2 | Loss Prevention Bulletin 270 December 2019

Safety practice

The imperfections of accident analysis

Erik Hollnagel and Fiona Macleod
may be significant time and public (political) pressure. The
Summary depth of analysis is often limited by available resources
Determining the cause of an accident is a psychological and by deadlines. And the investigation often looks for
(social) rather than logical (rational) process and can never be liabilities, people and organisations to blame and punish,
completely free of bias. and then accept these as causes.
If your only tool is hammer, then everything looks like
Keywords: Accident investigation, Safety–II, ETTO,
a nail1.
resilience engineering, WAI-WAD, Work-as-imagined, Work-
as-done, cognitive bias
Discussion
Introduction WAI (Work As Imagined) vs WAD (Work As Done)
Most accident analyses assume that it is possible to reason The design, management, and analysis of work tacitly assumes
backwards in time from effect(s) to cause(s) in order to implement that we know how things are done or should be done. The
specific remedial actions and learn the relevant lessons.
planning and management of work assumes that compliance with
The simplicity of this way of thinking has made it attractive, but procedures, rules, and guidelines is sufficient to guarantee safety.
it leads to a false sense of comfort; the real world of work is too The purpose of accident investigations is to understand why the
complex for such simple methods to work. outcome of a series of actions led to an unacceptable adverse
This paper presents four concepts that help us understand why event.
simple solutions are insufficient, hence why accidents recur. In reality, only in very special cases is real work completely
• WAI-WAD – Work As Imagined vs Work As Done regular or orderly and perfectly described by rules. In fact “Work
The ideas about how work should take place may be far to rule” has been used in the past as a form of industrial action,
removed from how work actually takes place. Few tasks are where employees precisely follow all written regulations to the
performed in isolation and there is no giant rule book that letter in order to cause a slowdown and decrease in productivity.
covers all the interfaces and interactions. Work-as-done (WAD) will always be different from work-as-
imagined (WAI) because it is impossible to know in advance what
• ETTO – Efficiency Thoroughness Trade Off
the actual conditions of work will be, not least the demands and
People, individually as well as in groups, are required to
resources at the time. In general, it is inadvisable to assume that
balance the time and resources spent on preparing to do
compliance guarantees safety.
something against the time and resources spent on doing
it. In order to carry out work, it is necessary continuously In real work, people face a variety of difficulties, complexities,
to make compromises based on the information, time and dilemmas and trade-offs and are called on to achieve multiple,
resources available in the real world. often conflicting, goals. Safety is created at the sharp end as
practitioners interact with the hazardous processes inherent in
• M&M – Methods-and-Models their field of activity in the face of the multiple demands and
Accident analysis is usually based on pre-defined models using the available tools and resources2.It is practically impossible
— from falling dominos to slices of swiss cheese to the to provide guidelines or instructions that are detailed enough
abstraction hierarchy behind STAMP (Systems – Theoretic to be followed “mechanically”. How work is actually done, how
Accident Model and Process). These models directly or everyday performance is balanced and why things go right is a
indirectly provide the rationale for the methods, but are prerequisite for understanding what has or could go wrong.
rarely visible or explicitly recognised. They are usually Many things go well without being right in a more normative
also linear and based on simple causality: one thing sense. There are degrees to “how well” something may go, and it
causes another. But modern process plants are complex, is precisely this grey zone that is essential in the understanding of
interlocking, intractable systems, designed and run by work.
people — socio-technical rather than pure technical The reason why everyday performance in most cases goes well
systems. Linear models are no longer adequate, nor is is that people — and organisations — know or have learned to
causal reasoning sufficient. adjust what they do to match the actual conditions, resources,
• WYLFIWYF – What You Look For Is What You Find and constraints — for instance by trading off efficiency and
Even though those in charge often promise “to leave no thoroughness (ETTO)3. The adjustments are ubiquitous and
stone unturned” when accidents are investigated, there generally useful. But the very reasons that make them necessary
are many factors that may constrain an investigation. There also means that they will be approximate rather than precise.

