Understanding Safety / General
What causes the accidents
A very complex question arises, when one tries to determine the cause of accidents. Many accident causation theories have traditionally focused on preventing accidents by simplifying the task into the “what happened”, “who was responsible” and “when did it occur”. This reactive method does not assist in identifying the root causes of the problem and preventing similar occurrences in the future. Therefore, the stakeholders, with the leading assistance of ICAO, have embraced methodologies of trying to identify the “WHY it happened” and finding the suitable defences to prevent reoccurrences. The blame notion of WHO, has been removed from the equation and punishing the guilty part in not the required outcome.
Aviation is a relatively young industry – considering it is only in its second century of life. The evolution of safety went through some stages which reflect this gradual maturity of the mentality inside the industry. As aircraft are complex machines and are considered technological marvels, the first idea of solving an accident was to find the technical factor. The Technical Era as it is referred to focused solely on the equipment failure. But as the technology progressed and the aircraft became more advanced and reliable the focus shifted towards the human factor. The Human Factors Era brought upfront the concept of Crew Resource Management (CRM) and focused on the individual, still isolating the person from the organisation. Deeper research and analysis of findings led to the classification of the organisation factors – which includes the organisational culture and the operational context of a complex environment. The Organisational Era views safety in a systemic perspective and the proactive trend of data gathering prior the investigation of an accident formulated the rational of the safety management system.
ICAO SMM – Evolution of Safety
In order to better understand the root causes, literature and science have created the accident causation models. These models enable:
- the understanding of the difference between hazards/ threats and accidents
- assist in forming a better understanding of the reality by visualizing the things we cannot directly observe
- aid in creating useful and helpful approximations of the real environment
The basis for this process is the Heinrich’s pyramid, which adapted to aviation-in the form of an iceberg, proposes that for every fatal accident there are 10 non-fatal accidents, 30 reportable incidents and 600 near misses and an unknown number of unsafe acts which went unnoticed.
Accident causation models can be divided based on the underlying assumptions in three categories:
- Simple Linear: accidents are a culmination of a series of events or circumstances. There is a sequential interaction of events – one leads to the next one. This can be visualised by a series of falling dominos (Heinrich’s Domino Theory). Hence the belief that if the sequence is broken by removing one of the events (removing one domino) the disaster will be avoided.
- Complex Linear: Presumes that accidents are the result of a combination of latent hazards and unsafe acts which continue to happen in a sequential way. The model considers a variety of factors including the environmental as well as organisational effects. The application of the model enables the set-up of safety barriers and defences along the timeline of the events (contributing factors). Similar to an epidemy, the model is characterised as epidemiological, and draws conclusions from latent factors that sometimes do not really affect the outcome and it tends to oversimplify the causes.
- Complex non-linear: accidents are the results of a combination of mutually interacting variables occurring in real world environments. Understanding of these interactions through careful analysis is the only way to understand and prevent accidents. A systemic model which focuses on interactions and functions of the system rather than just individual events. Accidents are regarded as emergent rather than resultant phenomena (i.e. are not predictable).
Another conceptual tool, widely used in aviation, which analyses the interaction between multiple system components, is SHELL, which stands for:
S = Software (any procedures, checklists, training, computer)
H = Hardware (machines and equipment- including the controls, instruments and interfaces)
E = Environment (conditions – oxygen, pressure, temperature, socioeconomic considerations)
L = Liveware (any people involved in the workplace – pilots, cabin crew, ATC, engineers etc )
The Human to human interface is in the middle of the model as it is considered the important element and it is the main contributor and factor in aviation safety. Our goal is to understand the interaction with the other components and identify the way this interaction results in mistakes and errors. However, the inconsistency in the human element brings up the following 4 P-factors which need to be considered: Physical, Physiological, Psychological and Psycho-social factors.
The constant interaction of the elements with liveware is what sets-up the conditions and the basis for an event.
The advancement of SHELL produced the SCHELL, which has the addition of Culture in the components, a factor that can greatly influence the interactions.
Another similar model for examining and valuing accidents, the 5M model, illustrates the interactions in the complex environment of aviation by intertwined circles. The three circles are Man, Machine and Medium, which together create the area of Mission and all these together are bound by the management circle.
Man circle refers to all the front-line personnel involved in the operation of the flight, but some safety experts even include people involved in design and management. This way aids in removing the concept of “pilot error” who for many years was considered the only element of the Man circle. But in this model pilot is simply viewed as the last line of defence in a chain of mishaps. Being a user-centred model, the human is considered the forcing function of the system.
Machine in this model is any equipment and technological advancement, which disregarding the high efficiency and reliability they still pose a hazard and a threat to the operation of a flight. Redundancy in critical components is major step towards achieving safety but the new designs must take further note of the human interaction, mainly the physiological limitations. Failures can be classified as early failure (in regards to life of the component), a random failure and a wear-out failure (towards the end of component’s life). Engineering design as well as maintenance come in play with this circle.
From the accident prevention viewpoint, medium is considered to be both the natural environment of the flight as well as the artificial one. Natural refers to weather, topography, temperature etc. Artificial is divided into physical, which includes ATC, airport, aids and infrastructure, whilst and non-physical is the legislation and procedures under which the flight takes place.
The mission is nothing more than the actual flight, which changes according to the actual operations, the type of flights, type of aircraft, destination etc.
