Safety–I and Safety–II: The Past and Future of Safety Management
Hollnagel, Erik. Farnham, Surrey, England, and Burlington, Vermont, U.S.: Ashgate, 2014. 200 pp. Figures, tables, glossary, index. Hardcover, paperback, ebook PDF, ePUB PDF.
Hollnagel, professor at the University of Southern Denmark, argues that it is time for a new strategy in safety management. He distinguishes the new process, which he calls Safety–II, from the traditional one that he names Safety–I.
Here is how he defines the two:
- Safety–I: “Safety is the condition where the number of adverse outcomes (accidents/incidents/near misses) is as low as possible. Safety–I is achieved by trying to make sure that things do not go wrong, either by eliminating the causes of malfunctions and hazards, or by containing their effects.”
- Safety–II: “Safety is a condition where the number of successful outcomes is as high as possible. It is the ability to succeed under varying conditions. Safety–II is achieved by trying to make sure that things go right, rather than by preventing them from going wrong.”
Safety–I, Hollnagel says, has prevailed in risk management since people started pursuing safety in a disciplined way. He discusses several phases of development.
The Three Ages
In what he calls the First Age, “the dominant threats to safety came from the technology that was used, both in the sense that the technology … itself was clunky and unreliable, and in the sense that people had not learned how systematically to analyse and guard against the risks. The main concern was to find the technical means to safeguard machinery, to stop explosions and to prevent structures from collapsing.” This prevailed roughly from the beginning of the Industrial Revolution period in the late 18th century through World War II, and for some years afterward.
“The feeling of having mastered the sources of risks so that the safety of industrial systems could be effectively managed was rather abruptly shattered by the disaster at the Three Mile Island nuclear power plant [in central Pennsylvania, U.S.] on 28 March 1979,” Hollnagel says. This led to what he calls the Second Age, which was marked by the study of a new risk factor — human operators.
While a step forward in some ways, human factors research too often led to another misguided solution, namely, writing the operator out of safety management as much as possible. “In the general view, humans came to be seen as failure-prone and unreliable, and so as a weak link in system safety,” Hollnagel says. “The ‘obvious’ solution was to reduce the role of humans by replacing them by automation, or to limit the variability of human performance by requiring strict compliance.” As will be seen in the discussion of Safety–II, it is precisely this variability that is now said to offer a key to further risk reduction.
Belief in the supreme efficacy of human factors design and procedures “lasted barely a decade.” Several events, including the space shuttle Challenger disaster, the explosion of a nuclear reactor at the Chernobyl power plant in the former Soviet Union, and the taxi-phase collision of two Boeing 747 airliners at Tenerife, Canary Islands, “made it clear that the organisation had to be considered over and above the human factor.
“One consequence was that safety management systems have become a focus for development and research, and even lend their name to the Third Age: ‘the age of safety management.’”
Hollnagel is not convinced that the attempts to counter the safety threats revealed in the Second Age and Third Age are adequate. He says, “While we can have some confidence in the answers when the safety of technical systems is assessed, we cannot feel the same way when the safety of the human factor or the organisation is assessed. The reason for that is simply that the questions are less meaningful than for technical systems, if not outright meaningless.”
He argues that although technical issues can be analyzed, and defenses against technical failure can be reasonably precise, the same cannot be said about people, still less about organizations.
Safety–I has led to huge success in risk reduction. There is no debate about the steep decline in commercial aviation accident rates, particularly since the beginning of the jet era, or the remarkably good safety record that continues in most regions of the world. Hollnagel does not suggest, however, that progress is being held back by Safety–I practices. He says, “While Safety–II represents an approach to safety that in many ways differs from Safety–I, it is important to emphasise that they represent two complementary views of safety rather than two incompatible or conflicting views.”
