Accident Models and Risk Analysis

8/3/2019 Accident Models and Risk Analysis

1/68

Rogier WoltjerDivision of Human-Centered Systems

Department of Computer and Information Science

Linkping University

BIKS1 4OKT06 F6&7(with thanks to Erik Hollnagel and Yu-Hsing Huang)

Cognitive Systems Behaviour

in Complex Environments:Accident Models and Risk Analysis


2/68

2


3/68

3

!!"

An accident is an unexpected event with unwantedoutcome

Unexpectedevent

Unwantedoutcome

AND Accident

Hollnagel (2004)


4/68

4

Unwanted

outcomeprevented

#$%!"

Accident

Normaloperation

Unwantedoutcome

Unexpected event

Unexpected

eventprevented

Accident

avoided

Reduce theprobability

that the eventhappens

Reduce theconsequences

of the event


5/68

5

"&!"

Normalcondition

Unexpected

event

ANDAbnormalcondition

Failure ofcontrol

ANDLoss of

control

Lack ofdefence

AND Accident

Rasmussen & Jensen (1973)


6/68

6

"'!$""

Green & Senders (2003)

85%-National Safety Council (1974)

89%1193Finnish Insurance Information Center (1974)

95%2130English Study (cited in Sabey and Staughton, 1975)

88%670Perchonok (1972)

92.6%2258Treat et al. (1977)

% human error# accidentsStudy


7/68

7

"'!$""

Vehicle (12.6%)

Driver (92.6%)

2,258road accidents

Improper lookout (23.1%)

Excessive speed (16.9%)

Inattention (15.0%)

Improper evasive action (13.3%) Internal distraction (9.0%)

Environment (33.8%)

Treat et al. (1977)

View obstructions (12.1%)

Slick roads (9.8%)

Transient hazards (5.2%)

Design problems (4.8%)

Control hindrances (3.8%)

Braking systems (5.2%)

Tires and wheels (4.0%)

Communications systems (1.7%)

Steering systems (1.0%)

Body and doors 0.7%)


8/68

8

"("$)'"'*

10

20

30

40

50

60

70

80

100

90

1960 1965 1970 1975 1980 1985 1990 1995

% Attributed cause

2000

Humanfactors

Organisation

?

?

?

Technology

Hollnagel (2002)


9/68

9

%+%(*!"'

Accident /event

Technicalfailures

Other

Humanerror

Operation

MaintenanceDesign

Management

Latent failureconditions

Organisationalfailures

Violations

Safety culture

Barriers

Quality management

Resources

Heuristics

Information processes

Cognitive functions

Pathogenic organisations

Software failures

Complexcoincidences

Simplecausality

Hollnagel (2002)


10/68

10

*$%"**$"

Analyzedata

SelectremedyApplyremedy

Monitor

Basic Personal Philosophy ofAccident Occurrence and Prevention

Principles Beliefs

Fundamental Approach to AccidentPrevention

(Safety Management)

For Long-Term SafetyManagement Considerations

and Safety Programming

For Short-Term SafetyManagement Problems and

Considerations

Collectdata

Heinrich et al. (1980)


11/68

11

+, +"!"- &

Method

Classification

schemeModelAnalysis

Data:Observations,event reports

The method describes how theclassification take place

The model describes

the internal structure ofthe classificationscheme

Hollnagel (1998)

Conclusions


12/68

12

""+.*$%

Analysis Prevention

Probable causes

Cost-benefitanalysis

Corrective action


13/68

13

&+

Analysis Prevention

Probable causes Corrective actionAccidentmodel

Effect Cause Cause Effect

Cost-benefitanalysis


14/68

14

"'"+"'&*

Every cause has an effect

Every event (effect) has a prior cause

Cause Effect

EffectCause

1. If we knowwhat this is ...

2. then we canlook for this!

1. If we cansee what thisis ...

2. then we canfind out whatthis is!

Hollnagel (2002)


15/68

15

""&+

Accidents are the

complex result ofmultiple, interactingfactors. In order to make

sense of this, an accidentmodel is required.

An accident model isan abstraction that

describes howaccidents can occurand therefore also howthey can be prevented.

Accident analysis Accident prevention

What shouldwe look for?

What can wedo about it?


16/68

16

&*+/+"$"'-!!&+

Assumption: Accidents are the (natural) culminationof a series of events or circumstances, which occurin a specific and recognisable order.

