4th IET Conference on System Safety 26-28 October 2009 Savoy Place, London
The Human Contribution to System Safety James Reason Professor Emeritus University of Manchester
Human performance: Two aspects Human as
Human as
hazard
hero
Slips • Lapses • Mistakes • Violations
• Adj djus ustm tmen ents ts • Co Comp mpen ensa sati tion ons s • Recoveries • Im Impr prov ovis isat atio ions ns
Human performance: Two aspects Human as
Human as
hazard
hero
Slips • Lapses • Mistakes • Violations
• Adj djus ustm tmen ents ts • Co Comp mpen ensa sati tion ons s • Recoveries • Im Impr prov ovis isat atio ions ns
Three models of error
Person model Legal model System model
Each has its Each its own own ‘theor ‘theory’ y’ of error error.. Each Each directs a particular type of remedy.
The person model
Sees errors as the product of wayward mental processes: forgetfulness, inattention, distraction, carelessness, etc. Remedial measures directed primarily at the ‘sharp end’ error -maker: naming, blaming, shaming, retraining, fear appeals, writing another procedure, etc. BUT this isolates errors from their context and has little or no remedial value.
The legal model
Responsible professionals should not make errors (duty of care). Such errors are rare but sufficient to cause adverse events. Errors with bad consequences are negligent or even reckless and deserve deterrent sanctions. BUT errors are frequent and mostly without bad consequences. Rarely sufficient alone. Though sometimes necessary to complete an accident-in-waiting.
The system model
Errors are commonplace: a universal fact of life, like breathing or dying. They are only occasionally necessary to cause adverse events. ‘Sharp-enders’ are more likely to be the inheritors than the instigators. Adverse events are the product of many causal factors. Remedial efforts directed at improving defences and removing error traps.
The varieties of unsafe acts
Slips, lapses, trips and fumbles Rule-based mistakes Knowledge-based mistakes Violations (often a sub-class of rulebased mistakes—but not always)
Rule - -based b ased mistakes
Misapplication of a good rule Application of a bad rule Failure to apply a good rule (violation)
How violations differ from errors
Errors are unintended. Violations are deliberate (the act not the occasional bad consequences). Errors arise from information problems. Violations are shaped mainly by attitudes, beliefs, group norms and safety culture. But violations can be mistaken —the failure to apply a good rule.
Violation types
Routine violations (corner -cutting) Optimising violations (for ‘kicks’)
Necessary violations (to get job done)
Three kinds of situation
Good rules Bad rules
No rules
Rule - -related related behaviours
Correct compliance Mistaken compliance (mispliance) Malicious compliance (malpliance) Mistaken circumvention (misvention)
Successful violation Mistaken improvisation
Correct improvisation
Lessons for management
Increase the benefits of compliance. Create a system that doesn ’t require violations in order to get the job done. Take home message: Most of the remedies are in the hands of system builders & managers rather than in the heads of ‘delinquent’ individuals.
Two kinds of accidents Individual accidents
Organizational accidents
Frequent Limited consequences Few or no defences Limited causes Slips, trips and lapses Short ‘history’
Rare Widespread consequences Many defences Multiple causes Judging and deciding Long ‘history’
The ‘ Swiss Swiss cheese ’ ’ model (1997) Some holes due to active failures
Losses
Hazards
Other holes due to latent conditions
Successive layers of defences, barriers, & safeguards
What? How? Why? WHAT? HOW?
&DXVHV ,QYHVWLJDWLRQ
WHY?
Human as hero
The human-as-hazard view dominates. Most human factors observations are derived from bad events. But human resilience has brought troubled systems back from the brink of disaster on a significant number of occasions.
Heroic recoveries organised under four headings
Training, discipline and leadership Sheer unadulterated professionalism Skill and luck Inspired improvisations
Training, discipline & leadership
The Light Division’s retreat at the battle of Fuentes de Onoro (1811). The withdrawal of the US 1st Marine Division from Chosin Reservoir (1950)
Sheer unadulterated professionalism
Capt Rostron and the rescue of the Titanic survivors (1911). Saving Apollo 13 (1970) Saving BAC 1-11 (1990) Surgical excellence (1995 -97) Saving BA 38 at LHR (2008) Landing on the Hudson River (2009)
Skill and luck
The Gimli Glider (1983) United 232 at Sioux City (1989)
Inspired improvisations
Gen. Gallieni and the Paris taxis (1914) Capt. Gordon Vette and the rescue of Jay Prochnow in S. Pacific (1978)
Light Division 1811
To Almeida
Main bulk of Wellington’s army
Direction of French attack on first day
Fuentes de Onoro (5 May 1811) Fuentes de Onoro To Villar Formoso
To Ciudad Rodrigo
F
N
Poco Velho 7th Division Light Division Turones
Cavalry action on third day
Dos Casas
The Gimli glider
On July 23 1983, an Air Canada 767, flying from Montreal to Edmonton, ran out of fuel due a variety of errors and system failures. When the engines stopped, the aircraft was 65 miles from Winnipeg and 45 miles from Gimli—to where it glided and landed safely.
The landing ‘Fortunately for all concerned, one of Capt. Pearson’ s skills is gliding . . . Without power, the aircraft had no flaps or slats to control rate and speed of descent. There was only one chance at landing (on a 7,200 ft disused military runway). As they approached Gimli, Capt. Pearson and F/O Quintal discussed the possibility of executing a side-slip . . .This the Capt. did on the final approach and touched down within 800 ft of the threshold.’ JUST 2 PARAGRAPHS IN A 104-PAGE REPORT
The landing at Gimli
General Gallieni and the Paris taxis
Ingredients of heroic recovery
Realistic optimism—the opposite of despair. Variable decision-making styles • Intuitive or recognition primed • Rule-based • Analytical • Creative thinking
Management styles also varied
