Another Morning with CPR

Download Report

Transcript Another Morning with CPR 

Rail & Aviation Conference
RAeS 21st May 2009
Safety Culture and
Safety Management
Jim Reason
Professor Emeritus
University of Manchester, UK
Overview





Organizational accidents
The two faces of safety
Safety culture
Proactive process measures
Error management
Hazards, losses & defences
Defences
Hazards
Losses
The ‘Swiss cheese’ model
of system accidents
Some holes due
to active failures
Losses
Hazards
Other holes due to
latent conditions
(resident ‘pathogens’)
Successive layers of defences, barriers, & safeguards
How and why defences fail
Defences
HOW?
Losses
Hazards
Latent
condition
pathways
WHY?
Causes
Unsafe acts
Local workplace factors
Organisational factors
Investigation
The two faces of safety
 Negative face as revealed by
accidents, incidents, near misses
and the like.
 Positive face = system’s intrinsic
resistance to its operational hazards.
Intrinsic safety
Vulnerable
system
Average
system
Resistant
system
The safety space
Increasing resistance
Increasing vulnerability
Organisations
Navigating the safety space
Increasing resistance
Increasing vulnerability
Cultural drivers
Target
zone
Commitment
Cognizance
Competence
Navigational aids
Reactive
outcome
measures
Proactive
process
measures
Negative outcome measures
 Exceedances (SPADs)
 Near misses & incidents
 Accidents
Proactive process measures
 No single definitive measure.
 Involves regular sampling of a subset of a
much larger population of organisational
processes (somewhere between 8-16).
 Identify those 2-3 processes most in need of
remediation.
 Track progress of remedial measures.
 Safety mgt. = long-term fitness programme
(not a zero production game).
REVIEW:
Railway Problem Factors








Tools & equipment
Materials
Supervision
Working environment
Staff attitudes
Housekeeping
Contractors
Design








Staff Communication
Departmental comm’n
Staffing & rostering
Training
Planning
Rules
Management
Maintenance
RAIT: Railway Accident
Investigation Tool




What defences failed?
How did they fail?
Why did they fail?
Which of the RFTs was most
implicated?
 Errors and violations
 Local situational factors
Three C’s: Excellence drivers
 Commitment: In the face of ever-increasing
production pressures, do you have the will
to make your safety management tools
work effectively?
 Cognizance: Do you understand the nature
of the ‘safety war’—particularly with regard
to human and organisational factors?
 Competence: Are your safety management
techniques understood, appropriate and
properly utilised?
The importance of culture
Though it has the
definitional precision
of a cloud
Only culture can reach all parts of the system.
Only culture can exert a consistent influence,
for good or ill.
Culture: A workable definition
Shared values (what is important) and
beliefs (how things work) that interact
with an organization’s structure and
control systems to produce behavioural
norms (the way we do things around here).
A safe culture: Interlocking
elements
Just
culture
Reporting
culture
Learning
culture
Cultural ‘strata’
GENERATIVE
Respects, anticipates and responds to risks.
A just, learning, flexible, adaptive, prepared
& informed culture. Strives for resilience.
PROACTIVE
Aware that ‘latent pathogens’ and ‘error
traps’ lurk in system. Seeks to eliminate
them beforehand. Listens to ‘sharp enders’.
CALCULATIVE
Systems to manage safety, often in
response to external pressures. Data
harvested rather than used. ‘By the book’.
REACTIVE
Safety given attention after an event.
Concern about adverse publicity.
Establishes an incident reporting system.
PATHOLOGICAL
Blame, denial and the blinkered pursuit of
excellence (Vulnerable System Syndrome).
Financial targets prevail: cheaper/faster.
Error Management (EM)
 Three main elements:
• Error reduction
• Error containment
• Management of EM
 And the hardest of these is
effective management.
More management hoops?
 Quality management systems
 Safety management systems
 Error management: what’s
new?
 Need to sort out differences
and overlaps
Quality Management System
(industrial origins)
 TQM had its origins in Statistical Process
Control (1920s). Deming—Japan—USA
 Quality measurements at point of origin
 Quality assurance (QA) not quality control
 QA documents the way things should be
done and audits against these standards
 Discrepancies are fed back  continuous
improvement
Safety Management System
(regulatory origins)
 HSW Act 1974 (Robens). Piper Alpha, 1988,
Cullen Report (1990). Safety Case.
 Modelled on ISO 9000 quality assurance.
 SMS includes a formal safety assessment of
major hazards—steps documented
•
•
•
•
Hazard identification
Risk assessment
Defences and safeguards
Recovery
QMS & SMS: Common features
 Neither quality nor safety can be ad hoc.
Both need planning and management.
 Both rely heavily on measuring, monitoring
and documentation.
 Both involve the whole organisation.
 Both strive for small continuous
improvements—kaizen not home runs.
QMS & SMS: Problems
 A strong temptation to put form before
substance—to believe that what’s on paper
matches the reality.
 ‘Quality-assured’ accidents
• BAC One-Eleven (1990)
• A320 (1993)
• Boeing 737-400 (1995)
 Neither driven by human factors knowledge;
neither starts from the fact that human and
organizational factors dominate the risks.
Why EM is necessary
(Human Factors origins)
 Effective EM derives more from a
mindset than a set of ring binders.
 EM is not a ‘system’ as such, though it
should be systematic.
 EM requires an understanding of the
varieties of error and their provoking
conditions.
 EM takes Murphy’s Law as its starting
point. Errors are inevitable.
More about EM
 Effective EM needs an informed and wary
culture—this depends on establishing:
• A just culture
• A reporting culture
• A learning culture
 EM must play a major part in both QM and SM
systems.
 QMS and SMS are top-down and normative.
EM is bottom-up and descriptive. It says how
the world is, not how it ought to be.
Some EM principles
 The best people can make the worst
errors.
 Errors fall into recurrent patterns—error
traps.
 There is no one best way of doing EM.
 EM is about system reform rather than
local fixes—it’s about greater resilience.
Error can’t be eliminated,
but it can be managed
 Fallibility is part of the human
condition.
 We are not going to change the
human condition.
 But we can change the conditions
under which people work.