Figure 4 - uploaded by Zahid Qureshi
Boundaries of safe operation (Rasmussen 1997)

Source publication
Article
The increasing complexity in highly technological systems such as aviation, maritime, air traffic control, telecommunications, nuclear power plants, defence and aerospace, chemical and petroleum industry, and healthcare and patient safety is leading to potentially disastrous failure modes and new kinds of safety issues. Traditional accident modelli...

Contexts in source publication

Context 1
... argues that in order to analyse a work domain's safety, it is important to identify the boundaries of safe operations and the dynamic forces that may cause the socio-technical system to migrate towards or cross these boundaries. Figure 4 shows the dynamic forces that can influence a complex socio-technical system to modify its behaviour over time. The safe space of performance within which actors can navigate freely is contained within three boundaries: individual unacceptable workload; financial and economic constraints; and the safety regulations and procedures. ...
Context 2
... system adaptations cannot be pre-programmed during system design (Hollnagel et al. 2006). According to Rasmussen's model (Figure 4), a system may become unstable or lose control at the boundary of safety regulations. Thus resilience is the ability of organisations to maintain control in order to stay outside the accident region. ...

Citations

... Another group of accident models are epidemiological models, where accidents can be seen as an analogy to the spread of disease. An accident is the result of a combination of manifest and latent factors that happen to exist together in time and space [9]. These models are, however, often presented in a linear way, such as the famous "Swiss cheese" model developed by James Reason [10]. ...
Technical Report
Fires are events that can harm people, material assets and the environment. Various authorities, organisations, companies and actors should be able to learn from fires in order to reduce the probability of future fires and minimise the damage. To achieve a reduction in the number of fires and their consequences, an effort is needed from several actors, and both technical, organisational and individual changes will be necessary. Change is regarded as a prerequisite for learning. So how can we as a society change our efforts to prevent fires and reduce fire damage? The start of a learning process is often in the form of information about the accident that has occurred, obtained through an investigation. This investigation can take many forms: the fire service's own evaluation of its response to a fire incident, an authority's assessment of whether the regulations have been complied with and whether adjustments are needed, analysis of internal rules and organisation in a company, and the police's investigation of possible crime in connection with a fire. Investigations and inquiries require skilled professionals, and there is often a need for multidisciplinary expertise, such as knowledge of human behaviour, fire dynamics, electrical installations, mechanical processes and many other fields. Many different techniques and tactics can be used to find out how the fire started, which fault led to the fire, what caused the fire to develop the way it did, and which factors and measures worked well in the fire. Those who carry out such analyses may be employed by the fire service, the police or insurance companies, they may be hired as private investigators or employed by larger companies, to name a few. However, not all fires are investigated in Norway, and there is also a large number of incidents where the fire statistics conclude with an unknown fire cause. The aim of our research has been to increase society's ability to learn from fires. We have two main objectives contributing to this: 1. Obtain knowledge about the preconditions for learning from fires in Norway. 2. Provide recommendations to increase learning from fires in Norway.
... The focus in these accident models is thus often on the actors, and the time aspect of the events leading to the accident. A second group of accident models are epidemiological models, where accidents can be seen as analogous to the spreading of disease: an accident is the outcome of a combination of manifest and latent factors that happen to exist together in space and time [7]. These models are, however, often portrayed in a linear way, such as the famous "Swiss cheese" model developed by James Reason [8]. ...
