Kenneth L. MartinGraduate Student

University of Alabama at BirminghamAdvanced Safety Engineering and Management

UNIVERSITY OF ALABAMA BIRMINGHAM – College of Engineering, Birmingham, AL (expected graduation 2015). Candidate forMaster of Engineering in Advanced Safety Engineering and Management (full‐time student).

EASTERN KENTUCKY UNIVERSITY ‐ College of Justice & Safety, Richmond, KentuckyBachelors in Occupational Safety and Fire Safety Engineering Technology (2013)

TIDEWATER COMMUNITY COLLEGE ‐ Portsmouth, VirginiaAssociate of Applied Science in Environmental Protection (2000) 

Seasoned safety professional with multifaceted experience in a variety of environments including a cumulative 15+ years in the health & safety compliance field with several major construction and manufacturing organizations. 

Before entering the safety profession I worked in several skilled trades in manufacturing and residential and commercial construction.

The next 25 minutes…

1. Define Human Error and Error Provocative Environment

2. Heinrich’s 88-10-2 Theory Explored3. Relationship Between Injury

Frequency/Severity Rate4. Complex Systems and Why Do We Need

Something Different 5. Application of Prevention Through Design

(PtD) in the workplace

PhilosophyJames Reason definition:

“(Human) Error will be taken as a generic term to encompass all those occasions in which a planned sequence of mental or physical activities fails to achieve its intended outcome, and when these failures cannot be attributed to the intervention of some chance agency.”

Photo: Retrieved from internet: http://www.andbethere.com/

Dr. Sidney Dekker:

There are basically two ways of looking at human error. The first view is known as the old View, or The Bad apple Theory. it maintains that:

• Complex systems would be fine, were it not for the erratic behavior of some unreliable people (Bad apples) in it;• Human errors cause accidents: humans are the dominant contributor to more than two thirds of them;• Failures come as unpleasant surprises. They are unexpected and do not belong in the system. Failures are introduced to the system only through the inherent unreliability of people (The Field Guide to Understanding Human Error, 2006, p. 1).

Dr. Sidney Dekker:

The new View of human error:

• Human error is not a cause of failure. Human error is the effect, or symptom, of deeper trouble in the system. • Human error is not random. it is systematically connected to features of people’s tools, tasks and operating environment. • Human error is not the conclusion of an investigation, it is the starting point (The Field Guide to Understanding Human Error, 2006, p. 15).

Dr. Nancy Leveson:

“Instead of thinking of operations as predefined sequences of actions, human interaction with a system is increasingly being considered to be a continuous control task in which separate “decisions” or errors are difficult to identify.”

The alternative view on human error “requires a new approach to representing and understanding human behavior, focused not on human error and violation of rules but on the mechanisms generating behavior in the actual, dynamic context” (Engineering a Safer World, Systems Thinking Applied to Safety, 2011, p. 46 & 46).

Ways of thinking about the issuesPhilosophy &TheoryHow we thinkPrinciplesVocabulary

Safety

(Borys, 2014)

Practice

What we doQuestions we ask

Professor Sidney Dekker on Why Things Go Wrong 

Fred Manuele

“To avoid hazard-related incidents resulting in serious injuries, human error potentials must be addressed at the cultural, organizational, management systems, design, and engineering levels, and with respect to the work methods prescribed. This spells opportunity for safety professionals to acquire new knowledge with respect to human error reduction and to enhance their professional status. Human error reduction may very well become the frontier for the practice of safety” (Advanced Safety Management, Focusing on Z10 and Serious Injury Prevention, 2008, p. 79).

So-called human errors are events of different types (slips, trips and falls, lapses, mistakes, violations, errors of judgment, mismatches and ignorance of responsibilities), made by different people (managers, designers, operators, construction workers, maintenance workers and so on) and that different actions are required to prevent them happening again: in some cases better training or instructions, in other cases better enforcement of the rules, in most cases a change in the work situation.

Source: The Field Guide to Understanding Human Error, 2006, p. 225

An Error Provocative Environment is an environment that lacks controls to such a degree that the area itself “Provokes, Entices or Stimulates” individuals to make errors. These errors are manifested as unsafe acts” (Christopher J. Colburn, Meng, CSP, The Error Provocative Environment).If the design of the workplace or the work methods is error-provocative, you can be sure that human errors will occur.

