The Changing nature of Risk

Erik Hollnagel Professor & Industrial Safety Chair MINES Paris e!h, C"C So#hia $nti#olis, %ran!e Professor II N N& rondhei', Nor(ay
Erik Hollnagel, 2010

E)'ail* erik+hollnagel,!r!+ens'#+fr

Ho( !an (e kno( that (e are safe-

$!!ident analysis

"isk assess'ent

E.#laining and Predi!ting (hat understanding (hat has 'ay ha##en ha##ened /a!tual !auses0 /#ossi1le !onse2uen!es0 Ho( !an (e kno( (hat did go (rongEli'ination or redu!tion of attri1uted !auses Eli'ination or #re3ention of #otential risks Ho( !an (e #redi!t (hat 'ay go (rong-

In order to a!hie3e freedo' fro' risks, 'odels, !on!e#ts and 'ethods 'ust 1e !o'#ati1le, and 1e a1le to des!ri1e 4reality5 in an ade2uate fashion+
Erik Hollnagel, 2010

hree ages of industrial safety

Hale & Ho3den /16680

Things can go rong

$ge of te!hnology
1870 1600

!ecause technology fails

1670

2000

1:;6 Industrial "e3olution

1869 "ailroad Safety $##lian!e $!t 1691 Industrial a!!ident #re3ention

I "e3olution

16;1 %ault tree analysis

Erik Hollnagel, 2010

"isks as #ro#agation of failures

?e!o'#osa1le, si'#le linear 'odels If a!!idents ha##en like this +++ he !ul'ination of a !hain of e3ents+ %ind the !o'#onent that failed 1y reasoning 1a!k(ards fro' the final !onse2uen!e+ +++ then risks !an 1e found like this +++ Pro1a1ility of !o'#onent failures %ind the #ro1a1ility that so'ething C1reaksD, either alone or 1y si'#le, logi!al and fi.ed !o'1inations+ Einary 1ran!hing

Hu'an failure is treated at the C!o'#onentD le3el+

Erik Hollnagel, 2010

hree ages of industrial safety

Things can go rong !ecause the human factor fails
$ge of hu'an fa!tors $ge of te!hnology
1870 1600 1670 2000

1:;6 Industrial "e3olution

1869 "ailroad Safety $##lian!e $!t 1691 Industrial a!!ident #re3ention

I "e3olution

16;1 %ault tree analysis

16:6 hree Mile Island

Erik Hollnagel, 2010

"isks as !o'1inations of failures

?e!o'#osa1le, !o'#le. linear 'odels Co'1inations of failures and !onditions

If a!!idents ha##en like this +++ Co'1inations of a!ti3e failures and latent !onditions+ Gook for ho( degraded 1arriers or defen!es !o'1ined (ith an a!ti3e /hu'an0 failure+

+++ then risks !an 1e found like this +++

Gikelihood of (eakened defenses, !o'1inations Single failures !o'1ined (ith latent !onditions, leading to degradation of 1arriers and defen!es+
Erik Hollnagel, 2010

hree ages of industrial safety

Things can go rong !ecause Organisations fail
$ge of safety 'anage'ent $ge of hu'an fa!tors $ge of te!hnology
1870 1600 1670 2000

1:;6 Industrial "e3olution

1869 "ailroad Safety $##lian!e $!t 1691 Industrial a!!ident #re3ention

2006 16;1 $% <<: %ault tree analysis 16:6 I hree Mile 2009 "e3olution Island Colu'1ia
Erik Hollnagel, 2010

