The error of our ways
28 September 2001
In every industry many accidents are said to be due to human error or human failing. While this may be true it is about as helpful as saying that falls are due to gravity.
It is difficult for engineers to change human nature. Instead of trying to persuade people not to make errors, we should accept people as we find them and try to remove opportunities for error by changing the work situation – that is, the plant or equipment design or the method of working.
To say that accidents are due to human failing is not so much untrue as unhelpful, for three reasons:
• First, every accident is due to human error: someone, usually a manager, has to decide what to do; someone, usually a designer, has to decide how to do it; and someone, usually an operator, has to do it. All of them can make errors but the operator is at the end of the chain and often gets all the blame.
• Second, saying an accident is due to human error does not lead to constructive action. It merely tempts us to tell someone to be more careful. But no one is deliberately careless; telling people to take more care will not prevent an accident happening again. It merely diverts attention away from those changes in design or methods of working that can prevent the accident happening again.
• Third, the phrase “human error” groups together the following different sorts of failure that require quite different actions to prevent them happening again.
Many errors are due to a slip or a momentary lapse of attention. Training cannot prevent them as people know what to do and intend to do it but it just slips their mind, especially if they are distracted or under stress. The only way to prevent these accidents is to remove or reduce opportunities for error by changing designs or methods of working.
Some errors, usually called mistakes, occur because someone does not know what to do. The intention is wrong. The obvious method of prevention is to improve training or instructions but before doing so we should see if the task can be simplified.
The accident at Three Mile Island in 1979 had many causes and many lessons can be drawn from it, but some of the most important ones are concerned with the human factors. In particular, the training the operators received had not equipped them to deal with the events that occurred.
Other errors occur because someone knows what to do but decides not to do it. They are usually called violations or non-compliances. To prevent them we have to persuade people to follow instructions and accepted good practice, as we do not live in a society in which people will follow them unthinkingly. If the task is difficult we should see if it can be made simpler. While people sometimes break the rules in order to make the task easier, very often they genuinely believe that a departure from the rules, or the usual practice, is justified. In fact, if the rules are wrong, violations can prevent an accident. Also, there is a fuzzy border between violations and initiative: what is called a violation if it fails may be praised as initiative if it succeeds.
Finally, a few errors (mismatches) occur because the task is beyond the physical or mental ability of the person asked to do it, in many cases beyond anyone’s ability. The best method of prevention is to change the design or method of working though sometimes someone else may have to be asked to carry out the task.
Note that managers and designers usually have time to check their work and discover any slips and lapses of attention they may have had but they can and do make the other sorts of error.
The Table below summarises the four sorts of error and the actions needed to prevent them happening again. There are other ways of classifying accidents but this one points us towards the actions needed to prevent them.
Browsing through old ICI files I came across a report dating from the late 1920s in which one of the company’s first safety officers announced a new discovery: after reading many accident reports he had realised that most accidents are due to human failing. The remedy was obvious. We must persuade people to take more care.
Since then people have been exhorted to do just this, and this policy has been supported by tables of accident statistics from many companies which show that over 50%, sometimes as many as 90%, of industrial accidents are due to human failing, meaning by that the failing of the injured man or a fellow-worker. (Managers and designers, it seems, are not human or do not fail.) This is comforting for managers. It implies that there is little or nothing they can do to stop most accidents.
People should not be blamed for behaving as most people would behave. If we consider separately the various types of human error summarised in the Table, there is no place for blaming the operator if the error is due to a slip or lapse of attention, to lack of training or instructions or to lack of ability. (Sometimes the employer could have provided a better system of work, or better training or instructions, or employed a more competent person; but before we blame the employer we should ask if he or she had been adequately trained.) Blame is relevant only when the person concerned has a choice. Even here, the violation may have occurred because the rules were not clear, or the reasons for them had not been explained, or someone turned a blind eye when they were broken in the past.
Even if blame is justified it may not be wise, as it may result in people being less forthcoming during future investigations and make it harder for us to find out what happened. Of course, if someone makes repeated errors, more than a normal person would make, or shows that he is incapable of understanding what he is required to do, or is unwilling to do it, then he may have to be moved.
Sometimes people are blamed because those in charge wish to deflect criticism from themselves on to a scapegoat. People may be blamed for a momentary slip or lapse of attention because a manager, perhaps unconsciously, wishes to divert attention from his own failure to provide a safe plant or system of work. In my experience, managers in the process industries, at least in the larger companies, do not often do this. After an accident they are usually willing to stand in a white sheet and admit that they might have done more to prevent it.
The same is not true for all industries. In 1976 a mid-air collision in Yugoslavia killed 176 people. The air traffic controllers were overworked and the control equipment was poor. One controller went to look for his relief, who was late, leaving his assistant alone for eight minutes. The assistant made a slip which led to the accident. All the controllers on duty were arrested, eight were tried and the overworked assistant was sentenced to seven years’ imprisonment. Following widespread protests he was released after two years.
Many years ago, when I was a manager, not a safety adviser, I looked through a bunch of accident reports and realised that most of the accidents could be prevented by better management – sometimes by better design or method of working, sometimes by better training or instructions, sometimes by better enforcement of the instructions.
Together these may be called changing the work situation. There was, of course, an element of human failing in the accidents. They would not have occurred if someone had not forgotten to close a valve, had looked where he was going, or had not taken a short-cut. But what chance do we have, without management action of some sort, of persuading people not to do these things?