© Institution of Chemical Engineers

0260-9576/19/$17.63 + 0.00
 Loss Prevention Bulletin 270 December 2019 | 3

Approximate adjustments are the reason why tasks usually go conscious, but rather a result of habit, social norms, experience
well, and things go right, but by the same token also the reason and established practice. For organisations, it is more likely to
why tasks occasionally end badly and things go wrong be the result of a direct consideration — although this choice
The conditions under which work takes place always are in itself will also be subject to the ETTO principle.
underspecified, hence with limited predictability. There will Thoroughness here is defined as planning the activity to the
always be some variability in the environment, hence unexpected point that it is carried out only if the necessary and sufficient
conditions and situations. conditions exist so that it will achieve its objective and not
Things do not generally go wrong because of outright failures, create any unwanted side-effects. These conditions comprise
mistakes, or violations. They rather go wrong because the time, information, materials, energy, competence, tools, etc.
variability of everyday performance aggregates in an unexpected A perfect operation for one system (extended shift
manner. handover) often conflicts with what is safe for another (worker
fatigue).
WAI vs WAD – Victoria Hall In Blink4, Malcolm Gladwell praises “thin-slicing”: the human
ability to use limited information from a very narrow period of
In 1883 190 children died in the Victoria Hall in Sunderland,
experience to reach a conclusion. He contends that sometimes
England when the planned distribution of presents at the end having too much information can interfere with the accuracy of
of a show led to a stampede and the crushing and trampling a judgment (analysis paralysis). Intuitive judgment is developed
of children by others. by experience, training, and knowledge. This “efficient” mode
Lessons from disaster – How organisations have no memory and of operation is not without risk.
accidents recur p137 – Trevor Kletz In Thinking Fast and Slow5, Daniel Kahneman contrasts two
modes of thought: “System 1” is fast, instinctive and emotional;
“System 2” is slower, more deliberative, and more logical. From
WAI vs WAD – Piper Alpha No1 framing choices to people’s tendency to replace a difficult
question with one which is easy to answer, the book highlights
The permit to work procedure for Occidental North Sea Oil the pitfalls of associating new information with existing
Rig, Piper Alpha, in Scotland had many flaws which made it patterns and demonstrates the need for rational, statistical
impossible to follow as written. In 1988 the recommissioning analysis or “thoroughness”.
of a pump still under maintenance caused a fire and explosion
In everyday life, individuals switch effortlessly between
which led to the death of 165 men.
different modes of thinking: System 1-Efficient-Fast and
The failure in the operation of the permit to work system was System 2-Thorough-Slow. We all know that the perfect
not an isolated mistake. There were a number of respects decision made too late is worse than an adequate decision

knowledge and
competence
in which the laid down procedure was not adhered to and made on time. It is only with hindsight that we tend to point the
unsafe practices were followed. One particular danger, which finger of blame.
was relevant to the disaster, was the need to prevent the The ETTO fallacy is that people are required to be both
inadvertent or unauthorised recommissioning of equipment efficient and thorough at the same time — or rather to be
which was still under maintenance and not in a state in which thorough when with hindsight it was wrong to be efficient.
it could safely be put into service. The evidence also indicated
dissatisfaction with the standard of information which was
communicated at shift handover. ETTO – a clash of priorities
A supervisor issued a permit for hot work to construct a new
The Public enquiry into the Piper Alpha Disaster – Lord Cullen
pipeline in a trench. Busy on a plant some distance away, a

systems and
request came for a second permit to remove a slip plate to

procedures
ETTO — Efficiency Thoroughness Trade Off complete the emptying of the connecting line, he judged
the distance between jobs to be safe and did not visit the
People — from regulators to financiers to designers to construction site again before issuing the second permit.
operators — and the organisations they work for, must make Rain had left pools of water in the trench. Removal of the
regular trade-offs between the resources they spend on slip plate released a few litres of liquid hydrocarbon into the
preparing to do something and the resources they spend trench, which spread over the surface of the water and was
on doing it. The trade-off may favour thoroughness over ignited by the hot work 20m away, killing the man splitting
efficiency if safety and quality are the dominant concerns, or the pipe.
efficiency over thoroughness if throughput and output are the
dominant concerns. The ETTO principle states that while no Lessons from disaster – How organisations have no memory and
human factors