"isks as non)linear !o'1inations

Non)de!o'#osa1le, non)linear 'odels
T C
FAA

%un!tional resonan!e analysis 'odel

T C
FAA

C I Maintenance o ersight O I
Aircraft design knowledge

Maintenance o ersight

O I
Aircraft design knowledge

If a!!idents ha##en like this +++

Certification

R T
Inter al a!!ro als

Aircraft

P T

R C

High workload

C
Procedures

Inter al a!!ro als

Aircraft design

O
Redundant design

&nd%!la( checking

O
Allowable end%!la(

R
Controlled stabili"er #o e#ent

Li#iting stabili"er #o e#ent

R
Li#ited stabili"er #o e#ent

M echanics

T
&)ui!#ent High workload &'!ertise &'cessi e end%!la(

$ackscrew u!%down #o e#ent

O I R P

Procedures Lubrication

Hori"ontal stabili"er #o e#ent

Lubrication

Aircraft !itch control

R
G rease

$ackscrew re!lace#ent

+++ then risks !an 1e found like this +++

Certification

R T
Inter al a!!ro als

Aircraft

P T

R C

High workload

C
Procedures

Inter al a!!ro als

Aircraft design

O
Redundant design

&nd%!la( checking

O
Allowable end%!la(

R
Controlled stabili"er # o e#ent

Li#iting stabili"er #o e#ent

R
Li# ited stabili"er # o e#ent

Mechanics

T
&)ui!#ent High workload &'!ertise &'cessi e end%!la(

$ackscrew u!%down #o e#ent

O I R P

Procedures Lubrication

Hori"ontal stabili"er #o e#ent

Lubrication

Aircraft !itch control

R
Grease

$ackscrew re!lace#ent

P
&'!ertise

R
&'!ertise

&ne.#e!ted !o'1inations /resonan!e0 of 3aria1ility of nor'al #erfor'an!e+ Syste's at risk are intra!ta1le rather than tra!ta1le+

&ne.#e!ted !o'1inations /resonan!e0 of 3aria1ility of nor'al #erfor'an!e+ he esta1lished assu'#tions therefore ha3e to 1e re3ised
Erik Hollnagel, 2010

Ho( do (e kno( that so'ething is safeECHN>G>HI H&M$NS >"H$NIS$ I>NS

%or'al, e.#li!it Standardised, 3alidated Mode of o#eration* Bell)defined Stru!tural sta1ility* High /#er'anent0 %un!tional sta1ility* High

?esign #rin!i#les* $r!hite!ture and !o'#onents* Models* $nalysis 'ethods*

Clear and e.#li!it Ano(n

&nkno(n, inferred Mostly unkno(n Mainly analogies S#e!ulati3e, un#ro3en Faguely defined Faria1le &sually relia1le

Progra''ati! Partly unkno(n Se'i)for'al, $d ho!, un#ro3en Goosely defined Se'i)sta1le Hood /lagging0+
Erik Hollnagel, 2010

"ange of e3ent out!o'es

>ut!o'e

Positi3e

Serendipity Normal outcomes (things that go right)

Good luck
Neutral

Incidents Accidents

Near misses

Negati3e

Disasters
Fery lo(

Mishaps
Fery high Predi!ta1ility
Erik Hollnagel, 2010

%re2uen!y of e3ent out!o'es

>ut!o'e

Positi3e

Serendipity

Normal outcomes (things that go right)

Good luck
Neutral

Incidents Accidents

Near misses

Negati3e

Disasters
Fery lo(

*+.

Mishaps

*+*+,

Fery high Predi!ta1ility

Erik Hollnagel, 2010

Eeing safe 3ersus 1eing unsafe

>ut!o'e

Serendipity

Safe Normal outcomes Functioning (things that go (invisible) right)

Near misses

Positi3e

Good luck
Neutral

Negati3e

Unsafe Accidents Functioning (visible)

Disasters
Fery lo(

Incidents

*+.

Mishaps

*+*+,

Fery high Predi!ta1ility

Erik Hollnagel, 2010

Bhy only look at (hat goes (rongSafety K "edu!ed nu'1er of ad3erse e3ents+ %o!us is on (hat goes (rong+ Gook for failures and 'alfun!tions+ ry to eli'inate !auses and i'#ro3e 1arriers+ Safety and !ore 1usiness !o'#ete for resour!es+ Gearning only uses a fra!tion of the data a3aila1le 10)< *K 1 failure in 10+000 e3ents Safety K $1ility to su!!eed under 3arying !onditions+ %o!us is on (hat goes right+ &se that to understand nor'al #erfor'an!e, to do 1etter and to 1e safer+ Safety and !ore 1usiness hel# ea!h other+ Gearning uses 'ost of the data a3aila1le

1 ) 10)< *K 6+666 non) failures in 10+000 e3ents

Erik Hollnagel, 2010

%ailures or su!!essesBhen so'ething goes (rong, e+g+, 1 e3ent out of 10+000 /10E)<0, hu'ans are assu'ed to 1e res#onsi1le in 80)60L of the !ases+ Bhen so'ething goes right, e+g+, 6+666 e3ents out of 10+000, are hu'ans also res#onsi1le in 80)60L of the !ases-