Consequence:Accidents are prevented by finding and eliminatingpossible causes.Safety is ensured by improving the organisations

capability to respond.


17/68

17

The occurrence of a preventable injury is the naturalculmination of a series of events or circumstances, whichinvariably occur in a fixed and logical order.One is dependent on another and one follows because ofanother, thus constituting a sequence that may be compared

with a row of dominoes placed on and in such alignment inrelation to one another that the fall of the first dominoprecipitates the fall of the entire row

&&+0$/12345

So

cial

environment

Anc

estr

y

Faultof

person

Unsafeact

Mechanic

al&physical

H

azards

Acc

ident

A

ccid

ent

In

jury

Inju

ry


18/68

18

&$

1

1. Ancestry and social environment

2. Fault of person

3. Unsafe act or/and unsafe

mechanical or physical condition

4. Accident

5. Injury

Removal ofmiddle domino

breaks the chain

23

4

5

Heinrich et al. (1980)


19/68

19

%""'

B

C

C

Accident

Event

Cause

A

Unexpectedevent


20/68

20

6'&"$$$6

Hollnagel (1998)

Response

Response

withinlimits?

Humanerror

Correctresponse

Criterion

Error as anexternalised category

No Yes


21/68

21

7'"+"&+

Accident

Componentfailure

Normallyfunctioningsystem

Time

Humanfailure

Technicalfailure

Accidentanalysis

Componentfailure

Component

reliability

Accidentprevention

Time


22/68

22

'&"$$'"

Hollnagel (1998)

Mistake

CorrectExecution?

Slip

Correctaction

Error as an

internalised category

Correct

intention?

Yes

No

Yes No


23/68

23

7'!"&*+/+"$&+

Find specificcauses and cause-

effect links.

Eliminate causesand links.

Improve responses

Basic principle Purpose of analysis Typical reaction

Causality(Single or multiple

causes)

C

D

D

Accident

Event

(Caus

e)

B

Unexpected event

ENormal

developmentA


24/68

24

&*+8/+"$"'-!!&+

Assumption: Accidents result from a combination ofactive failures (unsafe acts) and latent conditions(hazards).

Consequence:Accidents are prevented by strengthening barriersand defences.Safety is ensured by keeping track of performanceindicators.


25/68

Some holes aredue to active

failures

Other holes aredue to latentconditions

Hazard

Loss

66 &+0"5

Accidents are seen as the result of interrelationsbetween real time unsafe acts by front lineoperators and latent conditions weakeneddefences.


26/68

26

&+

Weakeneddefence

HostAgent

Environment


27/68

27

%"!"$

B

C

C

Accident

Event

Factors

E

A

AH

Unexpectedevent


28/68

28

Combinations ofunsafe acts andlatent conditions

Strengthen barriersand defences.

Improveobservation (of

indicators)

Basic principle Typical reaction

Hiddendependencies

7'!"&*+8/+"$&+

C

D

DB E

Barrier

Latent

conditions

Accident

Unexpectedevent

Normaldevelopm

ent

A

Causes

Latent

conditions

Event

Basic principle Purpose of analysis


29/68

29

-+"$"&+

Assumption: Accidents result from unexpectedcombinations (resonance) of normal performancevariability.

Consequence:Accidents are prevented by monitoring and dampingvariability.Safety requires constant ability to anticipate futureevents.

DC

BA


30/68

30

$&"+$0#$$/129:5

Accident is a normal state of complex systems

Two dimensions in the evaluation of system

Complexity

Coupling

Accident prevention

The failure of component is not the target

To understand the property of systems


31/68

31

"$*, )+'

Factors atlocal

workplaceManagement Company Regulator

Sharp endfactors work

here and now

Blunt end factorsare removed inspace and time

GovernmentUnsafeacts

Morals,socialnorms

Hollnagel (2002)


32/68

32

*"$

Government

Regulators

Company

Management

Operational staff

Work actions

AccidentEverybodys blunt end issomeone elses sharp end.

Roberts (2001)


33/68

33

&'*'

The system aims to remain its output on a reference and within

an acceptable zone. System output fluctuates about thereference. An accident occurs when the output over the

boundary.

Accident

System output

AcceptablezoneReference


34/68

34

'+*+!"$"&'+*+"

Accident

Chains of events are hindsight


35/68

35

"'"

Accidents arecaused by a

coincidence amongevents, rather than a

sequence of

failures.