The responsibility of safety in any organisation rests with the management, thus the management circle encloses all the others in a sense of control and protection, as it is the integrating link. Management’s responsibilities include the correct allocation of resources, appointment of qualified personnel, selection of fleet and routes and most importantly the fostering of the organisational culture. The attitude and behaviour of management has a profound effect on the people and it is important to realise that responsibility does not end with financial support and regulatory compliance, but also with acts such as support of the safety programme, avoiding overpressure, pushing the limits etc.
Accidents are the result of a chain of interactions, sequential events, with each event triggering the next one. Removing one of the key factors (event-domino) can break the link-sequence.
The initial point is considered to be the social environmental factor pushing on to individual (person) factor, then to unsafe acts, mechanical and physical hazard to an accident or injury.
This model is considered very subjective due to the concept that everything results in a failure.
Accident Evolution Barrier (Svenson)
AEB models accidents in a sequential interaction of human and technical systems. It is based on the principle that setting barrier functions between two successive errors it is possible to stop the sequence. AEB emphasises on technical errors and forces integration of human and technical systems simultaneously during the analysis.
Swiss Cheese Model (Reason)
One of the most famous accident causation model is the Swiss Cheese Model, published in 1990 by professor James Reason. It illustrates how the organisational factors at the various organisational levels (including the management level) can lead to an accident. The Swiss Cheese model identifies the existence of both active and latent conditions in an organisation, which under the right combination and circumstances trigger a breach in the system defences. Active conditions (failures) are actions or inactions, errors or violations, associated with the front-line personnel (pilots, engineers, ATC), which have an immediate adverse effect. Latent conditions on the other hand exist in the system well before the failure and can be dormant for a long time. They are created by actions, decisions or conditions that are far removed from the actual timeline and space of the event and without interaction with other conditions they are not harmful or even visible.
The swiss cheese model (named after the look of the illustration) illustrates how the barriers at the various levels (layers) prevent the interaction and combination of active and latent conditions. It further shows how breaches and weak points in these barriers, when aligned under the right conditions, time and space, can escalate an event into an accident. It is interesting to note that the breaches (gaps) are not stationary and move around the barrier (slice) randomly according to the pre-existing conditions. The innovation of the swiss cheese model was that the human error was only the manifestation of the latent conditions and is the end result of root causes which are traced back to the management or initial system design. The focus is therefore on the influences created by the high-level decision makers like rapid expansion, lack of regulation, culture towards safety, policies, communication and resources allocation. The target is therefore to reinforce each defence layer as much as possible and to block the existing holes.
Functional Resonance Accident Model (FRAM) (Hollangel 2004 & 2012) is a model/ method describing the outcomes through a 4-step process analysis. The concept is based on the idea that the variability of daily performance creates resonance. Resonance is the phenomenon where a function vibrating forces another function in the system to vibrate at greater amplitudes than usual often leading to a break of the system. FRAM aims at damping (reducing the amplitude) of this resonance, which is a result of the unwanted variability.
The steps are to identify, describe and characterise (6 basic characteristics as per figure) the system functions, check the model completeness and consistency, then characterise the variability and identify the resonance of the functions and eventually monitor and control the development.
The basic principle of FRAM is that the same underlying process can lead to either success or failure, therefore the outcome is not mutually connected to the process. The performance variability which determines the outcome, is a result of the variable and different conditions, group interactions, resources allocation etc, existing during the actual process in relation to the prescribed or specified one. The combination of performance variability in a group of functions (system) can cause the accident, but no function on its own could constitute a malfunction of the system. In other words, in the absence of the system, each individual function is functioning properly. Resonance of a function means that its variability is unusually high with consequences spreading dynamically to the other functions of the system through not necessarily identifiable couplings.
FRAM enables an overall understanding of a socio-technical system, by avoiding to decompose the system into smaller components and characteristics. Emphasis is given on the comprehensive view. The process itself forces questioning rather than finding straight clear answers, as it does not include the typical cause-effect models.
The biggest weakness of the method is the time-consuming process, which is mainly attributed to the young age of the method. As it differs fundamentally from the traditional methods, it will require time for adaptation and efficient use. The method requires imagination and it does not allow room for automation.
The following is an example, with the author analysing the British Midland Flight 92 (Kegworth) accident using the FRAM approach. Full explanation and the steps of the process can be found at https://www.slideshare.net/stargate1280/fram-analysis-kegworth.
According to H.W.Heinrich these are the ten axioms of industrial safety:
- The occurrence of any injury invariably results from a completed series of factors, the last one being the accident itself. The accident being due to the unsafe act of a person and/or mechanical or physical hazard.
- The unsafe acts of persons are responsible for the majority of accidents.
- The person who suffers an injury has probably had at least 300 narrow escapes when committing the same act.
- The four basic motives for the occurrence of accidents are:
- Improper attitude;
- Lack of knowledge or skill;
- Physical unsuitability;
- Improper environment.
- The four-basic method of prevention of accidents are:
- Engineering revision;
- Persuasion and appeal;
- Personnel adjustment;
- The severity of an injury is largely fortuitous.
- Methods of accident prevention are similar to methods of control of quality, cost and production.
- Management has the best opportunity to initiate work of prevention and therefore must take responsibility for accident prevention.
- The supervisor is the key man in accident prevention and can influence accident prevention by taking four steps; these are:
- Identify the problem;
- Find and verify the reason for the existence of the problem;
- Select the appropriate remedy;
- Apply the remedy.
- The humanitarian incentive for preventing accidents is supplemented by two powerful economic factors:
- The safe establishment is efficient;
- The direct cost of an accident is about 1/5 of what the company eventually pays.