erik.hollnagel@gmail.com
[Figure: two questions, "How can it be done?" and "What can go wrong?". Prevention of unwanted events (unexpected event) and protection against unwanted outcomes (unwanted outcome) affecting life, property and money. Normal performance is contrasted with accidents and incidents.]
Erik Hollnagel, 2011
[Figure: possible outcomes from loss of control, and the responses to them: elimination, prevention of initiating conditions, protection against outcomes.]
A railway company shall maintain records of the following information for the purpose of assessing its safety performance:
- Accident and incident investigation reports and a description of the corrective actions taken for accidents and incidents that meet the reporting criteria.
- Accident rates expressed as follows:
  - Employee deaths, disabling injuries and minor injuries, per 200,000 hours worked by the employees of the railway company.
  - Train and grade crossing accidents that meet the reporting criteria, per million train miles.
At the request of the Minister, a railway company shall collect, maintain and submit to the Minister specified performance or safety data for the purpose of monitoring the effectiveness of its safety management system and its safety performance.
[Figure: occurrence investigation process; the steps recoverable from the figure are:]
2: Immediate facts of the occurrence
3: Decision to investigate
4: Further factual information gathering
5: Complete factual information
6: Reconstruction of the occurrence
7: Occurrence scenario
8: Analysis
9: Causal factors
10: Recommendations
12: Consultation
14: Publication and monitoring
[Figure: cause categories: human failure, organisational failure, act of god.]
Starting from the effect, you can reason backwards to find the cause. Starting from the cause, you can reason forwards to find the effect.
[Figure: accident analysis diagram of a horizontal stabilizer jackscrew failure. Labels: FAA; maintenance oversight; certification; aircraft; interval approvals; high workload; aircraft design; procedures; end-play checking; mechanics; redundant design; expertise; controlled stabilizer movement; jackscrew up-down movement; excessive end-play; lubrication; jackscrew replacement; limited stabilizer movement; horizontal stabilizer movement; limiting stabilizer movement; allowable end-play; equipment; aircraft pitch control; grease.]
[Figure: timeline 1900 to 2010 of accident analysis methods (count on the vertical axis, 0 to 20). Technology layer: HAZOP, FMEA, Fault tree, FMECA.]
[Figure: the same jackscrew diagram, with the method timeline extended (vertical axis 0 to 50). Technology layer: HAZOP, FMEA, Fault tree, FMECA. Human factors / human error layer: Domino, Root cause, RCA, ATHEANA, HEAT, Swiss Cheese, HPES, HCR, THERP, CSNI, HERA, AEB, TRACEr.]
[Figure: MTO diagram of a lifting accident. Event sequence: load lifted (nylon sling, weight: 8 tons); sling broke; load swung; pipe hit operator; operator head injuries. Causal analysis and barrier analysis items: sling damaged; operator crossed barrier; hard hat possibly not worn; no prework check; instructions not followed; lack of SJA and checks; breach of rules accepted; barrier ignored.]
[Figure: the same jackscrew diagram, with the method timeline extended again (vertical axis 0 to 90). Technology layer: HAZOP, FMEA, Fault tree, FMECA. Human factors / human error layer: Domino, Root cause, RCA, ATHEANA, HEAT, Swiss Cheese, HPES, HCR, THERP, CSNI, HERA, AEB, TRACEr. Organisation layer: MORT, STEP, TRIPOD, MTO, MERMOS, CREAM, AcciMap, FRAM, STAMP.]
[Figure: organisational accident models: STAMP, TRIPOD, organisational drift.]
10^-4 := 1 failure in 10,000 events
Safety = Ability to succeed under varying conditions.
WYLFIWYF
Accident investigation can be described as expressing the principle of What You Look For Is What You Find (WYLFIWYF). This means that an accident investigation usually finds what it looks for: the assumptions about the nature of accidents guide the analysis.
[Figure: WYLFIWYF loop. Assumptions (schema) about accident causes (human error, latent conditions, root causes, technical malfunctions, maintenance causes, safety culture, ...) direct the exploration and hypotheses; the exploration samples the available information about the accident (cause, outcome, effect); what is found modifies the assumptions.]
To this can be added the principle of WYFIWYL: What You Find Is What You Learn
[Figure: probability of outcomes ("Which means that ... Or ..."). Axes: probability (10^1 to 10^6, very low to very high) and outcome (negative, neutral, positive). Categories: disasters, accidents, incidents, mishaps, near misses; everyday things that go right; good luck; serendipity.]
[Figure: the same probability-of-outcomes chart, with the negative side labelled "unsafe functioning" and the positive side "safe functioning".]
[Figure: tractable vs. intractable systems. Tractable: simple descriptions, homogeneous processes, easy to describe. Intractable: elaborate descriptions, heterogeneous processes. Axes run from low to high. Performance variability and instability lead to acceptable or unacceptable outcomes.]
Efficiency-Thoroughness Trade-Off
Thoroughness: time to think. Recognising the situation; choosing and planning.
Efficiency: time to do. Implementing plans; executing actions.
If thoroughness dominates, there may be too little time to carry out the actions.
If efficiency dominates, actions may be badly prepared or wrong (pre-conditions are missed; only the expected results are looked for).
[Figure: 2x2 matrix of strategies, with network option variety (electricity generation resources) from low to high on one axis and a second axis from low to high:]
Just-in-time (keep real-time capability)
Just-in-case (be ready in case something happens)
Just-for-now (firefighting)
Just-this-way (constrain environment to match options)
"Part of the experience is to know when not to follow procedures ... there are bad days when a procedure doesn't cover it, and then you have to use your wits."
[Figure: frequency (low to high) against similarity (low to high): everyday performance vs. accidents.]
The purpose of learning (from accidents, etc.) is to change behaviour so that certain outcomes become more likely and other outcomes less likely.
Excellent: everyday performance is usually correct.
Similarity / comparability: how much do different events have in common?
Opportunity to verify: is it possible to confirm that the learning was correct?
It is ironic that we usually spend most of the effort on events that are the least well suited for learning.
[Figure: engineering resilience. Things that go right (safe) and things that go wrong (unsafe). Solution for things that go wrong: constrain performance by rules, procedures, barriers, and defences. Solution for engineering resilience: enhance the abilities to respond, monitor, anticipate and learn.]
| Event type | Frequency, characteristics | Aetiology | Transfer of learning (verifiable) |
|---|---|---|---|
| Rare events (unexampled, irregular) | Happens exceptionally, each event is unique | Emergent rather than cause-effect | Very low, comparison not possible |
| Accidents & incidents | Happens rarely, highly dissimilar | Causes and conditions combined | Very low, comparison difficult, little feedback |
| Successful recoveries (near misses) | Happens occasionally, many common traits | Context-driven trade-offs | Low, delayed feedback |
| Normal performance | | Performance adjustments | |