accidents recur p131 – Trevor Kletz

activity can expect to succeed without a minimum of either, it is
not possible to maximise both efficiency and thoroughness at Everyone makes daily compromises based on the information,
the same time. time and resources available in the real world. The supervisor
Efficiency here is defined as keeping the resources used to may have made the wrong judgment in prioritising the
achieve a stated objective as low as possible. The resources process over the inspection of the job site, but in the real
may be expressed in terms of time, materials, money, world we constantly ask people to juggle multiple priorities.
psychological effort (workload), physical effort (fatigue), Adding more people is not always a solution as we still need
manpower (number of people), etc. For individuals, the an overall co-ordinator who understands linked activities.
decision about how much effort to spend is usually not

© Institution of Chemical Engineers

0260-9576/19/$17.63 + 0.00
4 | Loss Prevention Bulletin 270 December 2019

observations. Furthermore, the human mind generally does not

ETTO – Piper Alpha No 2 account for the role of chance and therefore falsely assumes
On Piper Alpha, maintenance supervisors were supposed to that a future event will mirror a past event.
visit open jobs and discuss status face-to-face with operations The activities of modern organisations are so intertwined
at the end of the shift. However, this meeting clashed with and complex that they can never be perfectly specified or fully
shift handover between operating crews which took priority. controlled. Statistical process control allows us to understand
the variability in technical systems, monitor trends and set
When Performing Authorities returned permits to the
acceptable limits. Should accidents, then, be treated as
Control Room shortly before the end of the day-shift they
normal and due to common causes rather than exceptional
would sign off all copies of the permit and leave them on
occurrences due to assignable causes? If performance is
the desk of the lead production operator for his subsequent
variable does it mean that outcomes cannot be deterministic
attention. This was contrary to Occidental procedure which
but must be probabilistic?
required the Performing Authority and the Designated
Authority to meet. This deficient practice had developed
because the lead production operators were engaged in M&M – Human error
their handover at this time. “Saying that an accident is due to human failing is about as
The Public enquiry into the Piper Alpha Disaster p192 – Lord Cullen helpful as saying a fall is due to gravity.”
Individual operating procedures are often written as if the An engineer’s view of human error p3 – Trevor Kletz
people with defined roles have no other responsibilities or
infinite time.
M&M – Design compromise
M&M – Methods-and-Models All design “…is the product of arbitrary choice. If you vary the
terms of your compromise — say more speed…lower cost,
Human beings have a basic need to feel safe, to feel that then you vary the … thing designed. It is quite impossible for
nothing can harm them physically, economically, or in other any design to be “the logical outcome of the requirements”
ways6. Because accidents take us by surprise, they are simply because the requirements being in conflict, their
psychologically unpleasant. When something unexpected logical outcome is an impossibility.”
and unpleasant happens, we therefore need to restore our
David Pye quoted in “To engineer is Human – The Role of Failure in
feeling of safety. Finding a cause has a practical value, because Successful Design – Henry Petroski. 1985”
knowledge of the cause is seen as necessary to prevent
a repeat accident. Finding a cause also has psychological
value because it relieves us from the anxiety that follows the
unknown. M&M – Accident Investigation methods
The philosopher, Friedrich Nietzsche, wrote that to “to trace The new CCPS Guidelines for investigating process safety
something unfamiliar back to something familiar is at once a accidents sets out six steps for investigating process safety
relief, a comfort and a satisfaction, while it also produces a accidents, incidents and near misses.
feeling of power. The unfamiliar involves danger, anxiety and “Investigations into catastrophic events have revealed
care — the fundamental instinct is to get rid of these painful something of major significance — the key to preventing
circumstances. First principle — any explanation is better than disasters first lies in recognising leading indicators… By
none at all.”7 examining abnormal/upset operations, near misses and lower-
A cause is the identification, after the fact, of a limited set consequence higher frequency occurrences, companies may
of aspects of the situation that are seen as the necessary and identify deficiencies that, if left uncorrected, could eventually
sufficient conditions for the effect(s) to have occurred. We can result in serious or even catastrophic events.”
therefore feel safe if we can find an acceptable explanation for Guidelines for investigating process safety accidents CCPS AIChemE
the unexpected.
As described by the causality credo8, if outcomes can be
understood in terms of cause-effect relations, then: WYLFIWYF – What you look for, is what you find
• an accident happens because something has failed or
malfunctioned Age of safety management
• the causes of the failures or malfunctions can be found if
Age of human factors
enough evidence is collected
• once the causes have been found, they can be eliminated, Age of technology
encapsulated, or otherwise neutralised
• since all accidents have causes, and since all causes can be 1850 1900 1950 2000