The improvement in system performance that can be realized from the redesign of equipment is usually greater than the gains that can be realized from the selection and training of personnel.

Design characteristics that increase the probability of error include a job, situation, or system which:

a. Violates operator expectationsb. Requires performance beyond what an operator can deliverc. Induces fatigued. Provides inadequate facilities or information for the

operatore. Is unnecessarily difficult or unpleasantf. Is unnecessarily dangerous (Dr. Alphonse Chapanis, The

Error-Provocative Situation, 1980).

Heinrich Revisited

Source:  UAB ASEM EGR 601 Presentation, Lanny Floyd, P.E., CSP, CMRP. Sept. 29,2013

Heinrich Revisited

Source:  UAB ASEM EGR 601 Presentation, Lanny Floyd, P.E., CSP, CMRP. Sept. 29,2013

Herbert Heinrich published one of the earliest accident models in 1931, known as the Domino Accident Model. Heinrich worked for Travelers Insurance Company, where he was exposed to countless industrial accident reports.

Heinrich believed that the vast majority of industrial accidents—98 percent—were preventable if the “true causes” could be identified using a better model of accident causation.

Heinrich’s theory: that 88% of accidents were caused by unsafe acts while 10% of accidents were caused by unsafe conditions. These acts and conditions are in turn caused by the fault of a person, which is a result of their ancestry and social environment.

Heinrich RevisitedFocus on Direct Causality and Human Error

Heinrich’s conclusions are based on the following assertions (Domino Accident Model):

1. Accidents are best understood as a chain of events

2. A direct causal relationship exists between events resulting in linear propagation (i.e., verses non‐linear dynamic systems)

3. Accidents are primarily caused by a single “root cause” or “proximate cause”

4. Accidents are primarily caused by operator error

Heinrich’s Domino Model (1931)

Heinrich Revisited

Source:  UAB ASEM EGR 601 Presentation, Lanny Floyd, P.E., CSP, CMRP. Sept. 29,2013

Heinrich Revisited

Source:  UAB ASEM EGR 601 Presentation, Lanny Floyd, P.E., CSP, CMRP. Sept. 29,2013

Source:  UAB ASEM EGR 601 Presentation, Lanny Floyd, P.E., CSP, CMRP. Sept. 29,2013

Heinrich Revisited

Source:  UAB ASEM EGR 601 Presentation, Lanny Floyd, P.E., CSP, CMRP. Sept. 29,2013

Heinrich Revisited

Source:  UAB ASEM EGR 601 Presentation, Lanny Floyd, P.E., CSP, CMRP. Sept. 29,2013

In a speech at the 2003 Behavioral Safety Now Conference, James Johnson, a managing director at Liberty Mutual Insurance Company, stated the following:

“I’m sure that have many of us have said at onetime or another that frequency reduction will result in severity reduction. This popularly held belief is not necessarily true. If we do nothing different than we are doing today, these types of trends will continue.”

“Don’t blame people for problems caused by the system” Dr. Deming

“Behavior is an outcome of a number of cultural factors, including work climate, the relevant equipment, the work process and the management system” Dr. Scott Geller

Retrieved from the internet: http://www.psyc.vt.edu/users/esgeller, 2/2/14.

Further Studies on Heinrich

Source:Manuele, F. A. (2008). Prevention Through Design, Addressing occupation risks in the design and redesign processes. ASSE Professional Safety, 28‐40.

Why Do We Need Something Different?

The ProblemThe first step in solving any problem is to understand it. We often propose solutions to problems that we do not understand and then are surprised when the solutions fail to have the anticipated effect.

Photo retrieved from the internet: http://empowermax.biz/wp‐content/uploads/2014/11/problems.jpg, 1/2/15.

Why Do We Need Something Different?

Impediments to Learning from Accidents and Incidents

• Filtering and subjectivity in accident reports (i.e., hiding the bad news)

• “Blame is the enemy of safety” Focuses is on “who” and not “why”

• “Root cause” seduction• Believing in a “root cause” appeals to our 

desire for control Leads to a sophisticated “whack a mole” 

game Fix symptoms but not process that led to 

loss Same accident happening over and over 

again

Photo retrieved from the internet: http://empowermax.biz/wp‐content/uploads/2014/11/problems.jpg, 1/2/15.