Technical Report
Fires are devastating events that may harm humans, property and the environment. Authorities, organisations, companies and societies should be able to learn from fire incidents to reduce the probability and impact of future fires. To achieve a reduction in fires and their consequences, an effort is needed from multiple actors, and technical, organisational and individual changes would all be necessary. Importantly, we therefore consider change a prerequisite for learning. So how can we as a society change or modify our efforts for the prevention and mitigation of fires? A learning approach often starts with some form of inquiry about the accidents that occurred, that is, an investigation. This investigation can take many forms: the fire services' own evaluations of the response to a fire, an authority's assessment of the compliance with and fit of its regulations, a company's analysis of internal rules and organisation, and the police's investigation of criminal issues. Investigations require highly skilled professionals, often using multidisciplinary skills such as knowledge of human behaviour, fire dynamics, electrical systems, mechanical processes and many more. A fire investigator may use many different techniques and tactics to figure out how the fire started, what fault led to the fire, what made the fire develop the way it did and also which factors and measures worked well in the fire. The investigator can work for the fire service, the police or insurance companies, as a hired private fire investigator or in larger companies, to mention a few. However, not all fires are investigated in Norway, and there is also a large number of incidents that are concluded with an unknown fire cause. The aim of our research has been to increase society's capacity to learn from fires. We have two main objectives contributing to the aim: 1. Obtain knowledge on the preconditions for learning from fires in Norway. 2. Provide recommendations to increase learning from fires in Norway.
... The AcciMap approach is considered an example of the systemic approaches (Salmon et al. 2010; Salmon et al. 2012) and was developed for graphically depicting multi-causal chains consisting of events, decisions and contributing factors (Svedung and Rasmussen 2002; Rasmussen and Svedung 2000). While the AcciMap approach, in addition to other systemic approaches like STAMP (Systems Theoretic Accident Modelling Process) (Leveson 2002; Leveson et al. 2004; Qureshi 2008) and FRAM (Functional Resonance Accident Method) (Hollnagel 2004), provides a different perspective on how accidents are analysed, there has not been a prevalent adoption of these approaches despite their benefits (Underwood and Waterson 2013). This version was developed by Branford (2007) based on existing versions of the original AcciMap (Rasmussen and Svedung 2000; Vicente and Christoffersen 2006) as a way of providing a consistent methodology for users in determining why the adverse event occurred (Branford 2011). ...
...
(1) Creating a blank AcciMap format on which to arrange the causes/contributing factors
(2) Identifying the adverse outcome of the incident
(3) Identifying contributing factors based on the incident report
(4) Identifying the appropriate AcciMap level for each contributing factor identified
(5) Preparing the contributing factors representative of each AcciMap level
(6) Inserting causal links (relationships) to depict cause and effect between contributing factors
(7) Filling in the gaps left in the causal chains where information is missing
(8) Checking the causal logic and making sense of the sequence of events
(9) Formulating safety recommendations that are practical and feasible
Root Cause Analytical (RCA) techniques have been used as toolkits for investigating and analysing serious events in healthcare (Johnson 2004; Qureshi 2008). However, they have been noted to assume a linear approach to cause and effect in accident causation and so are unsuitable when analysing incidents from a sociotechnical perspective (Canham et al. 2018; Qureshi 2008). These techniques are mainly focused on analysing errors at the front end of the spectrum and do not consider in-depth system weaknesses and why they occurred. ...
Article
This paper presents a field workshop organised by Healthcare Improvement Scotland (HIS) focusing on the evaluation of the formalised AcciMap approach by patient safety practitioners of the National Health Service (NHS). Participants who were experienced in incident analysis relating to patient safety and risk management across different NHS boards, but had no prior knowledge of using the AcciMap approach, were recruited for a case study analysis (Wrong Patient) (Chassin and Becher in Ann Intern Med 136:826–833, 2002). After introduction and training they were divided into three teams, each of which performed an independent case analysis. The AcciMap outcomes produced indicated both similar and varying contributing factors identified by each team. This was also reflected in their formulation of safety recommendations. Their findings were then compared with each other (reliability) and with external review (validity). Based on results obtained from the survey instrument distributed after the exercise and from focus discussions, the AcciMap approach was generally perceived as intuitive and a potentially relevant toolkit for incident investigations. However, questions were raised particularly regarding its usability (ease of use) in conducting analyses compared with RCA techniques.