found, it follows that all accidents can be prevented.

And we can be safe by ensuring that nothing goes wrong. But The assumptions about the possible causes (What-You-Look-For)
is that possible? will, to a large extent, determine what lessons are learned (What-
According to Kahneman5, humans often fail to take You-Find). These assumptions are sometimes explicit but, in many
complexity into account. Their understanding of the world cases, they are implicit to the investigating methods used.
consists of a small and necessarily unrepresentative set of We can see how these assumptions change over time.

© Institution of Chemical Engineers

0260-9576/19/$17.63 + 0.00
 Loss Prevention Bulletin 270 December 2019 | 5

• Age of technology — things go wrong because • Age of human factors — things go wrong because of
technology fails: human factors:
– Accidents are the (natural) culmination of a series of – Accidents result from a combination of active failures
events or circumstances, which occur in a specific and (unsafe acts) and latent conditions (hazards) due to
recognisable order due to component failures (technical, degradation of components (organisational, human,
human, organisational). technical).
– Accidents are prevented by finding and eliminating – Accidents are prevented by strengthening barriers and
possible causes. Safety is ensured by improving the defences. Safety is ensured by measuring/sampling
organisation’s ability to respond. performance indicators.
• Age of safety management — things go wrong because
organisations fail:
WYLFIWYF – Bhopal
– Accidents result from failures of leadership.
In 1984 thousands of people died and over 500,000 were
injured as a result of a release of toxic gas from a pesticide
plant in Bhopal, India. WYLFIWYF – Chernobyl
Union Carbide, part owners of the Indian plant, maintained
The first investigation into the 1986 Chernobyl accident put
that the only possible explanation was sabotage.
the blame squarely on the shift operators who over-rode safety
The tendency of plant workers to omit facts or distort
features, despite the fact that they were ordered by senior
evidence was also clearly evident after the Bhopal incident,
management to carry out a “safety” test outside of the safe
making the collection of evidence a time-consuming process.
operating envelope of the nuclear reactor.
In investigating any incident in which facts seem to have been
“the accident was caused by a remarkable range of human
omitted or distorted, it is necessary to examine the motives
errors and violations of operating rules in combination with
of those involved. The story that had been initially told by
specific reactor features which compounded and amplified the
the workers was a preferable one from their perspective,
effects of the errors and led to the reactivity excursion.”
because it exonerated everyone, except perhaps the
“The operators deliberately and in violation of rules
supervisor. According to this version, the reaction happened
withdrew most control and safety rods from the core and
instantaneously; there was no time to take preventive or
switched off some important safety systems.”
remedial measures, and there was no known cause. Without a
INSAG-1 1986 Summary Report on the Post-Accident Review Meeting
cause, no blame could be established. on the Chernobyl Accident of the International Atomic Energy Agency’s
