Accident Models and Risk Analysis
Transcript of Accident Models and Risk Analysis
8/3/2019 Accident Models and Risk Analysis
Slide 1
Rogier Woltjer, Division of Human-Centered Systems
Department of Computer and Information Science
Linköping University
BIKS1 4OKT06 F6&7 (with thanks to Erik Hollnagel and Yu-Hsing Huang)
Cognitive Systems Behaviour in Complex Environments: Accident Models and Risk Analysis
Slide 3
An accident is an unexpected event with an unwanted outcome.
Figure: Unexpected event AND Unwanted outcome -> Accident.
Hollnagel (2004)
Slide 4
Figure: Normal operation -> Unexpected event -> Unwanted outcome -> Accident. Two ways to avoid the accident: prevent the unexpected event (reduce the probability that the event happens) or prevent the unwanted outcome (reduce the consequences of the event).
Slide 5
Figure (Rasmussen & Jensen, 1973): Normal condition AND Unexpected event -> Abnormal condition; Abnormal condition AND Failure of control -> Loss of control; Loss of control AND Lack of defence -> Accident.
Slide 6
Share of accidents attributed to human error, by study (Green & Senders, 2003):
Study | # accidents | % human error
National Safety Council (1974) | - | 85%
Finnish Insurance Information Center (1974) | 1193 | 89%
English Study (cited in Sabey and Staughton, 1975) | 2130 | 95%
Perchonok (1972) | 670 | 88%
Treat et al. (1977) | 2258 | 92.6%
Slide 7
Treat et al. (1977): attributed causes in 2,258 road accidents
Driver (92.6%): Improper lookout (23.1%), Excessive speed (16.9%), Inattention (15.0%), Improper evasive action (13.3%), Internal distraction (9.0%)
Environment (33.8%): View obstructions (12.1%), Slick roads (9.8%), Transient hazards (5.2%), Design problems (4.8%), Control hindrances (3.8%)
Vehicle (12.6%): Braking systems (5.2%), Tires and wheels (4.0%), Communications systems (1.7%), Steering systems (1.0%), Body and doors (0.7%)
Slide 8
Figure (Hollnagel, 2002): % attributed cause by year, 1960-2000, with curves for Technology, Human factors and Organisation; the continuation of each curve beyond the data is marked with a question mark.
Slide 9
Figure (Hollnagel, 2002): the causes attributed to an accident/event have grown from simple causality towards complex coincidences. Terms on the figure: Technical failures, Human error, Other; Operation, Maintenance, Design, Management; Latent failure conditions, Organisational failures, Violations, Safety culture, Barriers, Quality management, Resources, Heuristics, Information processes, Cognitive functions, Pathogenic organisations, Software failures.
Slide 10
Figure (Heinrich et al., 1980): accident prevention cycle: Collect data -> Analyze data -> Select remedy -> Apply remedy -> Monitor. The cycle rests on a Basic Personal Philosophy of Accident Occurrence and Prevention (Principles, Beliefs) and a Fundamental Approach to Accident Prevention (Safety Management), applied both to long-term safety management considerations and safety programming and to short-term safety management problems and considerations.
Slide 11
Figure (Hollnagel, 1998): Data (observations, event reports) -> Analysis -> Conclusions, guided by a Method, a Classification scheme and a Model.
The method describes how the classification takes place.
The model describes the internal structure of the classification scheme.
Slide 12
Figure: Analysis -> Probable causes -> Cost-benefit analysis -> Corrective action -> Prevention.
Slide 13
Figure: the accident model links analysis and prevention. Analysis reasons from Effect to Cause (probable causes); prevention reasons from Cause to Effect (corrective action, selected through cost-benefit analysis).
Slide 14
Every cause has an effect. Every event (effect) has a prior cause.
Cause -> Effect: 1. If we know what this is ... 2. then we can look for this!
Effect -> Cause: 1. If we can see what this is ... 2. then we can find out what this is!
Hollnagel (2002)
Slide 15
Accidents are the complex result of multiple, interacting factors. In order to make sense of this, an accident model is required.
An accident model is an abstraction that describes how accidents can occur and therefore also how they can be prevented.
Accident analysis: What should we look for?
Accident prevention: What can we do about it?
Slide 16
Sequential accident model
Assumption: Accidents are the (natural) culmination of a series of events or circumstances, which occur in a specific and recognisable order.
Consequence: Accidents are prevented by finding and eliminating possible causes. Safety is ensured by improving the organisation's capability to respond.
Slide 17
The occurrence of a preventable injury is the natural culmination of a series of events or circumstances, which invariably occur in a fixed and logical order. One is dependent on another and one follows because of another, thus constituting a sequence that may be compared with a row of dominoes placed on end and in such alignment in relation to one another that the fall of the first domino precipitates the fall of the entire row.
Figure: the domino model. Dominoes: Social environment / Ancestry, Fault of person, Unsafe act / Mechanical & physical hazards, Accident, Injury.
Slide 18
The domino model (Heinrich et al., 1980):
1. Ancestry and social environment
2. Fault of person
3. Unsafe act and/or unsafe mechanical or physical condition
4. Accident
5. Injury
Removal of the middle domino breaks the chain.
Slide 19
Figure: the sequential model as a chain: Unexpected event A -> B -> C -> C -> Accident; each event is the cause of the next.
Slide 20
Error as an externalised category (Hollnagel, 1998)
Figure: Response -> Is the response within limits (criterion)? Yes: Correct response. No: Human error.
Slide 21
Figure: the sequential model over time. Accident analysis: Normally functioning system -> Component failure (human failure or technical failure) -> Accident. Accident prevention: improve component reliability.
Slide 22
Error as an internalised category (Hollnagel, 1998)
Figure: Correct intention? No: Mistake. Yes: Correct execution? No: Slip. Yes: Correct action.
Slide 23
Sequential accident model
Basic principle: Causality (single or multiple causes)
Purpose of analysis: Find specific causes and cause-effect links.
Typical reaction: Eliminate causes and links. Improve responses.
Figure: Normal development A -> B (unexpected event) -> C -> D -> Accident, each event being the cause of the next.
Slide 24
Epidemiological accident model
Assumption: Accidents result from a combination of active failures (unsafe acts) and latent conditions (hazards).
Consequence: Accidents are prevented by strengthening barriers and defences. Safety is ensured by keeping track of performance indicators.
Slide 25
Figure: layered defences with holes, between a Hazard and a Loss. Some holes are due to active failures; other holes are due to latent conditions.
Accidents are seen as the result of interrelations between real-time unsafe acts by front-line operators and latent conditions that have weakened the defences.
Slide 26
Figure: the epidemiological triangle of Host, Agent and Environment, with a weakened defence.
Slide 27
Figure: the epidemiological model. Unexpected event A -> B -> C -> C -> Accident, with contributing factors (E, A, H) acting on the events.
Slide 28
Epidemiological accident model
Basic principle: Hidden dependencies
Purpose of analysis: Combinations of unsafe acts and latent conditions
Typical reaction: Strengthen barriers and defences. Improve observation (of indicators)
Figure: Normal development A -> B (unexpected event) -> C -> D -> E -> Accident; latent conditions act on the events as causes, and barriers stand between the events and the accident.
Slide 29
Systemic accident model
Assumption: Accidents result from unexpected combinations (resonance) of normal performance variability.
Consequence: Accidents are prevented by monitoring and damping variability. Safety requires constant ability to anticipate future events.
Figure: elements A, B, C and D coupled to each other.
Slide 30
Accident is a normal state of complex systems.
Two dimensions in the evaluation of a system: Complexity, Coupling.
Accident prevention: the failure of a component is not the target; the aim is to understand the properties of the system.
Slide 31
Figure (Hollnagel, 2002): sharp end and blunt end. Sharp end factors (unsafe acts, factors at the local workplace) work here and now; blunt end factors (Management, Company, Regulator, Government, morals and social norms) are removed in space and time.
Slide 32
Figure (Roberts, 2001): Government -> Regulators -> Company -> Management -> Operational staff -> Work actions -> Accident. Everybody's blunt end is someone else's sharp end.
Slide 33
The system aims to keep its output at a reference value and within an acceptable zone. System output fluctuates about the reference. An accident occurs when the output crosses the boundary of the acceptable zone.
Figure: System output over time around the Reference, within the Acceptable zone, with an Accident where the output leaves the zone.
Slide 34
Chains of events are hindsight.
Figure: an accident and the chain of events leading to it, as seen in hindsight.
Slide 35
Accidents are caused by a coincidence among events, rather than a sequence of failures.
The events that combine into the accident can be due to normal performance variability, as well as proper failures.
Figure (Hollnagel, 2002): coinciding events involving Regulators, Equipment, Tasks, Environment, Monitoring and People.
Slide 36
Systemic accident model
Basic principle: Dynamic dependency, functional resonance
Purpose of analysis: Close couplings and complex interactions
Typical reaction: Monitor & control performance variability. Improve anticipation
Slide 37
Figure: the systemic model over time. A normally functioning system is subject to sharp end factors, blunt end factors, latent system conditions and common conditions; system performance variability results, and an accident emerges from it.
Slide 38
Figure: contributors to an incident or accident: Design (unanticipated consequences), Design flaws and oversights, Limited maintenance, Inadequate maintenance, Technological glitches and failures, Latent conditions, Human performance variability, Local optimisation (ETTO), Incapacity, Impaired or missing barriers, Unclear indications, Lax safety culture.
Slide 39
Barrier functions (Hollnagel, 2002), placed along the path from the initiating event (failure mode, incorrect action) to the accident:
Prevention (control barriers): Active or passive barrier functions that prevent the initiating event from occurring.
Protection (safety barriers): Active barrier functions that deflect consequences.
Protection (boundaries): Passive barrier functions that minimise consequences.
Slide 40
Figure: the epidemiological model over time. Accident analysis: a normally functioning system, under local conditions and latent system conditions, is affected by a human erroneous action; the barrier fails and an accident follows. Accident prevention: improve barrier reliability.
Slide 41
Figure (Hollnagel, 2002): pyramid of Accidents, Incidents, Near-misses and Unsafe acts. Visibility of events increases towards the top; frequency of events increases towards the bottom.
Slide 42
Accident model | Search principle of accident analysis | Goal of accident analysis
Sequential accident model | Specific causes and well-defined links. | Eliminate or contain causes.
Epidemiological accident model | Carriers, barriers, and latent conditions. | Strengthen defences and barriers.
Systemic accident model | Functional dependencies and common conditions | Monitor & control performance variability
Hollnagel (2002)
Slide 43
Accident model determines analyses and responses:
- Root cause, shaping factors or coincidence
- Event based or system based
- Elimination, improvement or monitoring
The misleading simplicity of human error:
- Human performance is inherently variable - but not unreliable
- Variability reflects work conditions
- Performance deviations have positive and negative consequences: errors as an opportunity for learning
CSE is a system approach for analysing, evaluating and designing complex systems.
Slide 44
Safety is freedom from accidents or losses. Leveson (1995)
$\text{Safety} = 1 - \sum_{i=1}^{n} \text{Accident}_i$
Figure (Hollnagel, 2004): two views of safety side by side.
Absence of failures | Stay inside envelope of safe performance
Risks are identified and controlled | Performance variability management
Imagination, identification, assessment, modification | Monitoring: detection-recovery
Slide 47
Figure (Hollnagel, 2004): three levels of data, plotted against Sensitivity (low to high) and Validity (high to low); each level depends on a model (Model?).
Level 1: Accident studies (statistics): long delays, dependent on accident model.
Level 2: Incident studies: higher event rate; data collection may be costly.
Level 3: Performance measurements: measurements of single events or cases.
Slide 50
HAZOP
Objective: Identify all hazards resulting from potential malfunctions in a process.
Analyse each step in the process using HAZOP guidewords:
- Determine how this could happen
- Can the condition be detected? Are the consequences hazardous?
- Can the consequences be prevented?
- Is prevention cost-effective?
Guide words | Meaning
No or None | The negation of the intention (e.g. no flow)
More | A quantitative increase (e.g. high pressure)
Less | A quantitative decrease (e.g. low pressure)
As well as | In addition to (e.g. impurity)
Part of | A qualitative decrease (e.g. only one or two components present)
Reverse | The opposite of the intention (e.g. backflow)
Other than | Complete substitution (e.g. wrong material)
Slide 51
HAZOP example
Type of deviation | Typical problems
More pressure | Blockage, valve closed, high ambient temperature etc.
Less temperature | Heat loss, leak, imbalance of input and output etc.
... | ...
Deviation | Cause | Consequence | Existing controls | Possible action
More pressure | Valve closed | Overpressure | None | High pressure alarm
Less temperature | Leak | Release to atmosphere | None | Gas detector
... | ... | ... | ... | ...
Slide 53
Figure (IEE, 2004).
Slide 55
AND (conjunction): If B and C are true, then A is true.
OR (disjunction): If B or C are true, then A is true.
Example (Hollnagel, 2004):
Flooding = Pumps do not work AND Water level continues to rise
Signal is missed = Operator is inattentive OR Signal/noise ratio is too low
Slide 56
Fault tree construction
1. Identify top event
2. Identify first-level events
3. Link the events to the top event by a logic gate
4. Identify next-level events
5. Link the events to the last-level events by a logic gate
6. Repeat steps 4 and 5 until all basic events are identified
A basic event indicates the limit of analytical resolution.
Figure: Top event at the root, intermediate events joined by AND and OR gates, basic events at the leaves.
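As an added example (not from the lecture slides), the two gate types and the flooding tree from the previous slide as a small Python evaluator: it checks whether the top event occurs for a given set of basic events, lists the minimal cut sets (the smallest combinations of basic events that are sufficient for the top event, which is what an analyst defends against), and computes the top-event probability for independent basic events. The "Pump hardware fault" event, the link from the missed signal to the pumps, and all probabilities are assumptions made here for illustration.

```python
from dataclasses import dataclass
from itertools import product
from math import prod

@dataclass(frozen=True)
class Gate:
    kind: str      # "AND": conjunction, true only if every input is true; "OR": disjunction
    inputs: tuple  # children: a str names a basic event, a Gate is an intermediate event

def holds(node, occurred):
    """Top-down evaluation: does `node` occur, given the set of basic events that occurred?"""
    if isinstance(node, str):
        return node in occurred
    results = [holds(child, occurred) for child in node.inputs]
    return all(results) if node.kind == "AND" else any(results)

def cut_sets(node):
    """Every combination of basic events that is sufficient for `node` (Boolean expansion)."""
    if isinstance(node, str):
        return [frozenset([node])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":                        # any one input's cut set is enough
        return [s for group in child_sets for s in group]
    return [frozenset().union(*combo)            # AND: one cut set from every input, combined
            for combo in product(*child_sets)]

def minimal_cut_sets(node):
    """Drop cut sets that contain a smaller one; the rest are the combinations to defend against."""
    sets = set(cut_sets(node))
    return sorted((s for s in sets if not any(other < s for other in sets)),
                  key=lambda s: (len(s), sorted(s)))

def probability(node, p_basic):
    """Top-event probability assuming independent basic events with probabilities p_basic."""
    if isinstance(node, str):
        return p_basic[node]
    ps = [probability(child, p_basic) for child in node.inputs]
    return prod(ps) if node.kind == "AND" else 1 - prod(1 - p for p in ps)

# The slide's tree: flooding requires the pumps not working AND the water level continuing
# to rise; the signal is missed if the operator is inattentive OR the signal/noise ratio is
# too low.  Assumption (not on the slide): the pumps stay off when the signal is missed or
# when the pump hardware fails.
SIGNAL_MISSED = Gate("OR", ("Operator is inattentive", "Signal/noise ratio is too low"))
PUMPS_OFF = Gate("OR", (SIGNAL_MISSED, "Pump hardware fault"))
FLOODING = Gate("AND", (PUMPS_OFF, "Water level continues to rise"))

# Constructed basic-event probabilities, chosen for illustration only.
P_BASIC = {"Operator is inattentive": 0.05, "Signal/noise ratio is too low": 0.02,
           "Pump hardware fault": 0.01, "Water level continues to rise": 0.2}

if __name__ == "__main__":
    for cut in minimal_cut_sets(FLOODING):
        print("minimal cut set:", sorted(cut))
    print("P(flooding) =", round(probability(FLOODING, P_BASIC), 6))
```

Every minimal cut set contains the rising water level, which is what the AND gate on the slide expresses: stopping the rise alone is a single barrier against all three paths.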
Slide 57
Figure (IEE, 2004).
Slide 60
Sources for the columns of the failure mode analysis (Hollnagel, 2004):
System model: Task analysis; Functional model; Goals-means model
Failure modes: HAZOP list; MTO list; phenotypes
Possibilities for detection: Interface design; Work organisation
Likelihood
Possible antecedents (causes): Accident statistics; experience; brainstorming
Consequence
Context (performance conditions)
Slide 61
Figure (Hollnagel, 2004): task analysis of a transaction. Begin -> Prepare transaction (Insert card; Enter PIN code: Enter four digits, Push Enter) -> Select type of transaction -> Enter amount -> Complete transaction (Remove card; Remove money).
Slide 62
Failure mode analysis worksheet (Hollnagel, 2004), columns and guidance:
Activity / function: Activities should be described on the same level of detail.
Failure mode / deviation: Failure mode can be found using guidewords, e.g. phenotypes. Identification must be systematic.
Possibility of detection: Yes / No; How; When.
Probability / likelihood
Consequence: Consequence should be described as clearly as possible.
Mitigating action: Mitigating actions (M, T, or O).
Slide 63
Failure modes (Hollnagel, 2004)
Failure mode | Human failure mode | Systemic failure mode
Timing | Action performed too early or too late | Position reached too early or too late. Equipment not working as required.
Duration | Action performed too briefly or for too long | Function or system state held too briefly or for too long.
Distance | Object/control moved too short or too far | System or object transported too short or too far.
Speed | Action performed too slowly or too fast | System moving too slowly or too fast. Equipment not working as required.
Direction | Action performed in the wrong direction | System or object (mass) moving in the wrong direction.
Force / power / pressure | Action performed with too little or too much force | System exerting too little or too much force. Equipment not working as required. System or component having too little or too much pressure or power.
Object | Action on wrong object | Function targeted at wrong object.
Sequence | Two or more actions performed in wrong order | Two or more functions performed in the wrong order.
Quantity / volume | None | System/object contains too little or too much or is too light or too heavy.
Slide 64
Performance conditions (Hollnagel, 2004), each rated on a scale from Very good to Very bad:
Availability (personnel, equipment)
Training and preparation (competence)
Communication quality
HMI and operational support
Availability of procedures and methods
Working conditions
Number of goals & conflict resolution
Available time (time pressure)
Circadian rhythm, stress
Team collaboration (commitment)
Organisation quality
Slide 67
Read the US Highway Accident Case.
Apply the viewpoints of the three accident models that were discussed:
- Which contributing factors can the model identify?
- Which contributing factors do you miss in the model?
- Is there enough information for investigation according to each model?
- Which model do you think the investigators had in mind?