... It also tries to identify how safety can be built more holistically into a given system (Hamim et al., 2020; Stefanova et al., 2015). A complex system involves operational interactions and interrelationships with the technical, human, social and management aspects of any organisation (Qureshi, 2008). The hospitality sector is an example of a complex system that encompasses the integration of hotel suppliers, officers from the ministry of public health, private businesses, local enterprises, managers and staff interacting with processes, conditions and the effect of human factors (Dhir et al., 2020). ...
Article
A theory-based systems approach, such as AcciMap accident analysis, has been widely used over the years in multiple safety-critical sectors such as the nuclear, petrochemical, aviation and railway industries to provide a detailed understanding of complex systems and the chain of events contributing to accidents resulting from system failure. However, despite its advantages, the use of a systems approach in the food safety context has to date been limited. The purpose of this study was to investigate three established norovirus incidents using the AcciMap accident analysis approach to determine its efficacy at informing the design of food safety policies following a norovirus outbreak to prevent reoccurrence. This approach was found to be of value in analysing norovirus outbreaks. The findings of the AcciMap analysis reveal that the norovirus outbreaks were not the outcome of a single causal incident, but of a chain of events and interactions that involved governmental failure to control and enforce safety regulations and the impact on managerial and individual behaviours at a lower level in the system. The analysis identified common contributory factors such as poor inspections, lack of regular monitoring of the quality of the water supply, inadequate management of wastewater and ineffective communication that led to each incident across the hierarchical levels within a socio-technical system. The value of using the AcciMap approach is that it does not constrain the analysis to individual components or particular types of incident, allowing for a more holistic and interconnected risk assessment.
... Based on socio-technical system theory, presented a framework (i.e., SoTeRiA) to incorporate organisational, external environment and human factors into PRA. A socio-technical system must be seen as an integrated whole and the role of social factors in conjunction with safety and reliability should be recognised (Qureshi, 2008). This is consistent with the view of Liu and Zhai (2018) in defining traffic problems (e.g., collisions) as not only technical but also social problems. ...
Thesis
Intelligent Transportation Systems (ITS), with the aim of enhancing mobility and sustainability, are gaining momentum across the public policy sector. Connected and Autonomous Vehicles (CAVs) constitute an integral element of ITS. The rapid advances in the realm of Artificial Intelligence (AI) and relevant disciplines have accelerated the development and evolution of CAVs, which are believed to thoroughly transform the transportation landscape in the coming decades or even years. There are manifold potential benefits (e.g., increased safety and accessibility, convenience, saving time and energy, reducing traffic congestion, etc.) perceived for this disruptive technology. Nevertheless, there is a considerable extent of uncertainty over the safe and secure performance of intelligent self-driving cars in urban environments. These uncertainties can worsen the existing driving risks and incur new risks which can undermine the functional safety and technical reliability of those vehicles. The interdependencies between risk factors have not yet been studied within an integrative framework, nor from the sociotechnical perspective. In this study, an interdisciplinary approach was adopted to construct a Bayesian Belief Network (BBN) in order to capture influential risk factors in urban settings as well as the interdependencies between them, thereby providing estimates for the risk indices under varying and volatile circumstances. This will enable us to estimate the collision risk for intelligent self-driving cars in urban environments and evaluate the impact of risk mitigation actions. Furthermore, such a model can be used to classify urban districts based on the estimated risks and serve policymakers in allocating resources to maximise the benefits of CAVs and avoid potential safety consequences. Sociotechnical theory as an interdisciplinary approach was adopted to form the foundation of the BBN model. The factors were accordingly divided into four blocks, and the intersection of these blocks represents a collision risk index to quantify the safety risk in urban environments. To identify the risk factors, an integrative literature review together with thematic analysis (TA) was used. A new technique was formulated to populate the node probability tables (NPTs) and generate uniform distributions. Afterwards, nine domain experts assigned weights to the identified links between the nodes and the influence of the probability distributions. Sensitivity analysis was conducted to examine the influence of the incorporated nodes on the collision risk index. The outcome of the model (i.e., the collision risk index) showed the highest sensitivity to traffic control infrastructure, weather conditions and traffic composition, respectively. Six scenarios were also devised to investigate the fluctuations of the collision risk index due to variations in input nodes. The results of this research can provide insights for policymakers in contemplating policy choices such as investing in new or upgrading existing infrastructure, introducing new legislation, imposing regulatory requirements, licensing, and technology standardisation.
