Reason - Organizational Accidents Revisited

To Thomas Augustus Reason (18791958).
My grandfather to whom I owe much more than my existence.

JAMES REASON
Professor Emeritus, University of Manchester, UK

ASHGATE

First published 2015 by Ashgate Publishing

Published 2016 by Taylor & Francis

2 Park Square, Milton Park, Abingdon, Oxon OX14 4RN

711 Third Avenue, New York, NY 10017

Ashgate is an imprint of the Taylor & Francis Group, an informa business

James Reason 2016

All rights reserved. No part of this book may be reprinted or reproduced or utilised in any form or by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying and recording, or in any information storage or retrieval system, without permission in writing from the publishers.

James Reason has asserted his right under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.

www.ashgate.com

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library

The Library of Congress has cataloged the printed edition as follows:

A catalogue record for this book is available from the Library of Congress

ISBN: 9781472447654 (hbk)

ISBN: 9781472447685 (pbk)

ISBN: 9781472447661 (ebk-PDF)

ISBN: 9781472447678 (ebk-ePUB)

James Reason is Professor Emeritus of Psychology at the University of Manchester, England. He is consultant to numerous organizations throughout the world, sought after as a keynote speaker at international conferences and author of several renowned books including Human Error (CUP, 1990), Managing the Risks of Organizational Accidents (Ashgate, 1997), The Human Contribution (Ashgate, 2008) and A Life in Error (Ashgate, 2013).

The term organizational accidents (shortened here to orgax) was coined in the early 1990s and was developed in the Ashgate book published in 1997 entitled Managing the Risks of Organizational Accidents. Sales of the book indicate that many people may have read it it remains Ashgates all-time best-selling book on human performance. So the present book is not a revision, but a revisit. A lot has happened in the ensuing 18 years, my aim here is to update and extend the arguments presented in the first book to accommodate these developments. In short, this book is an addition rather than a replacement. And enough has happened in the interim to require a separate book.

Despite their huge diversity, each organizational accident has at least three common features: hazards, failed defences and losses (damage to people, assets and the environment). Of these, the most promising for effective prevention are the failed defences. Defences, barriers, safeguards and controls exist at many levels of the system and take a large variety of forms. But each defence serves one or more of the following functions:

to create understanding and awareness of the local hazards;

to give guidance on how to operate safely;

to provide alarms and warnings when danger is imminent;

to interpose barriers between the hazards and the potential losses;

to restore the system to a safe state after an event;

to contain and eliminate the hazards should they escape the barriers and controls;

to provide the means of escape and rescue should the defences fail catastrophically.

) to be reconsidered later.

Figure 1.1 The Swiss cheese model of accident causation

The gaps in the defences arise for two reasons active failures and latent conditions occurring either singly or in diabolical combinations. They are devilish because in some cases the trajectory of accident liability need only exist for a very short time, sometimes only a few seconds:

Active failures: these are unsafe acts errors and/or procedural violations on the part of those in direct contact with the system (sharp-enders). They can create weaknesses in or among the protective layers.

Latent conditions: in earlier versions of the Swiss cheese model (SCM), these gaps were attributed to latent failures. But there need be no failure involved, though there often is. A condition is not necessarily a cause, but something whose presence is necessary for a cause to have an effect like oxygen is a necessary condition for fire, though an ignition source is the direct cause.

Designers, builders, maintainers and managers unwittingly seed latent conditions into the system. These arise because it is impossible to foresee all possible event scenarios. Latent conditions act like resident pathogens that combine with local triggers to open up an event trajectory through the defences so that hazards come into harmful contact with people, assets or the environment. In order for this to happen, there needs to be a lining-up of the gaps and weaknesses creating a clear path through the defences. Such line-ups are a defining feature of orgax in which the contributing factors arise at many levels of the system the workplace, the organization and the regulatory environment and subsequently combine in often unforeseen and unforeseeable ways to allow the occurrence of an adverse event. In well-defended systems, such as commercial aircraft and nuclear power plants, such concatenations are very rare. This is not always the case in healthcare, where those in direct contact with patients are the last people to be able to thwart an accident sequence.

Latent conditions possess two important properties: first, their effects are usually longer lasting than those created by active failures; and, second, they are present within the system prior to an adverse event and can in theory at least be detected and repaired before they cause harm. As such, they represent a suitable target for safety management. But prior detection is no easy thing because it is very difficult to foresee all the subtle ways in which latent conditions can combine to produce an accident.

It is very rare for unsafe acts alone to cause such an accident where this appears to be the case, there is almost always a systemic causal history. An obvious domain where unsafe acts might be the sole factor is healthcare where the carer appears to be the last line of defence. Three healthcare case studies are among the 10 discussed below. In each, the unsafe actions of the immediate carers are shaped, even provoked, by systemic factors.

Promising candidates for close study are the generic organizational processes that exist in all systems regardless of domain designing, building, operating, managing, maintaining, scheduling, budgeting, communicating and the like.

This book extends and develops these ideas using case studies that have occurred in a variety of domains in the period that has passed since the 1997 book was written and published. These analyses provide the raw data for the process of drilling down into the underlying causal pathways. Many contributing latent conditions recur in a variety of domains. A number of these organizational issues, design, procedures and communications in particular are examined in detail in order to reveal likely problems before they combine to penetrate the defences-in-depth.