The events thatcombine into theaccident can be

due to normalperformance

variability, as wellas proper failures.

Regulators

Equipment

Tasks

Environment

Monitoring

People

Hollnagel (2002)


36/68

36

Close couplingsand complexinteractions

Monitor & controlperformance

variability. Improveanticipation

Basic principle Purpose of analysis Typical reaction

Dynamicdependency,

functionalresonance

7'!"-+"$&+


37/68

37

&"&+

Accident

Normallyfunctioning

system

Sharp endfactors

Blunt endfactors

Latentsystem

conditions

Latentsystem

conditions

Time

Commonconditions

System performancevariability


38/68

38

;'"+"+

Design(unanticipatedconsequences)

Limitedmaintenance

Technological

glitches andfailures

Inadequatemaintenance

Design flawsand oversights

Incident,accident

Latent

conditions

Humanperformance

variability

Localoptimisation

(ETTO)Incapacity

Impaired or

missingbarriers

Unclearindications

Lax safetyculture


39/68

39

#$%"*$

Prevention (control barriers):

Active or passive barrierfunctions that prevent the

initiating event from occurring.

Protection (safetybarriers):

Active barrierfunctions that

deflectconsequences

Protection(boundaries):

Passive barrierfunctions that

minimiseconsequences

Accident

Initiating event,failure mode

(Incorrect action)

Hollnagel (2002)


40/68

40

*&+("+"&+

Human

erroneousaction

Normally

functioningsystem

Barrier

Localconditions

Latent

systemconditions

Latent

systemconditions

Time

Accidentanalysis

Accident

Barrier failure

Barrier reliability

Accidentprevention

Time


41/68

41

)$(&+!"

Hollnagel (2002)

Accidents

Incidents

Near-misses

Unsafe acts

Increasingvisibility ofevents

Increasingfrequency

of events


42/68

42

&+

Searchprinciple of

accidentanalysis

Goal of

accidentanalysis

Specific causesand well-defined

links.

Specific causesand well-defined

links.

Eliminate orcontain causes.

Eliminate or

contain causes.

Sequentialaccidentmodel

Epidemiological

accident model

Systemicaccidentmodel

Carriers, barriers,and latentconditions.

Carriers, barriers,and latent

conditions.

Strengthen

defences andbarriers .

Strengthen

defences andbarriers .

Functionaldependencies

and commonconditions

Functionaldependencies

and commonconditions

Monitor & control

performancevariability

Monitor & control

performancevariability

Hollnagel (2002)


43/68

43

+'

Accident model determines analyses and responses

Root cause, shaping factors or coincidence

Event based or system based

Elimination, improvement or monitoring The misleading simplicity of human error

Human performance is inherently variable - but notunreliable

Variability reflects work conditions Performance deviations have positive and negative

consequences: errors as an opportunity for learning

CSE is a system approach for analysing, evaluating

and designing complex systems


44/68

44

"%"!

=

n

iAccidentSafety1

Safety is freedom from accidents or losses.Leveson (1995)

Absence of failuresStay inside envelope of

safe performance

Risks are identified andcontrolled

Performance variabilitymanagement

Imagination, identification,assessment, modification

Monitoring:detection-recovery

Hollnagel (2004)


45/68

45

!!$


46/68

46


47/68

47

%+ !*$!$&"%"+'"

Sensitivity

Level 1: Accident studies(statistics)

Valid

ity

Level 2: Incident studies

Level 3: Performancemeasurements

High

LowHigh

Low

Long delays,

dependent on accidentmodel

Higher event rate; datacollection may be costly

Measurements of singleevents or cases

Model?

Model?

Model?

Hollnagel (2004)

<


48/68

48


49/68

49

+("+$"$ " *$")+ ""+


50/68

50

=#- ">"$ "*$")+ ""+

Objective: Identify all hazards resulting from potential malfunctions in aprocess

Analyse each step in process using HAZOP guidewords

Determine how this could happen

Can the condition be detected? Are the consequences hazardous?

Can the consequences be prevented?

Is prevention cost-effective?

A quantitative decrease (e.g. low pressure)Less

The negation of the intention (e.g. no flow)No or None

A qualitative decrease (e.g. only one or two components present)Part of

In addition to (e.g. impurity)As well as

Complete substitution (e.g. wrong material)Other than

The opposite of the intention (e.g. backflow)Reverse

A quantitative increase (e.g. high pressure)More

MeaningGuide words

=# ">"$ " *$")+ ""+


51/68

51

=#- ">"$ "*$")+ ""+

......