... By conceptualizing the characteristics of accidents, accident analysis explains why accidents happen and provides a tool for risk assessment during system development as well as post hoc accident causation analysis, upon which proper prevention measures can be taken to reduce the occurrence of accidents of a similar nature [9]. As large complex systems comprise multiple elements with regard to humans, machines, and the environment, a diversity of traditional and modern methods, each with its own merits, have been employed to perform accident modeling and have contributed to the understanding of accidents (for a general review see [10]). Among them, the classic chain-of-events models, which explain accidents as the result of a series of events that occurred in a particular logical order, work well for capturing clear cause-effect relations between discrete or consecutive events. ...
Article
Continuing metro-operation accidents lead to serious economic loss and a negative social impact. Accident causation analysis is of great significance for accident prevention and the promotion of metro operation safety. Network node importance (NNI) evaluation has been widely used as a tool for ranking the nodes in complex networks; however, traditional indicators such as degree centrality (DC) are insufficient for examining accident networks. This study proposed an improved method by integrating the decision-making trial and evaluation laboratory (DEMATEL) and interpretive structural modeling (ISM) into traditional NNI evaluation, where the key nodes are determined by both the nature of the accident network topology and the contribution of the nodes to accident development. Drawing on this method, 32 accident causal factors were identified and prioritized on the basis of 248 accident cases. It was found that 14 important factors related to staff (e.g., "driver noncompliance"), environment (e.g., "extrinsic nature disturbance"), passengers (e.g., "passenger sudden illness"), and machines (e.g., "track failures") should be given priority in safety management due to their significant tendency to cause metro accidents. Theoretical and managerial implications were discussed to provide useful insights into the understanding of the causation of metro accidents and to form a basis for metro managers to develop targeted safety countermeasures related to metro operation. The proposed hybrid method is proven effective in investigating accident networks involving sequential and causal relationships and in revealing factors with a high likelihood of increasing accidents.
... Accordingly, these models consider accidents as the result of deficiencies in hierarchical safety control structures (Qureshi 2008); therefore, by applying holistic and systemic approaches and using the generic tools of system theory, they analyze the root causes of the gradual deficiencies in the hierarchical control structure (Dulac 2007). Studies have also shown that the systemic approach can be an effective tool to model organizational interaction, and that it can accurately analyze accident causation within a system's hierarchical control structures (Kontogiannis and Malakis 2012). ...
Article
The latest generation of accident models demonstrates that the root causes of systemic accidents in complex sociotechnical systems derive from the system's inefficient organizational safety control structure: the "structure" that has not adapted itself to the dynamic system under control and, consequently, is not able to control the system's hazardous behaviors. Hence, in this paper, a clear approach is presented to evaluate the competency of the organizational safety control structure. In this approach, the modelling process of System Theoretic Process Analysis (STPA) is used to model the hierarchical safety control structure; then, a Bayesian Belief Net (BBN) is applied for the competency evaluation of the structure. Specifically, a novel procedure is introduced for converting an STPA-based safety control structure to a BBN in order to obtain valuable safety leading indicators via quantitative analysis.
... The boundary of economic failure creates a pressure towards greater efficiency, which works in opposition to a similar pressure against excessive workload. Because transport systems involve human as well as technical elements, and because humans are able to adapt situations to suit their own needs and preferences, these pressures inevitably introduce variations in behavior which are not explicitly designed and can lead to increasingly emergent system behaviors, both good and bad (Qureshi, 2007; Clegg, 2000). Over time this adaptive behavior can cause the system to cross safety boundaries and accidents to happen (Qureshi, 2007; Rasmussen, 1997). ...