Designing for safety
Everybody makes mistakes or slips and has lapses of attention from time to time and sometimes they result in accidents. Plants should be designed and operated so that these foreseeable errors do not result in accidents.
Designers make errors for all the reasons that other people make errors: a lapse of attention, ignorance, lack of ability, a deliberate decision not to follow a code. As already mentioned, unlike operators they usually have time to check their work, so slips and lapses of attention are frequently detected before the design is complete. Just as we try to prevent some accidents by changing the work situation, so we should try to prevent other accidents by changing the design situation – that is, we should try to find ways of changing the design process so as to produce better designs.
Surveys have shown that most safety advisers are now familiar with the concept of inherently safer design – avoiding hazards rather than controlling them with protective equipment or procedures. While most designers are aware of the concept they have a poor understanding of its scope and benefits. Most senior managers are unaware. Inherently safer designs require a major change in the design process, more time to consider alternatives in the early stages of design, and therefore they will not become widespread until senior managers become more aware and actively encourage their use.
To achieve inherently safer designs we need to consider alternatives systematically during the early stages of design. Very often safety studies do not take place until late in design when all we can do is control hazards by adding on additional protective equipment or procedures. Such a change will not come about unless senior managers actively encourage it.
The same applies to safety management systems and specific procedures such as those for controlling modifications and preparing equipment for maintenance.
There has been an explosion of interest in safety management systems in recent years and no topic is more popular at conferences. Some recent incidents have left me with an uneasy feeling that some managers believe that a good safety management system is all they need for safe performance. All it can do, however, is ensure that people’s knowledge and experience are applied systematically and thus reduce the chance that something is missed. If the staff lack knowledge and experience then the system is an empty shell. People will go through the motions but the output will be poor. This is a particular danger at the present time when companies are reducing manning and the over-fifties are looked upon as expenses to be eliminated rather than assets in which thirty years’ salary has been invested. Senior managers should systematically assess the levels of knowledge and experience needed and ensure that they are maintained.
Psychologists (and others) often say that we have reached the limit of what can be done by changes in design to make plants safer and we now need to concentrate on changing behaviour. This is not true. The best companies may be near the limit of what can be done by adding on protective equipment but the potentialities of inherently safer designs have still to be grasped.
The Sellafield leak
A cause célèbre in 1984 was a leak of radioactive material into the sea from the BNFL plant at Sellafield. It was the subject of two official reports which agreed that the discharge was due to an operating error, though it is not entirely clear whether the error was due to a lack of communication between shifts, poor training or wrong judgement. However, both official reports failed to point out that the leak was the result of a simple design error that would have been detected by a hazard and operability study, if one had been carried out.
As a result of an operating error some material which was not suitable for discharge to sea was moved to the sea tanks (see Figure). This should not have mattered as BNFL thought they had “second chance” design, the ability to pump material back from the sea tanks to the plant. The return line was 2 inches diameter, the sea line was 10 inches diameter. Solids settled out in the part of the sea line used for the return flow, as the linear flow rate was low, and were later washed out to sea. The design looks as if it might have been the result of a modification. Whether it was or not, it is the sort of design error that would be picked up by a hazard and operability study.
The authors of the official reports seem to have made the common mistake of looking for culprits instead of looking for ways of changing the work situation, in this case by improving the design process.
In case anyone is tempted by motivational appeals, perhaps I should say that little or no improvement will result from generalised exhortations to people to work safely, follow the rules, be responsible or otherwise avoid sin. As managers, dealing with large numbers of people, we should expect them to behave like average people – forgetting a few things, making a few mistakes, taking a few short cuts, following custom and practice, even indulging in a little petty crime when the temptation is great – not to a great extent but doing so to the extent that experience shows people have done in the past. Changing people, if it can be done at all, is a slow business compared with the timescale of plant design and operation. So let us proceed on the assumption that people will behave much as they have done in the past.
If output, costs, efficiency or product quality require attention, senior managers identify the problems, agree actions and ask for regular reports on progress. This approach is rarely seen where safety is concerned. Although senior managers repeatedly say that safety is important, they rarely show the level of detailed interest that they devote to other problem areas.
If safety standards fall, it may be a long time before a serious accident occurs. The fall in standards is hidden or latent. This may be one reason why safety is given insufficient detailed attention and instead exhortation to work safely replaces consideration of the real problems.
Accidents can be prevented by better management. All my recommendations call for action by managers. While we would like individual workers to take more care, and to pay more attention to the rules, we should try to design our plants and methods of working so as to remove or reduce opportunities for error. And if individual workers do take more care it will be as a result of managerial initiatives – action to make them more aware of the hazards and more knowledgeable about ways to avoid them.
Exhortation to work safely is not an effective management action though behavioural safety training can produce substantial reductions in those accidents which are due to people not wearing the correct protective clothing, using the wrong tools for the job, leaving junk for others to trip over, and so on.
Why then do published accident statistics say that so many accidents — over 50% and sometimes 80 or 90% — are due to human failing?
There are several reasons:
• Accident reports are written by managers and it is easy to blame the other person.
• It is easier to tell a man to be careful than to modify the plant or method of working.
• It is true that accidents are due to human failing but it does not help us prevent them. We should list only those accident causes we can do something about.
• Sometimes there is a desire to find scapegoats.
So my counsel for managers is not one of comfort but one of challenge. You can prevent most accidents, not immediately, but in the long run, if you are prepared to make the effort.
Tables: Types of human error