ACCIDENTS AND BARRIERS

Erik Hollnagel
Graduate School of Human-Machine Interaction
University of Linköping, LIU/IKP/HMI, S-581 83 Linköping, Sweden
eriho@ikp.liu.se
Abstract
This paper discusses the barrier concept starting from a basic distinction between barrier
functions, defined as the specific manner by which the barrier achieves its purpose, and
barrier systems, defined as the organisational and/or physical foundation for the barrier
function. Four different types are proposed, called material, functional, symbolic, and
immaterial barrier systems respectively. A basic distinction between barrier functions is
whether they are preventive or protective. This reflects whether the barrier function is
intended to work before the occurrence of an accident or after it has happened. It is
furthermore possible to describe a number of generic barrier functions, such as: containing,
restraining, keeping together, dissipating, preventing, hindering, regulating, indicating,
permitting, communicating, monitoring, and prescribing. There is no simple one-to-one
correspondence between barrier functions and barrier systems, nor between barrier functions
and their use as either preventive or protective barriers. The paper also introduces the specific
discussion of the retrospective and prospective use of barriers.
Keywords
Accidents, failures, barriers, prevention, design, organisations.
1. INTRODUCTION
Accidents are frequently characterised either in terms of the events and conditions that led to
the final outcome or in terms of the barriers that have failed. A barrier, in this sense, is an
obstacle, an obstruction, or a hindrance that may either (1) prevent an action from being
carried out or an event from taking place, or (2) prevent or lessen the impact of the
consequences, for instance by slowing down the uncontrolled release of matter and energy,
limiting the reach of the consequences or weakening them in other ways, cf. Figure 1. Barriers
are important for the understanding and prevention of accidents. Firstly, the very fact that an
accident has taken place means that one or more barriers have failed – i.e., that they did not
serve their purpose or that they were missing. Secondly, once the aetiology of an accident has
been determined and the causal pathways identified, barriers can be used as a means to
prevent that the same, or a similar, accident takes place in the future.
[Figure 1 (layout not reproduced): an initiating event (an incorrect action) leads, unless stopped, to an accident. Prevention (control barriers): active or passive barrier functions that prevent the initiating event from occurring. Protection (safety barriers, boundaries): active barrier functions that deflect consequences, and passive barrier functions that minimise consequences.]
Figure 1: Use of barriers.
The notion of a barrier can be considered both in relation to a method or a set of guidelines for
identifying barriers and in relation to a way of systematically describing or classifying
barriers. The two aspects are, of course, not independent, since the method for analysis
necessarily must refer to a classification scheme, regardless of whether the analysis is a
retroactive or a proactive one (Hollnagel, 1998). As a starting point, a barrier function can
be defined as the specific manner by which the barrier achieves its purpose, whereas a
barrier system can be defined as the substratum or foundation for the barrier function, i.e.,
the organisational and/or physical structure without which the barrier function could not be
accomplished. The use of the barrier concept should be based on a systematic description of
various types of barrier systems and barrier functions, for instance as a classification system.
This will help to identify specific barrier systems and barrier functions and to understand the
role of barriers, in either meaning, in the history of an accident.
Despite the importance of the barrier concept, the accident literature only contains a small
number of studies (Kecklund et al. 1996; Leveson, 1995; Svenson, 1991 & 1997; Taylor,
1998 and Trost & Nertney, 1985). The classifications proposed by these studies have been
quite diverse, partly because of the lack of a common conceptual background, and partly
because they have been developed for specific purposes within quite diverse fields. The most
successful attempt at developing a theory of barriers has been the work of Svenson (1991),
which was also the basis for the field studies of Kecklund et al. (1996).
2. DESCRIPTORS OF BARRIER SYSTEMS
An analytical description of barriers can be based on several different concepts, such as the
barriers’ origin, their purpose, their location, and their nature. Of these, only the concept of
the barrier nature is rich enough to support an extensive classification. The nature of barriers
is principally independent of their origin, their purpose (e.g., as preventive or protective), and
their location. By their nature barrier systems can range from physical hindrances (walls,
cages) to ethereal rules and laws. A classification of barrier systems can be based on the
following four main categories.