... Because transport systems involve human as well as technical elements, and because humans are able to adapt situations to suit their own needs and preferences, these pressures inevitably introduce variations in behavior which are not explicitly designed and can lead to increasingly emergent system behaviors, both good and bad (Qureshi, 2007; Clegg, 2000). Over time this adaptive behavior can cause the system to cross safety boundaries and accidents to happen (Qureshi, 2007; Rasmussen, 1997). The key, then, is to detect in advance a) where those boundaries are and b) where the system is travelling in relation to them. ...
Conference Paper
Forecasting accidents before they occur is the final frontier for safety science. Although this has long been recognized, the discipline of human factors has yet to produce an appropriate methodology for achieving this. This paper presents some of the findings from an exploratory study in which the abstraction hierarchy method from the work domain analysis phase of cognitive work analysis was used to predict potential accidents. Using rail level crossings as a test case, the exploratory study revealed that the abstraction hierarchy method was able to predict a range of failure pathways that could potentially lead to a collision between a road user and a train at rail level crossings. In addition, certain features of the abstraction hierarchy method were found to make it highly consistent with contemporary systems-level views on accident causation, including that it provides a systems-level analysis of potential accident pathways, that it does not support a focus on broken human components (since the abstraction hierarchy model is actor independent), and that the primary focus is on the relationships between components rather than the components themselves. Further testing of the approach is recommended, including sensitivity and validity testing whereby the predictions made are compared to real-world events.
... Epidemiological accidents models are based on the study of epidemiological diseases and consider accidents as a combination of "latent" and "active" failures within a system, by analogy with the spread of a disease (Qureshi, 2008). ...
... Just as everything evolves in this world, an evolution has taken place reshaping the perspectives of practitioners and researchers and redefining how the concepts of safety, risk and performance are viewed. In the early days of reliability assessment, the focus was mainly directed towards evaluating systems by examining the performance of their parts, adopting a more mechanistic perspective and focusing on the technological aspect of things [1]. The classical view considered any system decomposable into its parts, well defined and understood [1]. ...
... In the early days of reliability assessment, the focus was mainly directed towards evaluating systems by examining the performance of their parts, adopting a more mechanistic perspective and focusing on the technological aspect of things [1]. The classical view considered any system decomposable into its parts, well defined and understood [1]. Operators performed assigned tasks as required by instructions and procedures, and the design phase was expected to account for every possible contingency and then implement barriers and protection mechanisms to prevent the occurrence of any adversity. ...
... Heinrich's Domino Model introduced a paradigm shift in safety analyses, shifting the focus from unsafe conditions to human error. Accidents and incidents were described mainly as a chain of discrete events initiated by a root cause and occurring consecutively, leading to undesirable outcomes [1]. Preventive measures therefore focused on breaking the chain of events and avoiding the errors and malfunctions that could set the chain in motion. ...
Article
In recent years, the focus in safety management has shifted from failure-based analysis towards a more systemic perspective, redefining a successful or failed performance as a complex and emergent event rather than as the conclusion of singular errors or root causes. This paradigm shift has also necessitated the introduction of innovative tools capable of capturing the complex and dynamic nature of modern sociotechnical systems. In our research, we argued at previous stages for adopting a more systemic and human-centric perspective to evaluate the context of aircraft de-icing operations. The Functional Resonance Analysis Method (FRAM) was applied in the first stage for this purpose. Subsequently, fuzzy logic was combined with FRAM in the second stage to provide a quantified representation of performance variability. Fuzzy logic was used as a quantification tool suitable for computing with natural language. Several limitations were found in the data collection and rule generation process for the first prototype. In the third phase, the model was further improved by integrating rough sets as a data-mining tool to generate and reduce the size of the rule base and classify outcomes. In this paper, we reflect on the three stages of the project and discuss in a qualitative manner the challenges and limitations faced in the development and application of the models. A summary of the advantages and disadvantages of the three models as experienced in our case is presented at the end. The objective is to present an outlook for future studies to address methodological limitations in the study of complex sociotechnical systems.