Bho or (hat are res#onsi1le for the re'aining 10)20LIn3estigation of failures is a!!e#ted as i'#ortant+

Bho or (hat are res#onsi1le for the re'aining 10)20LIn3estigation of su!!esses is rarely undertaken+
Erik Hollnagel, 2010

%ro' the negati3e to the #ositi3e

Negati3e out!o'es are !aused 1y failures and 'alfun!tions+ $ll out!o'es /#ositi3e and negati3e0 are due to #erfor'an!e 3aria1ility++

Safety K "edu!ed nu'1er of ad3erse e3ents+

Safety K $1ility to res#ond (hen so'ething fails+

Safety K $1ility to su!!eed under 3arying !onditions+

Eli'inate failures and 'alfun!tions as far as #ossi1le+

I'#ro3e a1ility to res#ond to ad3erse e3ents+

I'#ro3e resilien!e+

Erik Hollnagel, 2010

Prin!i#le of a##ro.i'ate adNust'ents

Syste's are so !o'#le. that (ork situations al(ays are unders#e!ified P hen!e #artly un#redi!ta1le %e( P if any P tasks !an su!!essfully 1e !arried out unless #ro!edures and tools are ada#ted to the situation+ Perfor'an!e 3aria1ility is 1oth nor'al and ne!essary+

Many so!io)te!hni!al syste's are intra!ta1le+ he Su!!ess !onditions of (ork therefore ne3er !o'#letely 'at!h Perfor'an!e (hat has 1een s#e!ified or #res!ri1ed+ 3aria1ility Indi3iduals, grou#s, and organisations nor'ally %ailure adNust their #erfor'an!e to 'eet e.isting !onditions /resour!es, de'ands, !onfli!ts, interru#tions0+ Ee!ause resour!es /ti'e, 'an#o(er, infor'ation, et!+0 al(ays are finite, su!h adNust'ents (ill in3aria1ly 1e a##ro.i'ate rather than e.a!t+
Erik Hollnagel, 2010

Effi!ien!y) horoughness rade)>ff

horoughness* i'e to think "e!ognising situation+ Choosing and #lanning+ If thoroughness do'inates, there 'ay 1e too little ti'e to !arry out the a!tions+ Negle!t #ending a!tions Miss ne( e3ents Effi!ien!y* i'e to do I'#le'enting #lans+ E.e!uting a!tions+ If effi!ien!y do'inates, a!tions 'ay 1e 1adly #re#ared or (rong Miss #re)!onditions Gook for e.#e!ted results

i'e & resour!es needed i'e & resour!es a3aila1le

Erik Hollnagel, 2010

So'e E > heuristi!s

Cogniti3e /indi3idual0
Oudge'ent under un!ertainty Cogniti3e #ri'iti3es /SM P %H0 "ea!tions to infor'ation in#ut o3erload and underload Cogniti3e style Confir'ation 1ias

Idiosyn!rati! /(ork related0

Gooks fine Not really i'#ortant Nor'ally >A, no need to !he!k I53e done it 'illions of ti'e 1efore Bill 1e !he!ked 1y so'eone else Has 1een !he!ked 1y so'eone else his (ay is 'u!h 2ui!ker No ti'e /or resour!es0 to do it no( Can5t re'e'1er ho( to do it Be al(ays do it this (ay It looks like Q /so it #ro1a1ly is Q0 Be 'ust get this done Must 1e ready in ti'e Must not use too 'u!h of Q

Colle!ti3e /organisation0
Negati3e re#orting "edu!e redundan!y Meet C#rodu!tionD targets "edu!e unne!essary !ost ?ou1le)1ind "eNe!t !onfli!ting infor'ation

Erik Hollnagel, 2010

Intended ta.i@takeoff #ath $!tual ta.i@takeoff #ath

Erik Hollnagel, 2010

N SE analysis and !on!lusions

+++ the #ro1a1le !ause of this a!!ident (as the flight !re('e'1ers5 failure to use a3aila1le !ues and aids to identify the air#lane5s lo!ation on the air#ort surfa!e during ta.i and their failure to !ross)!he!k and 3erify that the air#lane (as on the !orre!t run(ay 1efore takeoff+ Contri1uting to the a!!ident (ere the flight !re(5s non#ertinent !on3ersation during ta.i, (hi!h resulted in a loss of #ositional a(areness, and the %ederal $3iation $d'inistration5s /%$$0 failure to re2uire that all run(ay !rossings 1e authoriJed only 1y s#e!ifi! air traffi! !ontrol /$ C0 !learan!es+
/T012 3,++452 Atte#!ted takeoff fro# wrong runwa(6 Co#air Flight 7*8*6 1o#bardier CL%.++%,1*86 /-9*CA6 Le'ington6 :entuck(6 August ,46 ,++. 3Aircraft Accident Re!ort /T01;AAR%+4;+752 <ashington6 =C> /ational Trans!ortation 0afet( 1oard2

