Engineering a Safer World
Highlights · 42
Safety is increased by increasing system or component reliability. If components or systems do not fail, then accidents will not occur.
Location 181
The confusion on this point is exemplified by the primary focus on failure events in most accident and incident analysis.
Location 184
High component reliability does not prevent component interaction accidents.
Location 211
Safety, in contrast, is defined as the absence of accidents, where an accident is an event involving an unplanned and unacceptable loss [115].
Location 227
To increase safety, the focus should be on eliminating or preventing hazards, not eliminating failures.
Location 228
Bottom-up decentralized decision making can lead, and has led, to major accidents in complex sociotechnical systems. Each local decision may be “correct” in the limited context in which it was made but lead to an accident when the independent decisions and organizational behaviors interact in dysfunctional ways.
Location 270
Because the accident model influences what cause(s) is ascribed to an accident, the countermeasures taken to prevent future accidents, and the evaluation of the risk in operating a system, the power and features of the accident model used will greatly affect our ability to identify and control hazards and thus prevent accidents.
Location 285
The difference between events and conditions is that events are limited in time, while conditions persist until some event occurs that results in new or changed conditions.
Location 321
In addition to a root cause or causes, some events or conditions may be identified as proximate or direct causes while others are labeled as contributory. There is no more basis for this distinction than the selection of a root cause. Making such distinctions between causes or limiting the factors considered can be a hindrance in learning from and preventing future accidents.
Location 349
The accident model used should encourage and guide a comprehensive analysis at multiple technical and social system levels.
Location 393
In general, event-based models are poor at representing systemic accident factors such as structural deficiencies in the organization, management decision making, and flaws in the safety culture of the company or industry.
Location 465
A narrow focus on technological components and pure engineering activities or a similar narrow focus on operator errors may lead to ignoring some of the most important factors in terms of preventing future accidents.
Location 466
Without understanding the purpose, goals, and decision criteria used to construct and operate systems, it is not possible to completely understand and most effectively prevent accidents.
Location 473
An accident model should encourage a broad view of accident mechanisms that expands the investigation beyond the proximate events: A narrow focus on operator actions, physical component failures, and technology may lead to ignoring some of the most important factors in terms of preventing future accidents. The whole concept of “root cause” needs to be reconsidered.
Location 509
Designers of highly automated systems sometimes do not understand this requirement and design automation that takes operators “out of the loop.”
Location 657
It is difficult, if not impossible, for any individual to judge the safety of their decisions when it is dependent on the decisions made by other people in other departments and organizations.
Location 667
that is, the performance-shaping context in which human actions take place and decisions are made.
Location 705
by providing means for identifying potentially dangerous side effects of individual decisions in the network of decisions over the entire system,
Location 713
by designing for error tolerance (making errors observable and reversible before safety constraints are violated) [167], and by counteracting the pressures that drive operators and decision makers to violate safety constraints.
Location 714
We can construct software (and often do) that goes beyond human intellectual limits. The result has been an increase in component interaction accidents stemming from intellectual unmanageability that allows potentially unsafe interactions to go undetected during development.
Location 763