safetymodels&accidentmodelssimplesequentialaccidentmodel h.heinrich’sdominomodel (1930)...

Post on 15-Jul-2020






Click to see full reader


Safety models & accident models

Eric Marsden


Mental models

▷ A safety model is a set of beliefs or hypotheses (often implicit)about the features and conditions that contribute to the safety ofa system

▷ An accident model is a set of beliefs on the way in whichaccidents occur in a system

▷ Mental models are important because they impact systemdesign, operational decisions and behaviours

2 / 18

Accidents as “acts of god”

▷ Fatalism: “you can’t escape your fate”

▷ Defensive attitude: accidents occur due to circumstances“beyond our control”

▷ Notion that appeared in Roman law: reasons that couldexclude a person from absolute liability• e.g. violent storms & pirates exempted a captain from

responsibility for his cargo

3 / 18

Simple sequential accident model

H. Heinrich’s domino model(1930)


▷ Accidents arise from aquasi-mechanical sequence ofevents or circumstances, thatoccur in a well-defined order

▷ An accident can be preventedby removing one of the“dominos” in the causalsequence

4 / 18

Simple sequential accident model

The “safety pyramid” or “accident triangle”(H. Heinrich, 1930 and F. Bird, 1970)


▷ Each incident is an “embryo” of an accident(the mechanisms which cause minorincidents are the same as those that createmajor accidents)

▷ Reducing the frequency of minor incidentswill reduce the probability of a majoraccident

▷ Accidents can be prevented by identifyingand eliminating possible causes

5 / 18

Simple sequential accident model

According to this model, safety is improved by identifyingand eliminating “rotten apples”

▷ front-line staff who generate “human errors”

▷ whose negligent attitude might propagate to otherstaff

Some accidents (in particular in high-risk systems) have more complicated origins…

6 / 18

On “human error”

‘‘ for a long time people were saying mostaccidents were due to human error and this istrue in a sense but it’s not very helpful. It’s abit like saying that falls are due to gravity…

— Trevor Kletz

A useful alternative concept to human error isperformance variability.

7 / 18

Is it relevant to count errors?

▷ Counting errors produces a quantitative assessment of the “safety level” of a system

▷ Allows inter-comparison of systems

▷ Can constitute the point of departure for a search for the underlying causes of incidents

number of errors safety level

quantity quality

inverse relationship

This simplistic model is very criticized

8 / 18

Is counting errors relevant?

Who is more dangerous?

▷ 700 000 doctors in the USA

▷ between 44 000 and 98 000people die each year from amedical error

→ between 0.063 and 0.14accidental deaths per doctorper year

▷ 80 million firearm owners inthe USA

▷ responsible for ≈1 500accidental deaths per year

→ 0,000019 accidental deaths perfirearm owner per year

The probability that the human error of a

doctor kills someone is 7500 times higher

than for a firearm owner. [S. Dekker]

9 / 18

Is counting errors relevant?

▷ 700 000 doctors in the USA

▷ between 44 000 and 98 000people die each year from amedical error

→ between 0.063 and 0.14accidental deaths per doctorper year

▷ 80 million firearm owners inthe USA

▷ responsible for ≈1 500accidental deaths per year

→ 0,000019 accidental deaths perfirearm owner per year

The probability that the human error of a

doctor kills someone is 7500 times higher

than for a firearm owner. [S. Dekker]

9 / 18

Is counting errors relevant?

▷ 700 000 doctors in the USA

▷ between 44 000 and 98 000people die each year from amedical error

→ between 0.063 and 0.14accidental deaths per doctorper year

▷ 80 million firearm owners inthe USA

▷ responsible for ≈1 500accidental deaths per year

→ 0,000019 accidental deaths perfirearm owner per year

The probability that the human error of a

doctor kills someone is 7500 times higher

than for a firearm owner. [S. Dekker]

9 / 18

Is counting errors relevant?

▷ 700 000 doctors in the USA

▷ between 44 000 and 98 000people die each year from amedical error

→ between 0.063 and 0.14accidental deaths per doctorper year

▷ 80 million firearm owners inthe USA

▷ responsible for ≈1 500accidental deaths per year

→ 0,000019 accidental deaths perfirearm owner per year

The probability that the human error of a

doctor kills someone is 7500 times higher

than for a firearm owner. [S. Dekker]

9 / 18

Epidemiological accident model


event incident



l bar



from "Human Error" (James Reason)


ty m



t sy


s an

d pr





d w






James Reason’s Swisscheese model

Assumption: accidents are produced by a combination of active errors (poor safetybehaviours) and latent conditions (environmental factors)

Consequences: prevent accidents by reinforcing barriers. Safety management requiresmonitoring via performance indicators.