Investigation of Large Magnitude Incidents : Bhopal as a case study (IAEA’s) International Nuclear Safety Advisory Group
Ashok. S Kalelkar, Arthur D Little 1998 By 1992, the contribution of the RMBK design and the Man
Although it was not known at the time, the gas was formed Machine Interface was recognised.
when a disgruntled plant employee, apparently bent on “the contributions of particular design features, including
spoiling a batch of methyl isocyanate, added water to a the design of the control rods and safety systems, and
storage tank. The water caused a reaction that built up heat arrangements for presenting important safety information
and pressure in the tank, quickly transforming the chemical to the operators. The accident is now seen to have been
compound into a lethal gas that escaped into the cool night air. the result of the concurrence of the following major factors:
Jackson Browning Report 1993 accessed via Union Carbide website specific physical characteristics of the reactor; specific design
http://www.bhopal.com/Cause-of-Bhopal-Tragedy
features of the reactor control elements; and the fact that the
Examining the motives behind these reports is an excellent reactor was brought to a state not specified by procedures or
idea. Blaming a single worker for the disaster hardly investigated by an independent safety body. Most importantly,
exonerates the operating company, which has an absolute the physical characteristics of the reactor made possible its
duty to manage its workforce and prevent harm to them and unstable behaviour.”
the surrounding community. INSAG-7 1992 The Chernobyl Accident: Updating of INSAG-1,
Of the four possible initiating events of the 1984 tragedy*, And what of outside pressures - economic and political?
worker sabotage remains unproven and the least likely. “After I had visited Chernobyl NPP I came to the conclusion
A more probable initiating event relates to the use of that the accident was the inevitable apotheosis of the
nitrogen to make pressure transfers of hazardous liquids after economic system which had been developed in the USSR
pump seals failed — a significant deviation from design with a over many decades. Neglect by the scientific management
chain of knock-on consequences**. and the designers was everywhere with no attention being
Regardless of the initiating event, the process safety paid to the condition of instruments or of equipment... When
emergency systems designed to prevent or mitigate loss of one considers the chain of events leading up to the Chernobyl
containment should never have been removed from service accident, why one person behaved in such a way and why
and the management of a facility running down to closure another person behaved in another etc, it is impossible to find
should be fully aware of, and in control of the hazards. a single culprit, a single initiator of events, because it was like a
*Macleod – Impressions of Bhopal - LPB Bhopal special Issue 240 closed circle.”
December 2004 Testament – Valery Legasov, - 1988, leader of the Soviet delegation to
** Bloch. Jung – Understanding the Impact of Unreliable Machinery – the IAEA Post-Accident Review Meeting, who committed suicide on the
LPB Bhopal special Issue 240 December 2004 second anniversary of the accident.