Blockage, valve closed, high ambient temperature etc.More pressure

Heat loss, leak, imbalance of input and output etc.Less temperature

Typical problemsType of deviation

...

None

None

Existing controls

...

Leak

Valve closed

Cause

...

Release toatmosphere

Overpressure

Consequence

......

High pressure alarmMore pressure

Gas detectorLesstemperature

Possible actionDeviation

& '* $< ""+


52/68

52

&-'*$


53/68

53

% $ ""+

IEE (2004)

*- $< ""+


54/68

54

*-$


55/68

55

;"'+$&*

A

CB

AND

Conjunction

If B and C are true,then A is true

A

CB

OR

Disjunction

If B or C are true,

then A is true

Flooding

Pumps donot work

Water levelcontinues to rise

AND

Signal ismissed

Operator isinattentive

Signal/noise ratioIs too low

Hollnagel (2004)

OR

* !"'+ $ ""+


56/68

56

*!"'+$""+

Topevent

AND

ANDOR

Basicevent

1. Identify top event

2. Identify first-level events

3. Link the events to top event by a logic gate

4. Identify next-level events

5. Link the events to last-levelevents by logic gate

6. Repeat step 4 and 5 until all

basic events are identifiedBasic event indicates the limit of

analytical resolution

Basic event indicates the limit of

analytical resolution

Event

++ " $


57/68

57

++"$

IEE (2004)

< +%+


58/68

58


59/68

59


60/68

60

System model Failure modes

Task analysis;Functional

model;Goals-means

model

HAZOP list;MTO list;

phenotypes

Possibilities fordetection Likelihood

Interfacedesign;Work

organisation;

Possibleantecedents

(causes)

Consequence

Accidentstatistics;

experience;brainstorming

Context(performance

conditions)

Context(performance

conditions)

Hollnagel (2004)

$"$"+"


61/68

61

Preparetransaction

Enter PINcode

Select type oftransaction

Removecard

Removemoney

CompletetransactionEnter amount

Insert card

Begin

Enter fourdigits Push Enter

Hollnagel (2004)

&*+"!$$


62/68

62

*

Mitigatingactions

(M, T, or O)

Failure modecan be found

usingguidewords, e.g.

phenotypes.Identification

must besystematic

Activities shouldbe described onthe same level of

detail

Mitigatingaction

Consequence

Yes /No

How When

Consequenceshould be

described asclearly aspossible

Failure mode /deviation

Activity / functionPossibility of

detectionProbability /likelihood

Hollnagel (2004)

'&""&!"+'$&


63/68

63

Human failure mode Systemic failure mode

Timing Action performed tooearly or too late

Position reached too early or too late.

Equipment not working as required.

Duration Action performed toobriefly or for too long

Function or system state held too briefly or fortoo long.

Distance Object/control moved tooshort or too far

System or object transported too short or too far

Speed Action performed tooslowly or too fast

System moving too slowly or too fastEquipment not working as required.

Direction Action performed in thewrong direction

System or object (mass) moving in the wrongdirection

Force / power/ pressure

Action performed withtoo little or too muchforce

System exerting too little or too much force.Equipment not working as required.System or component having too little or toomuch pressure or power.

Object Action on wrong object Function targeted at wrong object

Sequence Two or more actionsperformed in wrong order

Two or more functions performed in the wrongorder,

Quantity /volume

None System/object contains too little or too much oris too light or too heavy.

Hollnagel (2004)

#$!$&"085


64/68

64

Availability (personnel, equipment)

Training and preparation (competence)Communication quality

HMI and operational support

Availability of procedures and methods

Working conditions

Number of goals & conflict resolution

Available time (time pressure)

Circadian rhythm, stress

Team collaboration (commitment)

Organisation quality

Verygood

Verybad

3 32

Hollnagel (2004)

"$$$&";'


65/68

65

? $


66/68

66

? $


67/68

67

Read the US Highway Accident Case

Apply the viewpoints of the three accident models thatwere discussed

Which contributing factors can the model identify?

Which contributing factors do you miss in the model?

Is there enough information for investigation according to eachmodel?

Which model do you think the investigators had in mind?

;'$$ "(


68/68

68

Date post:	06-Apr-2018
Category:	Documents
Upload:	gary-hook
View:	229 times
Download:	0 times

Accident Models and Risk Analysis

Documents