10 / 18

Bow-tie modelca







11 / 18

Bow-tie modelca































fault tree event tree

11 / 18

Bow tie diagram

12 / 18

Bow-tie: example

13 / 18

Loss of control accident model




Destabilization point

Figure source: French BEA

14 / 18

Drift into failure

economic failure



space of possibilities

Human behaviour in any largesystem is shaped by constraints:profitable operations, safeoperations, feasible workload.Actors experiment within thespace formed by these constraints.

managementpressure forefficiency

Human behaviour in any largesystem is shaped by constraints:profitable activity, safe operations,feasible workload. Actorsexperiment within the spaceformed by these constraints.

Management will provide a “costgradient” which pushes activitytowards economic efficiency.

gradient towardsleast effort

Human behaviour in any largesystem is shaped by constraints:economic, safety, feasibleworkload. Actors experimentwithin the space formed by theseconstraints.

Management will provide a “costgradient” which pushes activitytowards economic efficiency.

Workers will seek to maximizethe efficiency of their work, witha gradient in the direction ofreduced workload.

drift towards failure

These pressures push work tomigrate towards the limits ofacceptable (safe) performance.Accidents occur when thesystem’s activity crosses theboundary into unacceptable safety.

A process of “normalization ofdeviance” means that deviationsfrom the safety proceduresestablished during system designprogressively become acceptable,then standard ways of working.

effect of a“questioningattitude”

safety margin

Mature high-hazard systemsapply the defence in depth designprinciple and implement multipleindependent safety barriers. Theyalso put in place programmesaimed at reinforcing people’squestioning attitude and theirchronic unease, making them moresensitive to safety issues.

These shift the perceivedboundary of safe performance tothe right. The difference betweenthe minimally acceptable levelof safe performance and theboundary at which safety barriersare triggered is the safety margin.

Figure adapted from Risk management in a dynamic society, J. Rasmussen, Safety Science, 1997:27(2)

15 / 18

Drift into failure

economic failure



space of possibilities

Human behaviour in any largesystem is shaped by constraints:profitable operations, safeoperations, feasible workload.Actors experiment within thespace formed by these constraints.

managementpressure forefficiency

Human behaviour in any largesystem is shaped by constraints:profitable activity, safe operations,feasible workload. Actorsexperiment within the spaceformed by these constraints.

Management will provide a “costgradient” which pushes activitytowards economic efficiency.

gradient towardsleast effort

Human behaviour in any largesystem is shaped by constraints:economic, safety, feasibleworkload. Actors experimentwithin the space formed by theseconstraints.

Management will provide a “costgradient” which pushes activitytowards economic efficiency.

Workers will seek to maximizethe efficiency of their work, witha gradient in the direction ofreduced workload.

drift towards failure

These pressures push work tomigrate towards the limits ofacceptable (safe) performance.Accidents occur when thesystem’s activity crosses theboundary into unacceptable safety.

A process of “normalization ofdeviance” means that deviationsfrom the safety proceduresestablished during system designprogressively become acceptable,then standard ways of working.

effect of a“questioningattitude”

safety margin

Mature high-hazard systemsapply the defence in depth designprinciple and implement multipleindependent safety barriers. Theyalso put in place programmesaimed at reinforcing people’squestioning attitude and theirchronic unease, making them moresensitive to safety issues.

These shift the perceivedboundary of safe performance tothe right. The difference betweenthe minimally acceptable levelof safe performance and theboundary at which safety barriersare triggered is the safety margin.

Figure adapted from Risk management in a dynamic society, J. Rasmussen, Safety Science, 1997:27(2)

15 / 18

Drift into failure

economic failure



space of possibilities

Human behaviour in any largesystem is shaped by constraints:profitable operations, safeoperations, feasible workload.Actors experiment within thespace formed by these constraints.

managementpressure forefficiency

Human behaviour in any largesystem is shaped by constraints:profitable activity, safe operations,feasible workload. Actorsexperiment within the spaceformed by these constraints.

Management will provide a “costgradient” which pushes activitytowards economic efficiency.

gradient towardsleast effort

Human behaviour in any largesystem is shaped by constraints:economic, safety, feasibleworkload. Actors experimentwithin the space formed by theseconstraints.

Management will provide a “costgradient” which pushes activitytowards economic efficiency.

Workers will seek to maximizethe efficiency of their work, witha gradient in the direction ofreduced workload.

drift towards failure

These pressures push work tomigrate towards the limits ofacceptable (safe) performance.Accidents occur when thesystem’s activity crosses theboundary into unacceptable safety.

A process of “normalization ofdeviance” means that deviationsfrom the safety proceduresestablished during system designprogressively become acceptable,then standard ways of working.

effect of a“questioningattitude”

safety margin

Mature high-hazard systemsapply the defence in depth designprinciple and implement multipleindependent safety barriers. Theyalso put in place programmesaimed at reinforcing people’squestioning attitude and theirchronic unease, making them moresensitive to safety issues.

