Accidents - are they avoidable?
Taken from the UK Club's series of Human Factor seminars, presented to over 2,000 people worldwide.
What is an accident?
An accident or incident is an unplanned chain of events which has, or could have, caused injury or illness and/or damage to people, assets, the environment or reputation. Modern research has shown that the basic components of an accident can be shown as the simple 'formula':
Uncontrolled hazard + Undefended target = Unwanted event (accident)
By adding the concept of breached, or missing, controls and defences, a simple accident can be shown diagrammatically (below).

But accidents are not as simple as this, because usually there are several breached or missing controls and defences. More importantly almost all accidents consist of a series of interlinking 'events', in which each event becomes either a new hazard or a new target in its own right. In the presence of further targets or hazards and new and further breaches of defences and controls, a second event is created and so on. During accident investigations it is not uncommon to identify five, six or even seven interlinking events before the final event or accident becomes a reality.
The concept of the 'event chain' or 'incident trajectory' is shown below.
Note the original (first) event resulted in a fire. In the presence of two new 'targets', i.e. an operator and a piece of equipment, the resultant double event led to a badly burnt operator (injury) and damaged equipment (asset damage). Because the immediate aftercare of the injured operator (first aid or paramedic treatment) was ineffective (new hazard), the operator's injuries resulted in a partial disability (final event).
Reverting to the simple accident diagram and the 'formula' in the text box on the front page, if one of the controls or defences had not been breached there would not have been an accident. If detected, the resultant 'near-miss' or 'dangerous occurrence' could still have been reported, investigated and acted upon as if it were the real thing.
The usual mechanism, whereby controls and defences are breached, is an unsafe act by an individual at the sharp end. Occasionally, they may be breached by an inherent unsafe condition but these too will invariably have been caused by the acts or omissions of people, which may be nothing more than a simple and unintentional mistake. Such unsafe acts or unsafe conditions are generally referred to as active failures.
While active failures are interesting - indeed much can be learnt from them - a lot more can be learnt, and more effective remedial measures put in place, by addressing the sick camel in the first place.
Conventional wisdom (below) dictates that in order for an accident to happen, defences of some kind will have been breached, usually by an unsafe act, carried out in a specific situation and in the presence of hazards of some kind.

What changed this long-established view, which as a basis for the new model is still correct, was some highly original research sponsored by one of the oil-majors and carried out at two major universities, one in the UK and one in the Netherlands. The research originally set out to establish the role of the human being in the accident equation but very quickly established an 'alternative' theory of accident causation. Because of the triangular shape of the basic model of the theory, it became known as the 'Tripodian' view of accident causation. Basically it uses the 'conventional' diagram shown below, left, but adds a third component: general failure types (GFTs).
This 'alternative' model of accident causation is shown in the diagram below.
The research accepts that, properly investigated, there is much in a reactive sense to be learnt from accidents. It also recognises that unsafe acts or active failures can be reduced using tools aimed at modifying human behaviour. The research suggested that the problem with attempting to learn solely from active failures is that: (a) there are potentially millions of them; (b) they will rarely be repeated in the same way; and (c) the circumstances in which they occurred will never be exactly the same.
More importantly the research established once and for all that the 'sick camel' could be made considerably healthier by managing what are called the general failure types (GFTs) of which there are just eleven. Using a medical analogy, the GFTs could be considered as the vital organs of the 'safety body'. If properly managed in terms of their inherent health or strength, these could actually help prevent large numbers of accidents from ever happening at all. Once again, in medical terms it's a bit like having a healthy heart and preventing heart attacks, or being vaccinated against pneumonia or 'flu' - all designed to prevent illness in the first place. Thus rather than acting in response to an incident we seek instead to act before an incident.
The research delved deep into the causation theory in order to establish a concrete link between breached defences and controls, and active and latent failures; thus the Tripod causation model was born (see diagram below).
The interesting point about this model is that it introduces two new elements into the causation chain. First, it provides a linking mechanism, known as the precondition, though sometimes referred to as the 'psychological precursor', between the active and latent failures.
Secondly, it introduces the policy maker at the very start of the chain, thus illustrating the clear relationship between commitment by the policy makers at the beginning of the chain and the results at the end of the day.
No commitment = No effective safety or HSE management system
By comparing the diagram of the Tripod causation model and the simple accident diagram on the front page, it should become obvious that the link between the two is established through failed defences (for the target) and failed controls (for the hazard). The combined accident model, known as the Tripod-BETA tree, complete with all basic components is shown in the diagram (below).
Bearing in mind that any accident consists of a series of interlinking events, a completed accident tree can be exceedingly complex indeed.
Active failures
Both defences and controls are breached by 'active failures'. Active failures are the failures close to the accident event that defeat the controls and defences on the hazard and target trajectories. In many cases, these are the actions of people, i.e. unsafe acts. Human errors are implicated in at least four out of five active failures, but human error, as we have already seen, is a broad term that includes a number of different sources of error.
Not all active failures are human actions. Physical failures of controls and defences also occur due to conditions such as over-stress, corrosion or metal fatigue. These are often referred to as 'unsafe conditions'. Having said that, human actions are often implicated as contributory causes to this form of active failure but they are not, in themselves, unsafe acts. For instance, a designer may have failed to identify the need to use a particular high-tensile material in a specific circumstance, thus sometime later causing component failure.
Latent failures
As already mentioned, latent failures are the 'vital organs' of the safety equation. Latent failures are deficiencies, or anomalies, that create the preconditions that result in the creation of active failures. Management (the so-called policy or decision makers) decisions often involve the resolution of conflicting objectives. Decisions taken using the best information available at that moment prove to be fallible with time. Also, the future potential for adverse effects of decisions may not be fully appreciated, or circumstances may change that alter their likelihood or magnitude.
The accident-producing potential of latent failures may lie dormant for a long time, only becoming apparent when they combine with local triggering factors - active failures, technical faults, abnormal environmental conditions or abnormal system states, some of which even the best HSE management systems will have absolutely no control over whatsoever.
Rather than dealing with an infinite number of active failures, it is reassuring to note that there are just eleven latent failures on which to work to ensure absolute good health.
The eleven latent failures, which constitute the general failure types (GFTs) are:
- HARDWARE
- DESIGN
- MAINTENANCE MANAGEMENT
- PROCEDURES
- ERROR-ENFORCING CONDITIONS
- HOUSEKEEPING
- INCOMPATIBLE GOALS
- COMMUNICATIONS
- ORGANISATION
- TRAINING
- DEFENCES
The Club's new DVD No Room For Error examines these in detail.