Safety management has vastly expanded in complexity since the early industrial age, when the goal was mainly to see that equipment such as railroad engines did not blow up or otherwise harm people and property. The safety focus now includes operational systems and their interrelationships, maintenance, automation, organizations and human psycho-physiology. As a result, Hollnagel says, in Safety–I, a split inevitably arises between what is called Work-As-Imagined (by designers, management and others removed from the task; that is, at the so-called “blunt end”) and Work-As-Done (by maintenance technicians, pilots and others at the “sharp end” of an airplane).
“Seen from the sharp end, it is no surprise that descriptions based on Work-As-Imagined cannot be used in practice and that actual work is different from prescribed work,” Hollnagel says. “But this difference is not at all easy to see from the blunt end, partly because it is seen from the outside and from a distance, partly because there is a considerable delay and partly because any data that might exist have been filtered through several organisational layers. …
“We know from a long experience that it is possible to design even extremely complicated [technical] systems in every detail and to make certain that they work, by rigorously ensuring that every component functions according to specifications. Machines, furthermore, do not need to adjust their functioning because we take great care to ensure that their working environment is kept stable and that the operating conditions stay within narrow limits.”
People at the sharp end are assumed to be equally capable of performing Work-As-Imagined — and to be motivated by encouragement or threat. Hollnagel says, “According to this way of looking at the world, the logical consequence is to reduce or eliminate performance variability either by standardising work … or by constraining all kinds of performance variability so that efficiency can be maintained and malfunctions or failures avoided.”
Hollnagel distinguishes between tractable and intractable systems:
“A system is tractable if the principles of its functioning are known, if descriptions of it are simple and with few details and, most importantly, if it does not change while it is being described. … A system is intractable if the principles of its functioning are only partly known (or, in extreme cases, completely unknown), if descriptions of it are elaborate with many details and if systems change before descriptions can be completed.” The more complicated a system, the more intractable, and the less its aspects involving humans can be fully specified. Some situations can only be resolved by variability determined ad hoc by humans.
For these reasons, and other issues discussed in the book, Hollnagel concludes that “people always have to adjust work to the actual conditions, which on the whole differ from what was expected — and many times significantly so. This is the performance adjustment or the performance variability that is at the core of Safety–II.”
Whereas in Safety–I, the human factor was considered at best an unfortunate necessity and at worst a threat to be damped down, Safety–II acknowledges the following:
- “Systems are not flawless and people must learn to identify and overcome design flaws and functional glitches;
- “People are able to recognise the actual demands and can adjust their performance accordingly;
- “When procedures must be applied, people can interpret and apply them to match the conditions; [and,]
- “People can detect and correct when something goes wrong or when it is about to go wrong, and hence intervene before the situation seriously worsens.”
All these are examples of things that go right, but they usually go unnoticed, even by the people directly involved. Hollnagel says, “It is essential not to wait for something bad to happen, but to try to understand what actually takes place in situations where nothing out of the ordinary seems to take place. Safety–I assumes that things go well because people simply follow the procedures and Work-As-Imagined. Safety–II assumes that things go well because people always make what they consider sensible adjustments to cope with current and future situational demands. Finding out what those adjustments are and trying to learn from them can be more important than finding the causes of infrequent adverse outcomes!”
Every successful operation, such as a safe flight, involves countless actions that go right. But how can those actions be studied? Many national safety authorities scarcely have the resources to investigate accidents and incidents adequately, let alone investigate what seem like non-events.
Hollnagel suggests several techniques, primarily interviewing the people at the sharp end. He believes that this is feasible and likely to bear fruit because asking individuals about their successful procedures avoids any tendency toward defensiveness on their part. Interviews can include questions like these, he says:
- “What do you do if something unexpected happens? For example, an interruption, a new urgent task, an unexpected change of conditions [or] a resource that is missing?
- “Is your work usually routine or does it require a lot of improvisation?
- “What do you do if information is missing, or you cannot get hold of certain people? [and,]
- “How often do you change the way you work?”
“A Safety–II perspective will … require methods and techniques on [their] own to be able to look at things that go right, to be able to analyse how things work and to be able to manage performance variability rather than just constraining it,” Hollnagel says.