ACCIDENTS AND BARRIERS
Erik Hollnagel
Graduate School of Human-Machine Interaction
University of Linköping, LIU/IKP/HMI, S-581 83 Linköping, Sweden
eriho@ikp.liu.se
Abstract
This paper discusses the barrier concept starting from a basic distinction between barrier
functions, defined as the specific manner by which the barrier achieves its purpose, and
barrier systems, defined as the organisational and/or physical foundation for the barrier
function. Four different types are proposed, called material, functional, symbolic, and
immaterial barrier systems respectively. A basic distinction between barrier functions is
whether they are preventive or protective. This reflects whether the barrier function is
intended to work before the occurrence of an accident or after it has happened. It is
furthermore possible to describe a number of generic barrier functions, such as: containing,
restraining, keeping together, dissipating, preventing, hindering, regulating, indicating,
permitting, communicating, monitoring, and prescribing. There is no simple one-to-one
correspondence between barrier functions and barrier systems, nor between barrier functions
and their use as either preventive or protective barriers. The paper also introduces the specific
discussion of the retrospective and prospective use of barriers.
Keywords
Accidents, failures, barriers, prevention, design, organisations.
1. INTRODUCTION
Accidents are frequently characterised either in terms of the events and conditions that led to
the final outcome or in terms of the barriers that have failed. A barrier, in this sense, is an
obstacle, an obstruction, or a hindrance that may either (1) prevent an action from being
carried out or an event from taking place, or (2) prevent or lessen the impact of the
consequences, for instance by slowing down the uncontrolled release of matter and energy,
limiting the reach of the consequences or weakening them in other ways, cf. Figure 1. Barriers
are important for the understanding and prevention of accidents. Firstly, the very fact that an
accident has taken place means that one or more barriers have failed – i.e., that they did not
serve their purpose or that they were missing. Secondly, once the aetiology of an accident has
been determined and the causal pathways identified, barriers can be used as a means to
prevent the same, or a similar, accident from taking place in the future.
Figure 1: Use of barriers. Labels recoverable from the figure:
Initiating event (incorrect action).
Prevention (control barriers): active or passive barrier functions that prevent the initiating event from occurring.
Protection (safety barriers): active barrier functions that deflect consequences.
Protection (boundaries): passive barrier functions that minimise consequences.
Accident.
The notion of a barrier can be considered both in relation to a method or a set of guidelines for
identifying barriers and in relation to a way of systematically describing or classifying
barriers. The two aspects are, of course, not independent, since the method for analysis
necessarily must refer to a classification scheme, regardless of whether the analysis is a
retroactive or a proactive one (Hollnagel, 1998). As a starting point, a barrier function can
be defined as the specific manner by which the barrier achieves its purpose, whereas a
barrier system can be defined as the substratum or foundation for the barrier function, i.e.,
the organisational and/or physical structure without which the barrier function could not be
accomplished. The use of the barrier concept should be based on a systematic description of
various types of barrier systems and barrier functions, for instance as a classification system.
This will help to identify specific barrier systems and barrier functions and to understand the
role of barriers, in either meaning, in the history of an accident.
Despite the importance of the barrier concept, the accident literature only contains a small
number of studies (Kecklund et al. 1996; Leveson, 1995; Svenson, 1991 & 1997; Taylor,
1998 and Trost & Nertney, 1985). The classifications proposed by these studies have been
quite diverse, partly because of the lack of a common conceptual background, and partly
because they have been developed for specific purposes within quite diverse fields. The most
successful attempt at developing a theory of barriers has been the work of Svenson (1991),
which also was the basis for the field studies of Kecklund et al. (1996).
2. DESCRIPTORS OF BARRIER SYSTEMS
An analytical description of barriers can be based on several different concepts, such as the
barriers’ origin, their purpose, their location, and their nature. Of these, only the concept of
the barrier nature is rich enough to support an extensive classification. The nature of barriers
is principally independent of their origin, their purpose (e.g., as preventive or protective), and
their location. By their nature barrier systems can range from physical hindrances (walls,
cages) to ethereal rules and laws. A classification of barrier systems can be based on the
following four main categories.
Material barriers physically prevent an action from being carried out or the consequences
from spreading. Examples of material barriers are buildings, walls, fences, railings, bars,
cages, gates, etc. A material barrier presents an actual physical hindrance for the action or
event in question and although it may not prevent it under all circumstances, it will at least
slow it down or delay it. Furthermore, a material barrier does not have to be perceived or
interpreted by the acting agent in order to serve its purpose.
Functional (active or dynamic) barriers work by impeding the action to be carried out,
for instance by establishing a logical or temporal interlock. A functional barrier effectively
sets up one or more pre-conditions that have to be met before something can happen. These
pre-conditions need not be interpreted by a human, but may be interrogated or sensed by
the system itself. Functional barriers are therefore not always visible or discernible,
although their presence often is indicated to the user in one way or another and may require
one or more actions to be overcome. A lock, for instance, is a functional barrier, whether it
is a physical lock that requires the use of a key or a logical lock that requires some kind of
password or identification.
Symbolic barriers require an act of interpretation in order to achieve their purpose, hence
an “intelligent” agent that can react or respond to the barrier. Whereas a functional barrier
works by establishing an actual pre-condition that must be met by the system, or the user,
before further actions can be carried out, a symbolic barrier indicates a limitation on
performance that may be disregarded or neglected. Alternative terms may therefore be
conceptual or perceptual barriers. While the railing along a road is both a physical and a
symbolic barrier, the reflective posts or markers are only a symbolic barrier: they indicate
where the edge of the road is, but unlike the railing they are insufficient to prevent a car
from going off the road. All kinds of signs and signals are symbolic barriers, specifically
visual and auditory signals. The same goes for warnings (texts, symbols, sounds), interface
layout, information presented on the interface, visual demarcations, etc.
Immaterial barriers are not physically present or represented in the situation, but depend
on the knowledge of the user to achieve their purpose. Immaterial barriers are usually also
represented in a physical form such as a book or a memorandum, but are normally not
physically present when their use is mandated. Typical immaterial barriers are: rules,
guidelines, restrictions, and laws. In industrial contexts, immaterial barriers are largely
synonymous with organisational barriers, i.e., rules for actions that are imposed by the
organisation, rather than being physically, functionally or symbolically present in the
system.
It is clearly possible to realise several barrier systems and functions in the same physical
artefact or object. For instance, a door may have on it a written warning and may require a
key to be opened. Here the door is a physical barrier system, the written warning is a symbolic
barrier system, and the lock requiring a key is a functional barrier system. It may, in fact, be
the rule rather than the exception that more than one type of barrier is combined, at least for
the first three categories.
3. A CLASSIFICATION OF BARRIERS
Table 1 presents a classification of the barriers that are known from the
general literature. Each barrier is described with regard to its system, i.e., one of the four main
classes as defined above, and its function (or mode), i.e., the more specific nature of the
barrier. The list of barriers presented here is clearly not exhaustive, but hopefully sufficiently
extensive to be of some practical use.
Table 1: Barrier systems and barrier functions.

| Barrier system | Barrier function | Example |
|---|---|---|
| Material, physical | Containing or protecting. Physical obstacle, either to prevent transporting something from the present location (e.g., release) or into present location (penetration). | Walls, doors, buildings, restricted physical access, railings, fences, filters, containers, tanks, valves, rectifiers, etc. |
| Material, physical | Restraining or preventing movement or transportation. | Safety belts, harnesses, fences, cages, restricted physical movements, spatial distance (gulfs, gaps), etc. |
| Material, physical | Keeping together. Cohesion, resilience, indestructibility | Components that do not break or fracture easily, e.g. safety glass. |
| Material, physical | Dissipating energy, protecting, quenching, extinguishing | Air bags, crumple zones, sprinklers, scrubbers, filters, etc. |
| Functional | Preventing movement or action (mechanical, hard) | Locks, equipment alignment, physical interlocking, equipment match, brakes, etc. |
| Functional | Preventing movement or action (logical, soft) | Passwords, entry codes, action sequences, pre-conditions, physiological matching (iris, fingerprint, alcohol level), etc. |
| Functional | Hindering or impeding actions (spatio-temporal) | Distance (too far for a single person to reach), persistence (dead-man-button), delays, synchronisation, etc. |
| Symbolic | Countering, preventing or thwarting actions (visual, tactile interface design) | Coding of functions (colour, shape, spatial layout), demarcations, labels & warnings (static), etc. Facilitating correct actions may be as effective as countering incorrect actions. |
| Symbolic | Regulating actions | Instructions, procedures, precautions / conditions, dialogues, etc. |
| Symbolic | Indicating system status or condition (signs, signals and symbols) | Signs (e.g., traffic signs), signals (visual, auditory), warnings, alarms, etc. |
| Symbolic | Permission or authorisation (or the lack thereof) | Work permit, work order. |
| Symbolic | Communication, interpersonal dependency | Clearance, approval, (on-line or off-line), in the sense that the lack of clearance etc., is a barrier. |
| Immaterial | Monitoring, supervision | Check (by oneself or another a.k.a. visual inspection), checklists, alarms (dynamic), etc. |
| Immaterial | Prescribing: rules, laws, guidelines, prohibitions | Rules, restrictions, laws (all either conditional or unconditional), ethics, etc. |

It is not always easy or straightforward to classify a barrier. A wall is, of course, a physical
barrier system and a law is equally obviously an immaterial barrier system. But what kind of barrier
system or barrier function is a procedure? The procedure by itself is an instruction for how to
do something, hence not primarily a barrier. Procedures may, however, include warnings and
cautions, as well as conditional actions. The procedure may exist as a physical document, but
it works because of its contents or meaning rather than because of its physical characteristics.
The warnings, cautions, and conditions of a procedure are therefore classified as a symbolic
barrier system, i.e., they require an act of interpretation in order to work.
Symbolic barriers are often used to complement immaterial barriers. For instance, road signs
supplement the general speed limits given by the traffic laws. Symbolic barriers may also
complement material barriers to encourage their use. Seat belts are material barriers, but can
only serve their purpose when they are used. In commercial aircraft, seat belt use is supported
by both static cautions and dynamic signals (seat belt sign), as well as a visual inspection. In
private cars the material barrier is only supported by the immaterial barrier, i.e., the traffic
laws, which often produces a less than satisfactory result.
4. ACCIDENT ANALYSIS AND SYSTEM DESIGN
In order for a classification to be useful, it must be closely integrated with a method. In the
case of barriers, there is actually a need for two different sets of methods, one considering the
identification of barriers in accident analysis, and the other the specifications of barriers for
system design.
In the case of accident analyses, barrier identification is generally carried out in a rather ad
hoc fashion. The common practice in risk analysis is to look for known barriers - similar to
the search for latent failure conditions, sneak paths, or failure modes - and this approach has
simply been applied to accident analysis as well. The principal disadvantage is that the barrier
analysis in this way is carried out on its own, rather than as an integral part of the general
accident analysis method. Although risk analysis has some similarities to accident analysis, it
is clearly not a complete accident analysis method by itself, since it does not address aspects
such as accounting for the interaction between the various elements of the socio-technical
system, or describing the common performance conditions. It is therefore necessary to find a
way of incorporating a systematic classification of barriers into common accident analysis
methods. The easiest solution is presumably to combine the generic fault tree analysis with a
barrier analysis to identify the risks emanating from the failure of barriers, which can be
described as input conditions to the logical gates.
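Added example (not from the paper): a minimal sketch of the combination suggested above, with barrier failures as the basic events feeding the AND/OR gates of a fault tree. The door scenario follows Section 2; the access rule, the tree shape and every failure probability are constructed for illustration, and barrier failures are assumed independent.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Barrier:
    name: str
    system: str    # material | functional | symbolic | immaterial (Section 2)
    p_fail: float  # constructed probability that the barrier fails on demand


@dataclass(frozen=True)
class Gate:
    kind: str      # "AND" or "OR"
    inputs: tuple  # child Gate or Barrier nodes


def barriers(node):
    """Distinct barriers below a node, in first-seen order."""
    if isinstance(node, Barrier):
        return [node]
    found = []
    for child in node.inputs:
        found += [b for b in barriers(child) if b not in found]
    return found


def occurs(node, failed):
    """True if the node's event occurs given the set of failed barrier names."""
    if isinstance(node, Barrier):
        return node.name in failed
    hits = [occurs(child, failed) for child in node.inputs]
    return all(hits) if node.kind == "AND" else any(hits)


def top_probability(node, overrides=None):
    """Exact top-event probability by enumerating every barrier state.

    Enumeration stays correct when one barrier appears under several gates.
    """
    overrides = overrides or {}
    leaves = barriers(node)
    total = 0.0
    for states in product((True, False), repeat=len(leaves)):
        weight, failed = 1.0, set()
        for barrier, has_failed in zip(leaves, states):
            p = overrides.get(barrier.name, barrier.p_fail)
            weight *= p if has_failed else 1.0 - p
            if has_failed:
                failed.add(barrier.name)
        if occurs(node, failed):
            total += weight
    return total


def minimal_cut_sets(node):
    """Smallest sets of barrier failures that are sufficient for the top event."""
    if isinstance(node, Barrier):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = {s for sets in child_sets for s in sets}
    else:
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    # Absorption: drop any set that strictly contains another one.
    minimal = [s for s in combined if not any(other < s for other in combined)]
    return sorted(minimal, key=sorted)


def weakness_ranking(node):
    """Top-event probability when each barrier in turn is assumed to have failed."""
    rows = [(b.name, b.system, top_probability(node, {b.name: 1.0}))
            for b in barriers(node)]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed scenario: unauthorised entry through the door of Section 2.
DOOR = Barrier("door", "material", 0.001)
LOCK = Barrier("lock", "functional", 0.01)
WARNING = Barrier("written warning", "symbolic", 0.5)
RULE = Barrier("access rule", "immaterial", 0.2)  # assumed, not in the paper

# Entry needs the person to be undeterred (warning AND rule fail)
# and physical access to be obtained (lock OR door fails).
ENTRY = Gate("AND", (Gate("AND", (WARNING, RULE)), Gate("OR", (LOCK, DOOR))))

if __name__ == "__main__":
    print("minimal cut sets:", [sorted(s) for s in minimal_cut_sets(ENTRY)])
    print("P(entry) = %.6f" % top_probability(ENTRY))
    for name, system, p in weakness_ranking(ENTRY):
        print("%-16s %-11s P(entry | barrier failed) = %.6f" % (name, system, p))
```

With these constructed numbers the top event is most sensitive to the loss of the lock or the door, which is the kind of weakness a barrier failure assessment is meant to expose.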
For the purpose of system design, the main emphasis is normally on how to ensure that the
system functions as specified. While this clearly is an essential achievement, it is also
important to consider how the system may not function as specified, i.e., how it may fail.
Such analyses are common in the case of complex technological systems, e.g. as fault trees,
cause-consequence analyses, event trees, FMEA, HAZOP, etc., but are conspicuous by their
absence in the case of interactive systems - perhaps with the notable exception of HRA. It is,
however, of the utmost importance to use barriers as a pivotal element in system design, since
it is only by an inventive combination of barriers and facilitators that an effective and safe
system functioning can be achieved.
For event trees, barriers are uncomplicated to insert since they are represented simply as
failures – or rather, effective barriers are represented in terms of successes or very low failure
probabilities. It is then up to the designer later on to be more specific about the types of
barriers that may be needed to achieve the desired probability value. In that sense there is a
gradual transition to cause-consequence trees, which are more developed in the forward
direction than event trees. Here the introduction of the logical gates means that barriers
become more tangible and must be specified in greater detail.
Since barriers are included in a system to prevent undesirable events from occurring or to
protect against their consequences, it is important that potential barrier failures themselves can
be assessed, so that the weaknesses of the system are known. A tentative description of the
conditions that are required for adequate barrier functioning is shown in Table 2.
Table 2: Requirements for effective barrier functions.

| Barrier system | Barrier function | Pre-condition for proper functioning |
|---|---|---|
| Material | Physical | Reliable construction, possibly regular maintenance. |
| Functional | Mechanical | Reliable construction, regular maintenance. |
| Functional | Logical | Verified implementation, adequate security. |
| Functional | Spatio-temporal | Reliable construction, regular maintenance. |
| Functional | Monitoring | Reliable performance of monitor |
| Symbolic | Interface design | Valid design specification, verified implementation, systematic updating |
| Symbolic | Information | High-quality interface design, reliable functioning. |
| Symbolic | Signs, signals and symbols | Regular maintenance, systematic modification |
| Symbolic | Lack of permission or authorisation | High compliance by users. |
| Immaterial | Communicative, interpersonal | Nominal working conditions (no stress, noise, distraction, etc.). |
| Immaterial | Rules, cautions, warnings, prohibitions | High compliance by users. |

In order to include the concept of barriers in accident analysis and accident prevention, it is
necessary to combine the barrier concept with the notion of error modes. Hollnagel (1998)
identified eight basic error modes for human actions, which later were extended to cover
systemic failure modes as shown in Table 3 (cf. Hollnagel, 1999).
Table 3: Human and systemic error modes.

| | Human error mode | Systemic error mode |
|---|---|---|
| Timing | Action performed too early or too late | Position reached too early or too late. Equipment not working as required. |
| Duration | Action performed too briefly or for too long | Function performed too briefly or for too long. System state achieved too briefly or held for too long |
| Distance | Object/control moved too short or too far | System or object transported too short or too far |
| Speed | Action performed too slowly or too fast | System moving too slowly or too fast. Equipment not working as required. |
| Direction | Action performed in the wrong direction | System or object (mass) moving in the wrong direction |
| Force / power / pressure | Action performed with too little or too much force. | System exerting too little or too much force. Equipment not working as required. System or component having too little or too much pressure or power. |
| Object | Action performed on wrong object | Function targeted at wrong object |
| Sequence | Two or more actions performed in the wrong order | Two or more functions performed in the wrong order |
| Quantity and volume | None | System/object contains too little or too much or is too light or too heavy. |

In order to be able to select the right barrier during system design, it is necessary to assess the
efficiency of each barrier system relative to the failure or error modes. Consider, for instance,
the error mode of distance. Here a material barrier can be highly efficient in preventing a
movement from being taken too far (although not for preventing too short a movement). A
functional barrier may also be highly efficient, but both symbolic and immaterial barriers are
likely to be of little use.
The analyses made so far have indicated that immaterial barriers normally are rather
inefficient, even though they are cheap and fast to implement. This corresponds to the
ordering of approaches to hazard elimination in the MORT technique (Knox & Eicher, 1983),
where immaterial barriers, such as the development of special procedures to handle the
situation, come last. The other barrier systems may be efficient in different ways, and in
practice the establishing of an effective barrier requires a combination of several barrier
systems. Guidelines and principles for how this is to be done will be developed in a recently
started project.
5. REFERENCES
Hollnagel, E. (1998). Cognitive reliability and error analysis method. Oxford, UK: Elsevier
Science.
Hollnagel, E. (1999). Accident analysis and barrier functions. Halden, Norway: Institute for
Energy Technology.
Kecklund, L. J., Edland, A, Wedin, P. & Svenson, O. (1996). Safety barrier function analysis
in a process industry: A nuclear power application. Industrial Ergonomics, 17, 275-284.
Knox, N. W. & Eicher, R. W. (1983) MORT user’s manual (DOE 76/45-4). Idaho Falls,
Idaho: EG&G Idaho, Inc.
Leveson, N. (1995). Safeware. System safety and computers. Reading, MA: Addison-Wesley
Publishing Company.
Svenson, O. (1991). The accident evolution and barrier function (AEB) model applied to
incident analysis in the processing industries. Risk Analysis, 11(3), 499-507.
Svenson, O. (1997). Safety barrier function analysis for evaluation of new systems in a
process industry: How can expert judgment be used? In: Proceedings of Society for Risk
Analysis Europe Conference, Stockholm, June 15-18, 1997.
Taylor, R. J. (1988). Analysemetoder til vurdering af våbensikkerhed. Glumsø, DK: Institute
for Technical Systems Analysis.
Trost, W. A. & Nertney, R. J. (1985). Barrier analysis (DOE 76-45/29). Idaho Falls, Idaho:
EG&G Idaho, Inc.
Bibliographic Data
Proceedings of the European Conference on Cognitive Science Approaches to Process
Control (CSAPC), 21-24 Sep, 1993, Villeneuve, France. (p. 175-180).
... physical, functional, symbolic and incorporeal) and asked the participants to rank the controls in the order of their effectiveness, state which control type they most frequently introduce in their safety recommendations, and justify their last answer. It is noted, that the control types were presented to the participants in a random order of effectiveness outlined in the literature (Hollnagel, 1999). The last section of the instrument referred to the scope of recommendations and included a short description for each of the dimensions (i.e. ...
... The subjects were prompted to choose the frequency to which their recommendations focus on each of the categories of the three dimensions (possible choices: 0-20%, 21-40%, 41-60%, 61-80%, and 81-100%) and state respective reasons. (Hollnagel, 1999). ...
... Concerning the type of controls introduced through safety recommendations, interestingly, their effectiveness as perceived by the participants is not aligned with the literature suggestions, the results showing a reverse order. Whereas the work of Hollnagel (1999) implies that physical and functional controls are more robust and effective, the respondents viewed the symbolic and incorporeal controls as such. The comments collected showed that the viewpoints about the effectiveness of technology and non-technology based controls were evenly divided. ...
Chapter
Full-text available
Taking into account the lack of uniform guidelines for the design and classification of safety recommendations, a relevant framework was developed according to academic and professional literature. The framework includes nine design criteria for recommendations, it incorporates classifications of their scope and expected effectiveness, and it was used to perform a questionnaire survey across aviation professionals involved in the generation of safety recommendations. The goal of the survey was to capture (1) whether practitioners are knowledgeable about the design criteria, (2) the degree to which they apply those criteria along with corresponding reasons, (3) perceptions of the expected effectiveness of types of controls introduced through recommendations, (4) the frequency of generating each control type and respective explanations, and (5) the extent to which practitioners focus on each of the categories of recommendations' scope and the relevant reasons. Overall, the results showed: an adequate level of knowledge of the design criteria; a strong positive association of the knowledge on a particular criterion with the degree of its implementation; a variety of frequencies the recommendations are addressed to each of the scope areas; a reverse order of perception of the expected effectiveness of control types compared to the literature suggestions. A thematic analysis revealed a broad spectrum of reasons about the degree to which the design criteria are applied, and the extent to which the various types of recommendations are generated. The results of the survey can be exploited by the aviation sector to steer its relevant education and training efforts and assess the need for influencing the direction safety recommendations are addressed. Similar research is suggested to be conducted by organizations and regional and international agencies of any industry sector by ensuring a larger sample.
... This categorisation was perceived by the researchers as a combination of levels and types of risk controls. Hence, the authors, as a means to use in this study more distinctive classifications, adapted the ESReDA tool (ESReDA, 2015) to categorise the scope of recommendations, and used the functionality types of barriers (Hollnagel, 1999) for indicating the focus of recommendations, as explained in the sections 2.3.1 and 2.3.2 below. ...
... However, the authors contemplated that the definition of Sklet (2006) captures the concept sufficiently: Safety barriers are physical and/or nonphysical means planned to prevent, control or mitigate undesired events or accidents. Hollnagel (1999) introduced four types of barriers that reflect their functionality: ...
Article
Full-text available
Literature and industry standards do not mention inclusive guidelines to generate safety recommendations. Following a literature review, we suggest nine design criteria as well as the classification of safety recommendations according to their scope (i.e. organizational context, stakeholders addressed and degree of change) and their focus, the latter corresponding to the type of risk barrier introduced. The design and classification criteria were applied to 625 recommendations published by four aviation investigation agencies. The analysis results suggested sufficient implementation of most of the design criteria. Concerning their scope, the findings showed an emphasis on processes and structures (i.e. lower organizational contexts), adaptations that correspond to medium degree of changes, and local stakeholders. Regarding the focus of the recommendations, non-technical barriers that rely mostly on employees’ interpretation were introduced by the vast majority of safety recommendations. Also, statistically significant differences were detected across investigation authorities and time periods. This study demonstrated how the application of the suggested design and classification frameworks could reveal valuable information about the quality, scope and focus of recommendations. Especially the design criteria could function as a starting point towards the introduction of a common standard to be used at local, national and international levels.
... The performance evaluation of safety barriers serves as a tool for preventing, controlling, and minimizing accidents within systematic safety modeling and assessment. The concept of safety barriers is credited to Haddon [18,19], with the Management Oversight and Risk Tree (MORT) providing a clear representation of this idea [20], which was later manipulated by Hollnagel [21]. ...
Chapter
In accident causation, the interaction between human involvement and organizational factors plays a crucial role, often leading to deviations at the organizational level before affecting humans and equipment. Taking a proactive approach to identify and address these organizational-level deviations holds promise in preventing subsequent human and equipment failures. However, traditional risk assessment methods like PHA, HAZOP, FMEA, LOPA, and QRA, while foundational, lack the sufficient capacity to assess safety barrier performance and quantify Risk Influence Factors (RIFs). This gap results in overlooking the impact of organizational factors on the overall risk profile. This chapter aims to fill this gap by exploring models of safety incident origins explicitly designed to integrate RIFs, addressing critical gaps in root cause analysis. These methodologies, mindful of RIFs, provide a comprehensive view covering short- and long-term factors influencing technological systems and human behavior. The modeling of RIFs becomes crucial, offering insights essential for identifying risk prevention and mitigation strategies, along with relevant indicators. The utilization of these indicators for monitoring RIF states is instrumental in uncovering fluctuations directly linked to shifts in the risk scenario. The chapter examined various models and methodologies, including Barrier and Operational Risk Analysis (BORA), Causal Modeling of Air Transportation System (CATS), Hybrid Causal Logic Model (HCL), Accidental Risk Assessment Methodology for Industries (ARAMIS), Integrated Risk (I-Risk) method, Accident Causation using Hierarchical Influence Network (MACHINE), Operational Condition Safety (OTS), and Risk Modeling—Integration of Organizational, Human, and Technical factors (Risk-OMT). It also highlights hybrid methodologies, incorporating diverse tools like Bayesian networks into accident causation modeling. 
This exploration serves as a guide for an adaptive approach in complex sociotechnical systems. Emphasizing the pivotal role of organizational and management factors in shaping accident dynamics and risk assessments, this work offers a scholarly yet accessible insight into risk assessment methodologies considering RIFs.
... Svenson developed an accident evolution and barrier function (AEB) model that can be used to conduct accident evolution analysis to give suggestions for increasing safety in the process industries (Svenson, 1991). Then, the concept and functions of the so-called "safety barrier" were elaborated by Hollnagel in 1999(Hollnagel, 1999a, 1999b before some researchers tried to interpret and define safety barriers clearly to reduce misconceptions in work related to risk management and accident prevention . Additionally, the ARAMIS (Accidental Risk Assessment Methodology for Industries) project developed an integrated approach for modelling and managing risks related to major hazard plants in Europe since 2001. ...
Article
Full-text available
Barriers are used in various forms to assure the safety of chemical plants. A deep understanding of the literature related to safety barriers is essential to tackle the challenges in improving their design and management. This paper first provides an overview of the history of the development of the safety barrier concept. Subsequently, this paper elaborates a systematic review of the definition, classification, evaluation, performance assessment, and management of safety barriers in the chemical process industries. Based on the literature review, this study proposes a practical classification of safety barriers benefiting the identification of performance indicators and the collection of indicator-related data for safety barriers. The safety barrier functions are extended and illustrated by involving the resilience concept. Performance assessment criteria are proposed corresponding to the adaptability and recoverability of the safety barriers. Finally, the management of safety barriers is discussed. The roadmap for future studies to develop integrated management of safety and security barriers to ensure the resilience of chemical plants is suggested.
... The diversity of safety barriers according to the field makes the concept unclear. Hollnagel (1999) defined barriers as obstacles, obstructions, or hindrances that can either prevent an inappropriate action or the occurrence of an event or prevent or lessen the impact of its consequences. In the field of production, three safety barriers are described to avoid human error and to reduce the risks associated with human behaviour: the barrier of the designer of the production tool, the barrier of the operator which includes it into the existing work environment, and users' barriers (Vanderhaegen, 2003). ...
The traditional approaches to safety in risk activities have been applied to radiotherapy following the occurrence of serious accidents. This strategy is based on the characterization of specific risks and the definition of preventive and protective measures, particularly for the implementation of safety barriers. Evaluating the performance of safety barriers makes it possible, in theory, to determine the level of risk control. This article presents a literature review that highlights the limits of the safety barrier concept. To overcome these limitations, we then introduce the notion of “activities contributing to safety” (ACS). This concept allows us to better take into account the managerial, contextual, organizational and human dimensions of safety and to promote risk control through a more realistic approach.
... Safety-II considers the ability of systems to adapt to variation, disruption, and degradation of expected conditions [22,23]. One can see the transition through papers about accident barrier classification and analysis [24], to a recognition that a reactive approach was insufficient, necessitating accident prevention and a proactive approach [25], to safety as a dynamic non-event (i.e., the absence of events) using a framework of resilience. Importantly, the reactive approach of Safety-I should be complemented (not replaced) by proactive Safety-II approaches that attempt to develop ways to support things that "go right" [21]. ...
Thinking in patient safety has evolved over time from more simplistic accident causation models to more robust frameworks of work system design. Throughout this evolution, less consideration has been given to the role of the built environment in supporting safety. The aim of this paper is to theoretically explore how we think about harm as a systems problem by mitigating the risk of adverse events through proactive healthcare facility design. We review the evolution of thinking in safety as a safety science. Using falls as a case study topic, we use a previously published model (SCOPE: Safety as Complexity of the Organization, People, and Environment) to develop an expanded framework. The resulting theoretical model and matrix, DEEP SCOPE (DEsigning with Ergonomic Principles), provide a way to synthesize design interventions into a systems-based model for healthcare facility design using human factors/ergonomics (HF/E) design principles. The DEEP SCOPE matrix is proposed to highlight the design of safe healthcare facilities as an ergonomic problem of design that fits the environment to the user by understanding built environments that support the “human” factor.
In 2014, a BC Hydro electrician made inadvertent hand contact with a 12-kV bus while working on a station disconnect switch installation. The electrician lived but ended up losing both arms below the elbows. This article provides an overview of the incident, the two-and-a-half-month investigation, and the corrective action of implementing improved hazard identification and effective barriers as a part of job planning. It briefly introduces the Tripod Beta methodology of incident analysis, which focuses on barriers that could have been implemented to prevent or mitigate the outcome. The article will also reveal how human factors contributed to the incident as well as how a very detailed and thorough tailboard discussion focused on generic hazard categories rather than specific hazard sources. The corrective-action implementation included introducing a barrier-effectiveness tool called the hazard barrier reference (HBR) that crews now use as a part of their tailboard process. If crews cannot implement at least one effective barrier from the HBR sheet, that triggers a hazard barrier deficiency process that logs the work situation in a registry. The Hazard Barrier Governance Committee was formed to address these deficiencies and look for barrier improvements.
In nuclear power plants (NPPs), man-machine interfaces (MMIs) are being transformed from conventional panels to computer workstations. Therefore, operators’ behavior and performance shaping factors (PSFs) in modern main control rooms (MCRs) differ from what they do in a conventional one. New human error, error mechanism and PSFs etc. are introduced into digital control systems (DCS). The conventional human error analysis (HEA) methods cannot meet new requirements. So it is important to establish a new technique of HEA for investigating human failure events in digital NPPs. In order to investigate and analyze human errors and to trace organizational root causes in digital NPPs, an Organization-oriented Technique of Human Error Analysis (OTHEA) was established. In this first paper, an organization-oriented conceptual model of HEA was established. Furthermore, the classification framework of HEA was developed based on the established conceptual model of HEA, including classification of human error, PSFs, psychological error mechanisms (PEMs), error recovery failures (ERFs) and safety barriers. It provides theoretical guidance and practical support for the investigation of human failure events in digital NPPs.
This study develops a theoretical model for accident evolutions and how they can be arrested. The model describes the interaction between technical and human-organizational systems which may lead to an accident. The analytic tool provided by the model gives equal weight to both these types of systems and necessitates simultaneous and interactive accident analysis by engineers and human factors specialists. It can be used in predictive safety analyses as well as in post hoc incident analyses. To illustrate this, the AEB model is applied to an incident reported by the nuclear industry in Sweden. In general, application of the model will indicate where and how safety can be improved, and it also raises questions about issues such as the cost, feasibility, and effectiveness of different ways of increasing safety.
Accidents in complex industrial systems often originate from interacting technical, organizational and human failures. Barrier functions protect the systems from the negative consequences of failures and errors. The purpose of the present study was to present a general model for and analyse the reliability of the existing barrier functions in the refuelling process in a nuclear power plant. A first step in the analysis was to identify the barrier functions in the refuelling process by constructing an Event and Barrier Function Model. Seventeen barrier functions were identified and classified as technical, human or human/organizational. Secondly, the reliability of the barrier functions was assessed using ratings from two personnel groups working in the process, sixteen plant operators and eleven external operators. Five performance shaping factors (PSFs) as well as six task-specific characteristics (TSCs) were also assessed. The plant operators rated the overall barrier function strength as significantly lower than the external operators. For judgments of contribution to a broken barrier function from PSFs and TSCs there was no significant difference between the two groups. Across groups, two PSFs, fatigue and night shift, were rated as contributing more to the possibility of a broken barrier function. This analysis can provide a benchmark for comparison of safety in the refuelling task before and after a technical and organizational intervention.
Trost, W. A. & Nertney, R. J. (1985). Barrier analysis (DOE 76-45/29). Idaho Falls, Idaho: EG&G Idaho, Inc. Bibliographic Data Proceedings of the European Conference on Cognitive Science Approaches to Process Control (CSAPC), 21-24 Sep, 1993, Villeneuve, France. (p. 175-180).
Svenson, O. (1997). Safety barrier function analysis for evaluation of new systems in a process industry: How can expert judgment be used? In: Proceedings of Society for Risk Analysis Europe Conference, Stockholm, June 15-18, 1997.
Knox, N. W. & Eicher, R. W. (1983) MORT user's manual (DOE 76/45-4). Idaho Falls, Idaho: EG&G Idaho, Inc.
Taylor, R. J. (1988). Analysemetoder til vurdering af våbensikkerhed. Glumsø, DK: Institute for Technical Systems Analysis.