Erik Hollnagel
Professor & Industrial Safety Chair
MINES ParisTech Crisis and Risk Research Centre
Sophia Antipolis, France
E-mail: erik.hollnagel@crc.ensmp.fr
Erik Hollnagel, 2009
[Figure: accident model / risk model of horizontal stabilizer jackscrew maintenance. Each function node carries the corner labels I, O, C, R, T. Functions and elements shown: FAA maintenance oversight; Certification; Interval approvals; Aircraft design (redundant design, expertise, high workload); Controlled stabilizer movement; Jackscrew up-down movement; Excessive end-play; Allowable end-play; Lubrication (grease); Jackscrew replacement; Limited stabilizer movement; Limiting stabilizer movement; Horizontal stabilizer movement; Aircraft pitch control; End-play checking (equipment, procedures, mechanics, expertise). Questions on the figure: "What may happen?" and "How should we respond?"]

Things can go wrong because technology fails
[Figure: timeline of the age of technology, 1850-2010. Milestones: Industrial Revolution (1769); Railroad Safety Appliance Act (1893); Industrial accident prevention (1931); Fault tree analysis (1961); IT Revolution. Methods placed on the timeline: HAZOP, FMEA, Fault tree, FMECA.]
Design principles:
Architecture and components:
Models:
Analysis methods:
Mode of operation:
Structural stability:
Functional stability:
"Due to a combination of equipment malfunctions, design problems and worker errors."

Human factors as a critical part of plant safety (operator training and staffing requirements, instrumentation and controls, instructions and procedures).
[Figure: the same timeline extended, 1900-2010, now with two ages marked: Technical and Human Factors. Milestones: Industrial Revolution (1769); Railroad Safety Appliance Act (1893); Industrial accident prevention (1931); Fault tree analysis (1961); Three Mile Island (1979); IT Revolution. Methods placed on the timeline: Root cause, Domino, HAZOP, FMEA, Fault tree, FMECA, HCR, THERP, CSNI, HERA, AEB, TRACEr.]
Design principles: Unknown, inferred
Architecture and components: Partly known, partly unknown
Models: Mainly analogies
Analysis methods: Ad hoc, unproven
Mode of operation: Vaguely defined, complex
Structural stability: Variable
Functional stability: Usually reliable
[Figure: the timeline extended again, 1850-2010, with three ages marked: Technical, Human Factors and Organisational. Milestones: Industrial Revolution (1769); Railroad Safety Appliance Act (1893); Industrial accident prevention (1931); Fault tree analysis (1961); Three Mile Island (1979); Chernobyl (1986); Challenger (1986); Columbia (2003); AF 447 (2009); IT Revolution. Methods placed on the timeline: Root cause, Domino, STEP, HERA, HCR, AcciMap, AEB, THERP, HAZOP, MERMOS, CSNI, FMEA, Fault tree, FMECA, TRACEr, CREAM, MORT.]
Design principles: High-level, programmatic
Architecture and components: Partly known, partly unknown
Models: Semi-formal,
Analysis methods: Ad hoc, unproven
Mode of operation: Partly defined, complex
Structural stability: Stable (formal), volatile (informal)
Functional stability: Good, hysteretic (lagging)
Starting from the cause, you can reason forwards to find the effect.

[Figure labels: Defence, Host, Agent, Environment.]

Outputs (effects) are proportional to inputs (causes) and predictable from knowledge of the components. Technical systems are linear and event outcomes are tractable.
Complex relations between input (causes) and output (effects) give rise to
unexpected and disproportionate consequences. Socio-technical systems are
non-linear and event outcomes are intractable.
[Figure: chart of Technology, Human factors (human error) and Organisation plotted against years 1960-2010; vertical axis 0-90.]
Safety = (1 - Risk)

By 2020 a new safety paradigm will have been widely adopted in European industry. Safety is seen as a key factor for successful business and an inherent element of business performance. As a result, industrial safety performance will have progressively and measurably improved in terms of reduction of
- reportable accidents at work,
- occupational diseases,
- environmental incidents and
- accident-related production losses.
It is expected that an incident elimination culture will develop where safety is embedded in design, maintenance, operation and management at all levels in enterprises. This will be identifiable as an output from this Technology Platform meeting its quantified objectives.

(Annotation on the slide: The measurements are all negative or unwanted outcomes.)
[Figure: system levels Design, Maintenance, Upstream, Downstream and Technology, shown twice.]

