
ACCIDENTS AND BARRIERS

Erik Hollnagel
Graduate School of Human-Machine Interaction
University of Linköping, LIU/IKP/HMI, S-581 83 Linköping, Sweden
eriho@ikp.liu.se

Abstract
This paper discusses the barrier concept starting from a basic distinction between barrier
functions, defined as the specific manner by which the barrier achieves its purpose, and
barrier systems, defined as the organisational and/or physical foundation for the barrier
function. Four different types are proposed, called material, functional, symbolic, and
immaterial barrier systems respectively. A basic distinction between barrier functions is
whether they are preventive or protective. This reflects whether the barrier function is
intended to work before the occurrence of an accident or after it has happened. It is
furthermore possible to describe a number of generic barrier functions, such as: containing,
restraining, keeping together, dissipating, preventing, hindering, regulating, indicating,
permitting, communicating, monitoring, and prescribing. There is no simple one-to-one
correspondence between barrier functions and barrier systems, nor between barrier functions
and their use as either preventive or protective barriers. The paper also introduces the specific
discussion of the retrospective and prospective use of barriers.

Keywords
Accidents, failures, barriers, prevention, design, organisations.

1. INTRODUCTION
Accidents are frequently characterised either in terms of the events and conditions that led to
the final outcome or in terms of the barriers that have failed. A barrier, in this sense, is an
obstacle, an obstruction, or a hindrance that may either (1) prevent an action from being
carried out or an event from taking place, or (2) prevent or lessen the impact of the
consequences, for instance by slowing down the uncontrolled release of matter and energy,
limiting the reach of the consequences or weakening them in other ways, cf. Figure 1. Barriers
are important for the understanding and prevention of accidents. Firstly, the very fact that an
accident has taken place means that one or more barriers have failed – i.e., that they did not
serve their purpose or that they were missing. Secondly, once the aetiology of an accident has
been determined and the causal pathways identified, barriers can be used as a means to
prevent the same, or a similar, accident from taking place in the future.

[Diagram: an initiating event (incorrect action) and the accident, with three groups of barriers.
Prevention (control barriers): active or passive barrier functions that prevent the initiating event from occurring.
Protection (safety barriers): active barrier functions that deflect consequences.
Protection (boundaries): passive barrier functions that minimise consequences.]

Figure 1: Use of barriers.

The notion of a barrier can be considered both in relation to a method or a set of guidelines for
identifying barriers and in relation to a way of systematically describing or classifying
barriers. The two aspects are, of course, not independent, since the method for analysis
necessarily must refer to a classification scheme, regardless of whether the analysis is a
retroactive or a proactive one (Hollnagel, 1998). As a starting point, a barrier function can
be defined as the specific manner by which the barrier achieves its purpose, whereas a
barrier system can be defined as the substratum or foundation for the barrier function, i.e.,
the organisational and/or physical structure without which the barrier function could not be
accomplished. The use of the barrier concept should be based on a systematic description of
various types of barrier systems and barrier functions, for instance as a classification system.
This will help to identify specific barrier systems and barrier functions and to understand the
role of barriers, in either meaning, in the history of an accident.

Despite the importance of the barrier concept, the accident literature only contains a small
number of studies (Kecklund et al. 1996; Leveson, 1995; Svenson, 1991 & 1997; Taylor,
1998 and Trost & Nertney, 1985). The classifications proposed by these studies have been
quite diverse, partly because of the lack of a common conceptual background, and partly
because they have been developed for specific purposes within quite diverse fields. The most
successful attempt at developing a theory of barriers has been the work of Svenson (1991),
which also was the basis for the field studies of Kecklund et al. (1996).

2. DESCRIPTORS OF BARRIER SYSTEMS


An analytical description of barriers can be based on several different concepts, such as the
barriers’ origin, their purpose, their location, and their nature. Of these, only the concept of
the barrier nature is rich enough to support an extensive classification. The nature of barriers
is principally independent of their origin, their purpose (e.g., as preventive or protective), and
their location. By their nature barrier systems can range from physical hindrances (walls,
cages) to ethereal rules and laws. A classification of barrier systems can be based on the
following four main categories.
• Material barriers physically prevent an action from being carried out or the consequences
from spreading. Examples of material barriers are buildings, walls, fences, railings, bars,
cages, gates, etc. A material barrier presents an actual physical hindrance for the action or
event in question and although it may not prevent it under all circumstances, it will at least
slow it down or delay it. Furthermore, a material barrier does not have to be perceived or
interpreted by the acting agent in order to serve its purpose.

• Functional (active or dynamic) barriers work by impeding the action to be carried out,
for instance by establishing a logical or temporal interlock. A functional barrier effectively
sets up one or more pre-conditions that have to be met before something can happen. These
pre-conditions need not be interpreted by a human, but may be interrogated or sensed by
the system itself. Functional barriers are therefore not always visible or discernible,
although their presence often is indicated to the user in one way or another and may require
one or more actions to be overcome. A lock, for instance, is a functional barrier, whether it
is a physical lock that requires the use of a key or a logical lock that requires some kind of
password or identification.

• Symbolic barriers require an act of interpretation in order to achieve their purpose, hence
an “intelligent” agent that can react or respond to the barrier. Whereas a functional barrier
works by establishing an actual pre-condition that must be met by the system, or the user,
before further actions can be carried out, a symbolic barrier indicates a limitation on
performance that may be disregarded or neglected. Alternative terms may therefore be
conceptual or perceptual barriers. While the railing along a road is both a physical and a
symbolic barrier, the reflective posts or markers are only a symbolic barrier: they indicate
where the edge of the road is, but unlike the railing they are insufficient to prevent a car
from going off the road. All kinds of signs and signals are symbolic barriers, specifically
visual and auditory signals. The same goes for warnings (texts, symbols, sounds), interface
layout, information presented on the interface, visual demarcations, etc.

• Immaterial barriers are not physically present or represented in the situation, but depend
on the knowledge of the user to achieve their purpose. Immaterial barriers are usually also
represented in a physical form such as a book or a memorandum, but are normally not
physically present when their use is mandated. Typical immaterial barriers are: rules,
guidelines, restrictions, and laws. In industrial contexts, immaterial barriers are largely
synonymous with organisational barriers, i.e., rules for actions that are imposed by the
organisation, rather than being physically, functionally or symbolically present in the
system.

It is clearly possible to realise several barrier systems and functions in the same physical
artefact or object. For instance, a door may have on it a written warning and may require a
key to be opened. Here the door is a physical barrier system, the written warning is a symbolic
barrier system, and the lock requiring a key is a functional barrier system. It may, in fact, be
the rule rather than the exception that more than one type of barrier is combined, at least for
the first three categories.

3. A CLASSIFICATION OF BARRIERS
Table 1 presents a classification of the barriers that are known from the
general literature. Each barrier is described with regard to its system, i.e., one of the four main
classes as defined above, and its function (or mode), i.e., the more specific nature of the
barrier. The list of barriers presented here is clearly not exhaustive, but hopefully sufficiently
extensive to be of some practical use.
Table 1: Barrier systems and barrier functions.

| Barrier system | Barrier function | Example |
|---|---|---|
| Material, physical | Containing or protecting. Physical obstacle, either to prevent transporting something from the present location (e.g., release) or into present location (penetration). | Walls, doors, buildings, restricted physical access, railings, fences, filters, containers, tanks, valves, rectifiers, etc. |
| Material, physical | Restraining or preventing movement or transportation. | Safety belts, harnesses, fences, cages, restricted physical movements, spatial distance (gulfs, gaps), etc. |
| Material, physical | Keeping together. Cohesion, resilience, indestructibility | Components that do not break or fracture easily, e.g. safety glass. |
| Material, physical | Dissipating energy, protecting, quenching, extinguishing | Air bags, crumble zones, sprinklers, scrubbers, filters, etc. |
| Functional | Preventing movement or action (mechanical, hard) | Locks, equipment alignment, physical interlocking, equipment match, brakes, etc. |
| Functional | Preventing movement or action (logical, soft) | Passwords, entry codes, action sequences, pre-conditions, physiological matching (iris, fingerprint, alcohol level), etc. |
| Functional | Hindering or impeding actions (spatio-temporal) | Distance (too far for a single person to reach), persistence (dead-man-button), delays, synchronisation, etc. |
| Symbolic | Countering, preventing or thwarting actions (visual, tactile interface design) | Coding of functions (colour, shape, spatial layout), demarcations, labels & warnings (static), etc. Facilitating correct actions may be as effective as countering incorrect actions. |
| Symbolic | Regulating actions | Instructions, procedures, precautions / conditions, dialogues, etc. |
| Symbolic | Indicating system status or condition (signs, signals and symbols) | Signs (e.g., traffic signs), signals (visual, auditory), warnings, alarms, etc. |
| Symbolic | Permission or authorisation (or the lack thereof) | Work permit, work order. |
| Symbolic | Communication, interpersonal dependency | Clearance, approval, (on-line or off-line), in the sense that the lack of clearance etc., is a barrier. |
| Immaterial | Monitoring, supervision | Check (by oneself or another a.k.a. visual inspection), checklists, alarms (dynamic), etc. |
| Immaterial | Prescribing: rules, laws, guidelines, prohibitions | Rules, restrictions, laws (all either conditional or unconditional), ethics, etc. |

It is not always easy or straightforward to classify a barrier. A wall is, of course, a physical
barrier system and a law is equally obviously an immaterial barrier system. But what kind of
barrier system or barrier function is a procedure? The procedure by itself is an instruction for how to
do something, hence not primarily a barrier. Procedures may, however, include warnings and
cautions, as well as conditional actions. The procedure may exist as a physical document, but
it works because of its contents or meaning rather than because of its physical characteristics.
The warnings, cautions, and conditions of a procedure are therefore classified as a symbolic
barrier system, i.e., they require an act of interpretation in order to work.

Symbolic barriers are often used to complement immaterial barriers. For instance, road signs
supplement the general speed limits given by the traffic laws. Symbolic barriers may also
complement material barriers to encourage their use. Seat belts are material barriers, but can
only serve their purpose when they are used. In commercial aircraft, seat belt use is supported
by both static cautions and dynamic signals (seat belt sign), as well as a visual inspection. In
private cars the material barrier is only supported by the immaterial barrier, i.e., the traffic
laws, which often produces a less than satisfactory result.

4. ACCIDENT ANALYSIS AND SYSTEM DESIGN


In order for a classification to be useful, it must be closely integrated with a method. In the
case of barriers, there is actually a need for two different sets of methods, one considering the
identification of barriers in accident analysis, and the other the specification of barriers for
system design.

In the case of accident analyses, barrier identification is generally carried out in a rather ad
hoc fashion. The common practice in risk analysis is to look for known barriers - similar to
the search for latent failure conditions, sneak paths, or failure modes - and this approach has
simply been applied to accident analysis as well. The principal disadvantage is that the barrier
analysis in this way is carried out on its own, rather than as an integral part of the general
accident analysis method. Although risk analysis has some similarities to accident analysis, it
is clearly not a complete accident analysis method by itself, since it does not address aspects
such as accounting for the interaction between the various elements of the socio-technical
system, or describing the common performance conditions. It is therefore necessary to find a
way of incorporating a systematic classification of barriers into common accident analysis
methods. The easiest solution is presumably to combine the generic fault tree analysis with a
barrier analysis to identify the risks emanating from the failure of barriers, which can be
described as input conditions to the logical gates.

For the purpose of system design, the main emphasis is normally on how to ensure that the
system functions as specified. While this clearly is an essential achievement, it is also
important to consider how the system may not function as specified, i.e., how it may fail.
Such analyses are common in the case of complex technological systems, e.g. as fault trees,
cause-consequence analyses, event trees, FMEA, HAZOP, etc., but are conspicuous by their
absence in the case of interactive systems - perhaps with the notable exception of HRA. It is,
however, of the utmost importance to use barriers as a pivotal element in system design, since
it is only by an inventive combination of barriers and facilitators that an effective and safe
system functioning can be achieved.

For event trees, barriers are uncomplicated to insert since they are represented simply as
failures – or rather, effective barriers are represented in terms of successes or very low failure
probabilities. It is then up to the designer later on to be more specific about the types of
barriers that may be needed to achieve the desired probability value. In that sense there is a
gradual transition to cause-consequence trees, which are more developed in the forward
direction than event trees. Here the introduction of the logical gates means that barriers
become more tangible and must be specified in greater detail.
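
The two uses described above (barrier failures as input conditions to the logical gates of a fault tree, and barriers as branches of an event tree) can be worked through on the door example from section 2. This is an added example, not part of the original paper; all probabilities, the failure causes of the lock, the ordering of the barriers and the independence of events are constructed assumptions.

```python
import math

# Constructed inputs (not from the paper): probability of the initiating
# event (incorrect action) per demand, and failure-on-demand of each barrier.
P_INIT = 0.1
BARRIERS = [  # (name, barrier system, failure node), in assumed order of encounter
    ("written warning", "symbolic", 0.5),
    # Lock fails if it was not engaged OR its mechanism is worn (assumed causes).
    ("lock requiring a key", "functional", ("OR", [0.01, 0.02])),
    ("door", "material", 0.05),
]

def prob(node):
    """Probability of a fault-tree node, assuming independent basic events.
    A node is either a number (basic event) or (gate, [input nodes])."""
    if isinstance(node, (int, float)):
        return float(node)
    gate, inputs = node
    ps = [prob(i) for i in inputs]
    if gate == "AND":
        return math.prod(ps)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {gate!r}")

def top_event(p_init, barriers):
    """Fault tree: accident = initiating event AND every barrier fails."""
    return prob(("AND", [p_init] + [fail for _, _, fail in barriers]))

def event_tree(p_init, barriers):
    """Event tree: each barrier is challenged only if the previous ones failed."""
    outcomes, p_reach = {}, p_init
    for name, _system, fail in barriers:
        p_fail = prob(fail)
        outcomes["stopped by " + name] = p_reach * (1.0 - p_fail)
        p_reach *= p_fail
    outcomes["accident"] = p_reach
    return outcomes

def ranking(p_init, barriers):
    """Top-event probability with each barrier removed in turn, worst first.
    Shows which barrier the system depends on most."""
    rows = []
    for i, (name, system, _fail) in enumerate(barriers):
        rest = barriers[:i] + barriers[i + 1:]
        rows.append((top_event(p_init, rest), name, system))
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    print(f"P(accident) = {top_event(P_INIT, BARRIERS):.3e}")
    for outcome, p in event_tree(P_INIT, BARRIERS).items():
        print(f"  {outcome:32s} {p:.3e}")
    for p, name, system in ranking(P_INIT, BARRIERS):
        print(f"  without {name} ({system}): {p:.3e}")
```

The event-tree outcomes sum to the probability of the initiating event, and the "accident" branch equals the fault-tree top event, so the two representations can be cross-checked against each other.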

Since barriers are included in a system to prevent undesirable events from occurring or to
protect against their consequences, it is important that potential barrier failures themselves can
be assessed, so that the weaknesses of the system are known. A tentative description of the
conditions that are required for adequate barrier functioning is shown in Table 2.

Table 2: Requirements for effective barrier functions.

| Barrier system | Barrier function | Pre-condition for proper functioning |
|---|---|---|
| Material | Physical. | Reliable construction, possibly regular maintenance. |
| Functional | Mechanical | Reliable construction, regular maintenance. |
| Functional | Logical | Verified implementation, adequate security. |
| Functional | Spatio-temporal | Reliable construction, regular maintenance. |
| Functional | Monitoring | Reliable performance of monitor |
| Symbolic | Interface design | Valid design specification, verified implementation, systematic updating |
| Symbolic | Information | High-quality interface design, reliable functioning. |
| Symbolic | Signs, signals and symbols | Regular maintenance, systematic modification, |
| Symbolic | Lack of permission or authorisation | High compliance by users. |
| Immaterial | Communicative, interpersonal | Nominal working conditions (no stress, noise, distraction, etc.). |
| Immaterial | Rules, cautions, warnings, prohibitions | High compliance by users. |

In order to include the concept of barriers in accident analysis and accident prevention, it is
necessary to combine the barrier concept with the notion of error modes. Hollnagel (1998)
identified eight basic error modes for human actions, which later were extended to cover
systemic failure modes as shown in Table 3 (cf. Hollnagel, 1999).

Table 3: Human and systemic error modes.

| Error mode | Human error mode | Systemic error mode |
|---|---|---|
| Timing | Action performed too early or too late | Position reached too early or too late. Equipment not working as required. |
| Duration | Action performed too briefly or for too long | Function performed too briefly or for too long. System state achieved too briefly or held for too long |
| Distance | Object/control moved too short or too far | System or object transported too short or too far |
| Speed | Action performed too slowly or too fast | System moving too slowly or too fast. Equipment not working as required. |
| Direction | Action performed in the wrong direction | System or object (mass) moving in the wrong direction |
| Force / power / pressure | Action performed with too little or too much force. | System exerting too little or too much force. Equipment not working as required. System or component having too little or too much pressure or power. |
| Object | Action performed on wrong object | Function targeted at wrong object |
| Sequence | Two or more actions performed in the wrong order, | Two or more functions performed in the wrong order, |
| Quantity and volume | None | System/object contains too little or too much or is too light or too heavy. |

In order to be able to select the right barrier during system design, it is necessary to assess the
efficiency of each barrier system relative to the failure or error modes. Consider, for instance,
the error mode of distance. Here a material barrier can be highly efficient in preventing a
movement from being taken too far (although not for preventing too short a movement). A
functional barrier may also be highly efficient, but both symbolic and immaterial barriers are
likely to be of little use.

The analyses made so far have indicated that immaterial barriers normally are rather
inefficient, even though they are cheap and fast to implement. This corresponds to the
ordering of approaches to hazard elimination in the MORT technique (Knox & Eicher, 1983),
where immaterial barriers, such as the development of special procedures to handle the
situation, come last. The other barrier systems may be efficient in different ways, and in
practice the establishing of an effective barrier requires a combination of several barrier
systems. Guidelines and principles for how this is to be done will be developed in a recently
started project.

5. REFERENCES
Hollnagel, E. (1998). Cognitive reliability and error analysis method. Oxford, UK: Elsevier
Science.

Hollnagel, E. (1999). Accident analysis and barrier functions. Halden, Norway: Institute for
Energy Technology.

Kecklund, L. J., Edland, A., Wedin, P. & Svenson, O. (1996). Safety barrier function analysis
in a process industry: A nuclear power application. Industrial Ergonomics, 17, 275-284.

Knox, N. W. & Eicher, R. W. (1983). MORT user’s manual (DOE 76/45-4). Idaho Falls,
Idaho: EG&G Idaho, Inc.

Leveson, N. (1995). Safeware. System safety and computers. Reading, MA: Addison-Wesley
Publishing Company.

Svenson, O. (1991). The accident evolution and barrier function (AEB) model applied to
incident analysis in the processing industries. Risk Analysis, 11(3), 499-507.

Svenson, O. (1997). Safety barrier function analysis for evaluation of new systems in a
process industry: How can expert judgment be used? In: Proceedings of Society for Risk
Analysis Europe Conference, Stockholm, June 15-18, 1997.

Taylor, R. J. (1988). Analysemetoder til vurdering af våbensikkerhed. Glumsø, DK: Institute
for Technical Systems Analysis.

Trost, W. A. & Nertney, R. J. (1985). Barrier analysis (DOE 76-45/29). Idaho Falls, Idaho:
EG&G Idaho, Inc.

Bibliographic Data

Proceedings of the European Conference on Cognitive Science Approaches to Process
Control (CSAPC), 21-24 Sep, 1993, Villeneuve, France. (p. 175-180).