© Institution of Chemical Engineers

0260-9576/19/$17.63 + 0.00
6 | Loss Prevention Bulletin 270 December 2019

– Accidents are prevented by strengthening safety systems when these things are already required by law?
management systems and by improving safety culture Experience tells us that organisations do not learn, only
individuals do11.
Accident analysis is ruled by the law of reverse causality. Just as
And this is the reason accident investigations are worthwhile,
the law of causality states that every cause has an effect, the law of
to remind us of the human cost when things go catastrophically
reverse causality states that every effect has a cause. Is it logically
wrong. It is the image of a people jumping into the sea as the
possible to reason backwards in time from the effect to the cause?
offshore oil rig burns behind them12, the parent scrabbling in
Or does this require a deterministic world that does not really exist.
the grave of a child to take a last look at her face13. These are the
Alternative, non-linear accident models9 propose that:
things that remind us of the hazards we deal with every day. It is
• Accidents result from unexpected combinations (resonance) the recognition that the small part each of us play can, if neglected,
of normal variability in everyday performance. lead to terrible consequences. It is the reminder of the relationship
• Accidents are prevented by monitoring everyday performance between the flap of a butterfly’s wing and a tornado14. It is the
(what goes right) and damping variability. sense of chronic unease15 that makes us do our routine jobs with
• Safety is constant vigilance and unease, the imagination to care and attention, as if our lives, and those of our colleagues,
anticipate future events. depended on it.
As indeed they do.
Non-linear accident models go beyond simple cause-effect and
Accident investigations chronicle the stories that give us pause.
focus as much on what goes well as what goes badly. Socio-
technical systems learn how to adjust in order to absorb everyday References
variability based on experience. Without such adjustments,
systems would not work at all. 1. Maslow, A. H. (1966), The Psychology of Science: A
Accidents, and the human actions which are seen as causing Reconnaissance by Abraham H. Maslow, Published by Harper
them, can never be fully understood in isolation, in hindsight. & Row, US.
There are no simple “truths” or discreet causes to be found, and 2. Woods, D. & Cook, R. (2002). Nine Steps to Move Forward
therefore no simple way of learning from accident investigations. from Error. Cognition, Technology & Work. 4. 137-144.
Any lesson learned is limited by the assumptions on which the 3. Hollnagel, E. (2009). The ETTO Principle: Why things that go
investigation is based. right sometimes go wrong. Published by Ashgate Publishing
Even very advanced methods are subject to the pressures of Limited, UK
work and all issues may not be examined with equal thoroughness, 4. Gladwell, M. (2005). Blink: The Power of Thinking Without
and not all remedial actions implemented with the same Thinking, Published by Back Bay Books, US.
enthusiasm. Some of these performance shaping factors may be 5. Kahneman, D. (2011). Thinking, Fast and Slow, Published by
systemic, resulting in investigation “blind spots”10. Farrar, Straus and Giroux, US.
6. Maslow, A. H. (1943). “A theory of human motivation”.
Conclusion Psychological Review. 50 (4): 370–396.
7. Nietzsche, F. (2007; org. 1895). Twilight of the Idols. Published
Can accident investigations be free from bias? by Wordsworth Editions, UK.
No – So long as one group of people investigate the actions 8. Hollnagel, E. (2014). Safety-I and Safety-II: The Past and
of another group of people, there will always be bias, Future of Safety Management.Published by CRC Press, US.
conscious or unconscious. The best we can hope for is that the 9. Hollnagel, E. (2012). FRAM - The Functional Resonance
composition of the inquiry panel and the terms of reference are Analysis Method: Modelling Complex Socio-technical
designed to minimise bias when interpreting the findings and Systems. Published by Ashgate Publishing Limited, UK.
recommendations. 10. Lundberg, J. & Josefsson, B. (2019). A Pragmatic Approach
to Uncover Blind Spots in Accident Investigation in Ultra-safe
Are accident investigations worthwhile?
Organizations - A Case Study from Air Traffic Management.
Yes – So long as our primary focus is on accident prevention 11. Kletz, T., (1993). Lessons from Disaster: How Organizations
(ensuring things go well) and we recognise the limitations of any Have No Memory and Accidents Recur Hardcover. Published
retrospective investigation after something goes wrong, accident by IChemE, UK.
investigations will always be worthwhile. 12. IChemE (2018). Piper Alpha special edition, Loss Prevention
• as a response to social and psychological needs, helping those Bulletin, Issue 261.
affected understand the sequence of events that led up to the 13. IChemE (2014). Bhopal special edition, Loss Prevention
accident. Bulletin, Issue 240.
• as a requirement of most legal systems before prosecution of 14. Lorenz, Edward N. (March 1963). Deterministic Nonperiodic
individuals or organisations. Flow. Journal of the Atmospheric Sciences. 20 (2): 130–141.
• as a catalyst for changing regulatory framework or laws 15. HSE (2013). Process Safety – focusing on what really matters
• keeping a memorable image or story alive – leadership! Judith Hackitt, Speech given at Mary Kay
O’Connor Process Safety Center symposium, Texas A&M
Can we learn from accident investigations?
University in College Station, Texas, USA,
Yes – How effective are the imprecations to improve safety Tuesday 22nd October 2013. http://www.hse.gov.uk/
culture, or tighten up on management of change or permit to work aboutus/speeches/transcripts/hackitt221013.htm

© Institution of Chemical Engineers

0260-9576/19/$17.63 + 0.00