A vertical extension to cover the entire system, from technology to organisation.

Work is underspecified. Systems and technologies are tightly coupled and intractable.
[Figure: system characterisation along the axes Complicacy, Comprehensibility and Stability. Labels: "All principles of functioning are known" versus "Some principles of functioning are unknown"; "Fully specified", "Partly specified", "Underspecified"; "Intractable system (tightly coupled)".]
[Figure, shown in five successive variants: outcomes plotted against predictability (from "Very low" to "Very high"), with the frequency of outcomes as the third dimension. Positive outcomes: Serendipity, Good luck. Neutral outcomes: Normal outcomes (things that go right), Random events. Negative outcomes: Near misses, Incidents, Accidents, Mishaps (outcomes that should have been eliminated), Disasters. Annotations added in the later variants: "Focus of safety management" placed at the negative outcomes, and "Focus of resilience engineering" placed at the normal outcomes.]
Failures or successes?

When something goes wrong, e.g., 1 event out of 10.000 (10E-4), humans are assumed to be responsible in 80-90% of the cases. Investigation of failures is accepted as important. Investigation of successes is rarely undertaken.
Safety = Reduced number of adverse events.
Safety = Ability to respond when something fails.
Safety = Ability to succeed under varying conditions.

Improve ability to respond to adverse events.
Improve resilience.
[Figure: levels of outcomes from Disasters and Accidents down through Failures, malfunctions, violations, error mechanisms and Slips, unsafe acts, to Normal actions; the lowest level is marked "???". Labels: Actual, Critical, Potential.]

Anticipate long-term threats and opportunities.
Monitor short-term developments and threats; revise risk models.
Anticipating: Finding out and knowing what to expect.
Learning: Knowing what has happened.
Monitoring: Knowing what to look for (indicators).

[Figure labels: Actual, Factual, Critical, Potential.]
An increased availability and reliability of functioning on all levels will both improve
safety and enhance control, hence the ability to predict, plan, and produce.
THINK! DO!

Work is carefully planned and monitored. Work is paced by technology and external events. Demands match capacity. Control is kept. Efficient performance requires a balance between thinking and doing.

Efficiency-Thoroughness Trade-Off

Thoroughness: Time to think. Recognising situation. Choosing and planning.
Efficiency: Time to do. Implementing plans. Executing actions.

If thoroughness dominates, there may be too little time to carry out the actions. If efficiency dominates, actions may be badly prepared or wrong.

[Figure labels: Miss pre-conditions; Look for expected results; Time & resources needed; Time & resources available.]
[Figure labels: Idiosyncratic (work related); Collective (organisation); Judgement under uncertainty; Cognitive primitives (SM FG); Reactions to information input overload and underload.]
Individual ETTO rules:
- Looks fine
- Not really important
- Normally OK, no need to check
- I've done it millions of times before
- Will be checked by someone else
- Has been checked by someone else
- This way is much quicker
- No time (or resources) to do it now
- Can't remember how to do it
- We always do it this way
- It looks like X (so it probably is X)
- We must get this done
- Must be ready in time
- Must not use too much of X

Collective ETTO rules:
- Negative reporting
- Cognitive style
- Confirmation bias
- Reduce redundancy
- Meet production targets
- Reduce unnecessary cost
- Double-bind
- Reject conflicting information

Efficiency-Thoroughness Trade-Off
For distributed work it is necessary to trust what
others do; it is impossible
to check everything.
[Figure: Thoroughness versus Efficiency. Thoroughness: consider secondary outcomes and side-effects; confirm that input is correct. Efficiency: assume someone else takes care of outcomes.]

Mutual optimism: each participant reasons "I can allow myself to be effective because the others will be thorough" (the statement is repeated for every participant in the figure).
[Figure labels: Actual, Factual, Critical, Potential, Learning, Monitoring.]

Individual ETTO rules:
- Looks fine
- Not really important
- Normally OK, no need to check now
- I've done it hundreds of times before
- Will be checked by someone else
- Has been checked by someone else

Organisational or collective ETTO rules:
- Reduce redundancy
- Double-bind (DO and DON'T)
- Reject conflicting information
- Reduce unnecessary cost and effort
- Meet production targets (safety first but ...)
- Negative reporting (only report when something is wrong)
[Figure labels: Efficiency, Thoroughness; Actual, Factual, Critical, Potential.]

What, when (continuously or event-driven, on successes or failures), how (qualitative, quantitative), by individual or by organisation?