Blame is the enemy of safety

Why Do We Need Something Different?

While the traditional approaches worked well for the simpler systems of the past for which they were devised, significant changes have occurred in the types of systems we are attempting to build today and the context in which they are being built. 

Retrieved from the internet: http://wordlesstech.com/wp‐content/uploads/2011/12/Most‐complicated‐cockpit‐in‐the‐World‐6.jpg , 1/2/15.

Photo: Shuttle Atlantis Cockpit.

Why Do We Need Something Different?

These changes are stretching the limits of safety engineering:

• Use of software has created new causes of accidents• Role of humans in systems and in accidents has changed• Increased recognition of importance of management and social factors in 

accidents• Fast pace of technological change

Learning from experience (“fly‐fix‐fly”) no longer as effective Introduces “unknowns” and new paths to accidents Faster time to market means less testing and analysis  For example, the public is increasingly being exposed to new manmade 

chemicals or toxins in our food and our environment. • Increasing complexity• Decreasing tolerance for single accidents

Leveson, STPA/STAMP Workshop, 2013

Why Do We Need Something Different?

Source: Erik Hollnagel, 2014, Presentation at the National Museum of Finland, Helsinki, From zero tolerance to resilience?

“The dogmas of the quiet past, are inadequate to the stormy present. The occasion is piled high with difficulty, and we must rise --with the occasion. As our case is new, we must think anew, and act anew” (Lincoln, 1862).

Retrieved from the internet: http://en.wikipedia.org/wiki/Abraham_Lincoln , 1/2/15.

Why Do We Need Something Different?

As a profession, the safety profession must move beyond the old ways of doing things, which may have achieved much, but certainly is not suited to the challenges of the future. Retrieved from the internet: 

http://peterdbaker.com/wp‐content/uploads/2014/04/mvmt.gif , 1/2/15.

Why Do We Need Something Different?

In 2008 NIOSH declared as a major initiative:

Develop and approve a abroad, generic voluntary consensus standard on Prevention through Design that is aligned with international design activities and practice.

Retrieved from the internet: http://www.cdc.gov/niosh/topics/ptd/, 2/2/14

Generic voluntary consensus standardAmerican National Standards Institute (ANSI)Need for an ANSI accredited standardsdevelopment organizationAmerican Society of Safety Engineers (ASSE)

The ANSI/ASSE Z590.3 standard provides guidance for the combining of the decision making process into the occupational risks which are associated with the design and redesign processes, including a facility’s operations, equipment, materials and processes (Manuele, 2008).

Source:Manuele, F. A. (2008). Prevention Through Design, Addressing occupation risks in the design and redesign processes. ASSE Professional Safety, 28‐40.

The purpose of the PtD standard is as follows: “achieve safety, which is defined as that state for which the risks are acceptable and tolerable in the setting being considered; minimize the occurrence of occupational injuries, illnesses and fatalities” (Manuele, 2008, p. 29).

Source:Manuele, F. A. (2008). Prevention Through Design, Addressing occupation risks in the design and redesign processes. ASSE Professional Safety, 28‐40.

1. Pre-operational stage, which includes pre-planning, specification, design, prototyping, and construction processes. 2. Operational stage, where hazards and risks are identified and evaluated and corrective action is taken through either redesign initiatives or by making changes in work methods to prevent incidents or exposure. 3. Post incident stage, where investigations are made of incidents and exposures to develop the causal factors, which will lead to the correct interventions and acceptable risk levels. 4. Post operational stage, when the demolition or reusing/rebuilding operations are undertaken.

Source: https://www.osha.gov/SLTC/ergonomics/controlhazards.html

Engineering Controls (implement physical change to the workplace, which eliminates/reduces the hazard on the job/task)Administrative and Work Practice Controls (establish efficient processes or procedures)Personal Protective Equipment (use protection to reduce exposure to ergonomics‐related risk factors) LAST RESORT!

Source:  UAB ASEM EGR 610 Presentation, Dr. Martha W. Bidez, Ph.D. Sept. 29,2013

Safety Through Design

A Pre-Thought, Not An After Thought

Retrofit

Project Conception

Design BuildOperate, Produce, Maintain

Ease of Integrating SafetyCost of Integrating Safety

Eliminate,

Recycle, Revise

Design

Safety includes: fire, environment, ergonomics, health, vehicle, construction workers.