These shift the perceivedboundary of safe performance tothe right. The difference betweenthe minimally acceptable levelof safe performance and theboundary at which safety barriersare triggered is the safety margin.

Figure adapted from Risk management in a dynamic society, J. Rasmussen, Safety Science, 1997:27(2)

15 / 18

Drift into failure

economic failure



space of possibilities

Human behaviour in any largesystem is shaped by constraints:profitable operations, safeoperations, feasible workload.Actors experiment within thespace formed by these constraints.

managementpressure forefficiency

Human behaviour in any largesystem is shaped by constraints:profitable activity, safe operations,feasible workload. Actorsexperiment within the spaceformed by these constraints.

Management will provide a “costgradient” which pushes activitytowards economic efficiency.

gradient towardsleast effort

Human behaviour in any largesystem is shaped by constraints:economic, safety, feasibleworkload. Actors experimentwithin the space formed by theseconstraints.

Management will provide a “costgradient” which pushes activitytowards economic efficiency.

Workers will seek to maximizethe efficiency of their work, witha gradient in the direction ofreduced workload.

drift towards failure

These pressures push work tomigrate towards the limits ofacceptable (safe) performance.Accidents occur when thesystem’s activity crosses theboundary into unacceptable safety.

A process of “normalization ofdeviance” means that deviationsfrom the safety proceduresestablished during system designprogressively become acceptable,then standard ways of working.

effect of a“questioningattitude”

safety margin

Mature high-hazard systemsapply the defence in depth designprinciple and implement multipleindependent safety barriers. Theyalso put in place programmesaimed at reinforcing people’squestioning attitude and theirchronic unease, making them moresensitive to safety issues.

These shift the perceivedboundary of safe performance tothe right. The difference betweenthe minimally acceptable levelof safe performance and theboundary at which safety barriersare triggered is the safety margin.

Figure adapted from Risk management in a dynamic society, J. Rasmussen, Safety Science, 1997:27(2)

15 / 18

Drift into failure

economic failure



space of possibilities

Human behaviour in any largesystem is shaped by constraints:profitable operations, safeoperations, feasible workload.Actors experiment within thespace formed by these constraints.

managementpressure forefficiency

Human behaviour in any largesystem is shaped by constraints:profitable activity, safe operations,feasible workload. Actorsexperiment within the spaceformed by these constraints.

Management will provide a “costgradient” which pushes activitytowards economic efficiency.

gradient towardsleast effort

Human behaviour in any largesystem is shaped by constraints:economic, safety, feasibleworkload. Actors experimentwithin the space formed by theseconstraints.

Management will provide a “costgradient” which pushes activitytowards economic efficiency.

Workers will seek to maximizethe efficiency of their work, witha gradient in the direction ofreduced workload.

drift towards failure

These pressures push work tomigrate towards the limits ofacceptable (safe) performance.Accidents occur when thesystem’s activity crosses theboundary into unacceptable safety.

A process of “normalization ofdeviance” means that deviationsfrom the safety proceduresestablished during system designprogressively become acceptable,then standard ways of working.

effect of a“questioningattitude”

safety margin

Mature high-hazard systemsapply the defence in depth designprinciple and implement multipleindependent safety barriers. Theyalso put in place programmesaimed at reinforcing people’squestioning attitude and theirchronic unease, making them moresensitive to safety issues.

These shift the perceivedboundary of safe performance tothe right. The difference betweenthe minimally acceptable levelof safe performance and theboundary at which safety barriersare triggered is the safety margin.

Figure adapted from Risk management in a dynamic society, J. Rasmussen, Safety Science, 1997:27(2)

15 / 18

Non-linear accident model

Systemic models

▷ FRAM (Hollnagel, 2000)▷ STAMP (Leveson, 2004)

Assumption: accidents result from an unexpected combination and the resonance of normalvariations in performance

Consequences: preventing accidents means understanding and monitoring performancevariations. Safety requires the ability to anticipate future events and react appropriately.

16 / 18



▷ Sodom and Gomorrah burning (slide 26): Picu Pătruţ, public domain, viaWikimedia Commons

▷ Dominos (slide 27): H. Heinrich, Industrial Accident Prevention: A ScientificApproach, 1931

For more free content on risk engineering,visit

17 / 18

Feedback welcome!

Was some of the content unclear? Which parts were most useful toyou? Your comments to or @LearnRiskEng (Twitter) will help us to improve thesematerials. Thanks!


This presentation is distributed under the terms of theCreative Commons Attribution – Share Alike licence

For more free content on risk engineering,visit

18 / 18

top related