ Allows inter-comparison of systems ▷ Can constitute the point of departure for a search for the underlying causes of incidents number of errors safety level quantity quality inverse relationship Tiis simplistic model is very criticized 8 / 18 Is it relevant to count errors? ▷ Counting errors produces a quantitative assessment of the “safety level” of a system
doctor kills someone is 7500 times higher The probability that the human error of a than for a firearm owner. [S. Dekker] 9 / 18 the USA firearm owner per year → 0,000019 accidental deaths per accidental deaths per year ▷ responsible for ≈1 500 ▷ 80 million firearm owners in Who is more dangerous? per year accidental deaths per doctor → between 0.063 and 0.14 medical error people die each year from a ▷ between 44 000 and 98 000 ▷ 700 000 doctors in the USA Is counting errors relevant?
doctor kills someone is 7500 times higher The probability that the human error of a than for a firearm owner. [S. Dekker] 9 / 18 ▷ responsible for ≈1 500 firearm owner per year → 0,000019 accidental deaths per accidental deaths per year the USA ▷ 700 000 doctors in the USA ▷ 80 million firearm owners in per year accidental deaths per doctor → between 0.063 and 0.14 medical error people die each year from a ▷ between 44 000 and 98 000 Is counting errors relevant?
doctor kills someone is 7500 times higher The probability that the human error of a than for a firearm owner. [S. Dekker] 9 / 18 ▷ responsible for ≈1 500 firearm owner per year → 0,000019 accidental deaths per accidental deaths per year the USA ▷ 700 000 doctors in the USA ▷ 80 million firearm owners in per year accidental deaths per doctor → between 0.063 and 0.14 medical error people die each year from a ▷ between 44 000 and 98 000 Is counting errors relevant?
9 / 18 ▷ 80 million firearm owners in firearm owner per year → 0,000019 accidental deaths per accidental deaths per year ▷ responsible for ≈1 500 ▷ 700 000 doctors in the USA the USA per year accidental deaths per doctor → between 0.063 and 0.14 medical error people die each year from a ▷ between 44 000 and 98 000 Is counting errors relevant? doctor kills someone is 7500 times higher The probability that the human error of a than for a firearm owner. [S. Dekker]
10 / 18 James Reason’s Swiss monitoring via performance indicators . Consequences : prevent accidents by reinforcing barriers. Safety management requires behaviours) and latent conditions (environmental factors) Assumption : accidents are produced by a combination of active errors (poor safety cheese model Epidemiological accident model systems and procedures sharp-end workers technical barriers safety management n o i t a r e accident p o o c event incident from "Human Error" (James Reason)
causes impacts top event preventive barriers protective barriers 11 / 18 Bow-tie model
11 / 18 event tree impacts top event causes fault tree no fl ow to receiver no fl ow from component B no fl ow into component B component B blocks fl ow no fl ow no fl ow from com- from com- ponent A1 ponent A2 Bow-tie model no fl ow from component no fl ow from component A1 blocks A2 blocks source1 source2 fl ow fl ow
12 / 18 Bow tie diagram
13 / 18 Bow-tie: example
Figure source: French BEA 14 / 18 Loss of control accident model Destabilization point P REVENTION R ECOVERY M ITIGATION A CCIDENT
migrate towards the limits of a gradient in the direction of deviance” means that deviations “questioning efgect of a then standard ways of working. progressively become acceptable, established during system design from the safety procedures A process of “normalization of safety margin boundary into unacceptable safety. system’s activity crosses the Accidents occur when the acceptable (safe) performance. push work to Tiese pressures attitude” Mature high-hazard systems reduced workload. boundary of safe performance to Figure adapted from Risk management in a dynamic society , J. Rasmussen, Safety Science, 1997:27(2) are triggered is the safety margin . boundary at which safety barriers of safe performance and the the minimally acceptable level the right. Tie difgerence between Tiese shifu the perceived apply the defence in depth design sensitive to safety issues. chronic unease , making them more questioning attitude and their aimed at reinforcing people’s also put in place programmes independent safety barriers. Tiey principle and implement multiple drifu towards failure 15 / 18 economic failure Actors experiment within the system is shaped by constraints: Human behaviour in any large effjciency pressure for management space formed by these constraints. operations, feasible workload. feasible workload. Actors profjtable operations, safe system is shaped by constraints: Human behaviour in any large space of possibilities unsafe workload unacceptable profjtable activity, safe operations, experiment within the space the effjciency of their work, with workload. Actors experiment Workers will seek to maximize towards economic effjciency. gradient” which pushes activity Management will provide a “cost constraints. within the space formed by these economic, safety, feasible formed by these constraints. system is shaped by constraints: Human behaviour in any large least efgort gradient towards towards economic effjciency. gradient” which pushes activity Management will provide a “cost Drifu into failure
Recommend
More recommend