Projects include: facilities, processes, equipment, products.

Retire

Source:Manuele, F. A. (2008). Prevention Through Design Presentation  ASSE.

What is the major key to the success of any new standard, program or process?

Source:  John P. Kotter, Leading Change, 1996

Source:  John P. Kotter, Leading Change, 1996 Ph.D. Sept. 29,2013

Source:  UAB ASEM EGR 610 Presentation, Dr. Martha W. Bidez, Ph.D. Sept. 29,2013

Develop a PtD safety committee, which includes a supervisor having authority to make decisions, engineers, maintenance workers, operators, consultants, experienced workers, etc. 

Retrieved  photo from the internet: http://www.salesbenchmarkindex.com/bid/85664/4‐Meetings‐You‐Need‐to‐Keep‐Sales‐Cadence , 2/2/14.

Zero risk levels are not attainable

The necessity to give designers and safety professionals a practicable and workable definition as a goalLearn to manage the residual risk

Source:  UAB ASEM EGR 610 Presentation, Dr. Martha W. Bidez, Ph.D. Sept. 29,2013.

Source:  UAB ASEM EGR 610 Presentation, Dr. Martha W. Bidez, Ph.D.. Sept. 29,2013.

STAMP(System‐Theoretic Accident Model and Processes)

A new, more powerful accident causation model Based on systems theory, not reliability theory Treats accidents as a dynamic control problem (vs. a failure problem)Includes:Entire socio‐technical system (not just technical part)Component interaction accidentsSoftware and system design errorsHuman errors

Leveson, STPA/STAMP Workshop, 2013

Drifting  into  failure  is  a  slow,  incremental  process…

“Drifting into failure is a gradual, incremental decline into disaster driven by environmental pressure, unruly technology and social processes that normalize growing risk. No organization is exempt from drifting into failure. The reason is that routes to failure trace through the structures, processes and tasks that are necessary to make an organization successful. Failure does not come from the occasional, abnormal dysfunction or breakdown of these structures, processes and tasks, but is an inevitable by‐product of their normal functioning. The same characteristics that guarantee the fulfillment of the organization’s mandate will turn out to be responsible for undermining that mandate” (Dekker, 2011, Drift into Failure, Preface).

Source: Erik Hollnagel, 2014, Presentation at the National Museum of Finland, Helsinki, From zero tolerance to resilience?

Safety‐ITraditional:Make fewer things go wrong to improve safetyMeasuring performance by the absence of safety

Safety‐IIContemporary:Make more things go right to improve safetyMeasuring performance by the presence of safety

(Hollnagel, 2014)

• Cognitive Systems Engineering (with David D Woods)• CREAM (Cognitive Reliability and Error Analysis Method)• GMTA (Goals‐Means Task Analysis)• COCOM (Contextual Control Model)• ECOM (Extended Control Model)• Resilience Engineering (with David Woods and others)• The ETTO Principle• FRAM (the Functional Resonance Analysis Method)• RAG (the Resilience Analysis Grid)• Resilient Health Care Net• Safety‐I and Safety‐II

• Resilience engineering is a paradigm for safety management that focuses on how to help people cope with complexity under pressure to achieve success. A resilient organization treats safety as a core value, not a commodity that can be counted. Indeed, safety shows itself only by the events that do not happen! Rather than view past success as a reason to ramp down investments, such organizations continue to invest in anticipating the changing potential for failure because they appreciate that their knowledge of the gaps is imperfect and that their environment constantly changes. One measure of resilience is therefore the ability to create foresight – to anticipate the changing shape of risk, before failure and harm occurs (Woods, 2005a).

• When research escapes from hindsight and from trying merely to explain what has happened, studies reveal the sources of resilience that usually allow people to produce success when failure threatens (Woods, 2005).

Develop a nationally recognized sociotechnical model for an operation risk management system, one which prevents serious injury and fatalities.

“A sociotechnical system stresses the holistic, interdependent, integrated and inseparable relationship between humans and machines and fosters the shaping of both the technical and the social conditions of work in such a way that both the output goal of the system and the needs of [workers] are accommodated” (Manuele, 2013).