%or'al a!!ident in3estigations usually start (ith an assu'#tion that the o#erator 'ust ha3e failed, and if this attri1ution !an 1e 'ade, that is the end of serious in2uiry+ (Perrow (1984). Normal Accidents)
Erik Hollnagel, 2010

%"$M analysis ste#s 0 1 2 3 4

?efine the #ur#ose of 'odelling and des!ri1e the situation 1eing analysed+ $n e3ent that has o!!urred /in!ident@a!!ident0 or a #ossi1le future s!enario /risk0+ Identify essential syste' fun!tionsR !hara!terise ea!h fun!tion 1y si. 1asi! #ara'eters+ Chara!terise the /!onte.t de#endent0 #otential 3aria1ility using a !he!klist+ Consider 1oth nor'al and (orst !ase 3aria1ility+ ?efine fun!tional resonan!e 1ased on #ossi1le de#enden!ies /!ou#lings0 a'ong fun!tions+ Identify 1arriers for 3aria1ility /da'#ing fa!tors0 and s#e!ify re2uired #erfor'an!e 'onitoring+
Erik Hollnagel, 2010

Euilding the larger #i!ture

T C T C

AGEQ ta.i 1riefing

P R

O T C

a.i to run(ay
P R

O T C

I T C P I

Perfor' ta.i !he!klist

R

a.i onto run(ay

P R

AGEQ $ C !learan!e

O I R P

Perfor' 1efore take)off !he!klist

R

Erik Hollnagel, 2010

N SE !on!lusion* +++ the #ro1a1le !ause of this a!!ident (as the flight !re('e'1ers5 failure to use a3aila1le !ues and aids +++
Erik Hollnagel, 2010

Con!lusions
"isk assess'ent 1ased on !ause)effe!t relations $!!idents e.#lained as a result of failures and 'alfun!tions $nalysis* $nalysis look for !auses that e.#lain the out!o'e Predi!tion* Predi!tion ?eter'ine ho( failures #ro#agate through syste' Cal!ulate failure #ro1a1ility Identify !ause)effe!t relations and !ause)effe!t !hains Model !o'1inations of a!ti3e and #assi3e /latent0 failures+ "isk assess'ent 1ased on fun!tional resonan!e $!!idents e.#lained as a result of fun!tional !ou#lings $nalysis* $nalysis look for fun!tional !ou#lings #resent in the situation Predi!tion* Predi!tion find #otential fun!tional !ou#lings for the task@a!ti3ity
T C
FAA

Maintenance o ersight

Certification

Aircraft design knowledge

Aircraft

R T Li#iting stabili"er #o e#ent C

Inter al a!!ro als

High workload

Inter al a!!ro als

Aircraft design

Procedures

&nd%!la( checking

Redundant design

Allowable end%!la(

Mechanics

Controlled stabili"er #o e#ent

R
Li#ited stabili"er #o e#ent

&)ui!#ent

&'!ertise

High workload

&'cessi e end%!la(

$ackscrew u!%down #o e#ent

Procedures

Hori"ontal stabili"er #o e#ent

Lubrication

Lubrication

Aircraft !itch control

$ackscrew re!lace#ent

Grease

P
&'!ertise

?eter'ine ho( fun!tions are !ou#led ?eter'ine (hen #erfor'an!e 3aria1ility is likely ?eter'ine ho( 3aria1ility 'ay e.#ress itself
Erik Hollnagel, 2010

Philoso#hi!al #ro1le's of #redi!ta1ility

Gi3et forstTs 1aglUns, 'en 'T le3es forlUns Gife !an only 1e understood 1a!k(ards, 1ut it 'ust 1e li3ed for(ards+
SSren Aierkegaard /1819)18770

he #resent is unlike the #ast, and the future is unlike the #resent
Nor1ert Biener /167;0
Erik Hollnagel, 2010

$ny 2uestions-

Erik Hollnagel, 2010