• Material barriers physically prevent an action from being carried out or the consequences
from spreading. Examples of material barriers are buildings, walls, fences, railings, bars,
cages, gates, etc. A material barrier presents an actual physical hindrance for the action or
event in question and although it may not prevent it under all circumstances, it will at least
slow it down or delay it. Furthermore, a material barrier does not have to be perceived or
interpreted by the acting agent in order to serve its purpose.
• Functional (active or dynamic) barriers work by impeding the action to be carried out,
for instance by establishing a logical or temporal interlock. A functional barrier effectively
sets up one or more pre-conditions that have to be met before something can happen. These
pre-conditions need not be interpreted by a human, but may be interrogated or sensed by
the system itself. Functional barriers are therefore not always visible or discernible,
although their presence often is indicated to the user in one way or another and may require
one or more actions to be overcome. A lock, for instance, is a functional barrier, whether it
is a physical lock that requires the use of a key or a logical lock that requires some kind of
password or identification.
• Symbolic barriers require an act of interpretation in order to achieve their purpose, hence
an “intelligent” agent that can react or respond to the barrier. Whereas a functional barrier
works by establishing an actual pre-condition that must be met by the system, or the user,
before further actions can be carried out, a symbolic barrier indicates a limitation on
performance that may be disregarded or neglected. Alternative terms may therefore be
conceptual or perceptual barriers. While the railing along a road is both a physical and a
symbolic barrier, the reflective posts or markers are only a symbolic barrier: they indicate
where the edge of the road is, but unlike the railing they are insufficient to prevent a car
from going off the road. All kinds of signs and signals are symbolic barriers, specifically
visual and auditory signals. The same goes for warnings (texts, symbols, sounds), interface
layout, information presented on the interface, visual demarcations, etc.
• Immaterial barriers are not physically present or represented in the situation, but depend
on the knowledge of the user to achieve their purpose. Immaterial barriers are usually also
represented in a physical form such as a book or a memorandum, but are normally not
physically present when their use is mandated. Typical immaterial barriers are: rules,
guidelines, restrictions, and laws. In industrial contexts, immaterial barriers are largely
synonymous with organisational barriers, i.e., rules for actions that are imposed by the
organisation, rather than being physically, functionally or symbolically present in the
system.
It is clearly possible to realise several barrier systems and functions in the same physical
artefact or object. For instance, a door may have on it a written warning and may require a
key to be opened. Here the door is a physical barrier system, the written warning is a symbolic
barrier system, and the lock requiring a key is a functional barrier system. It may, in fact, be
the rule rather than the exception that more than one type of barrier is combined, at least for
the first three categories.
3. A CLASSIFICATION OF BARRIERS
Table 1 presents a classification of the barriers known from the general literature. Each
barrier is described with regard to its system, i.e., one of the four main classes defined
above, and its function (or mode), i.e., the more specific nature of the barrier. The list of
barriers presented here is clearly not exhaustive, but hopefully sufficiently extensive to be of
some practical use.
Table 1: Barrier systems and barrier functions.

| Barrier system | Barrier function | Example |
|---|---|---|
| Material, physical | Containing or protecting. Physical obstacle, either to prevent transporting something from the present location (e.g., release) or into the present location (penetration). | Walls, doors, buildings, restricted physical access, railings, fences, filters, containers, tanks, valves, rectifiers, etc. |
| Material, physical | Restraining or preventing movement or transportation. | Safety belts, harnesses, fences, cages, restricted physical movements, spatial distance (gulfs, gaps), etc. |
| Material, physical | Keeping together. Cohesion, resilience, indestructibility. | Components that do not break or fracture easily, e.g. safety glass. |
| Material, physical | Dissipating energy, protecting, quenching, extinguishing. | Air bags, crumple zones, sprinklers, scrubbers, filters, etc. |
| Functional | Preventing movement or action (mechanical, hard). | Locks, equipment alignment, physical interlocking, equipment match, brakes, etc. |
| Functional | Preventing movement or action (logical, soft). | Passwords, entry codes, action sequences, pre-conditions, physiological matching (iris, fingerprint, alcohol level), etc. |
| Functional | Hindering or impeding actions (spatio-temporal). | Distance (too far for a single person to reach), persistence (dead-man-button), delays, synchronisation, etc. |
| Symbolic | Countering, preventing or thwarting actions (visual, tactile interface design). | Coding of functions (colour, shape, spatial layout), demarcations, labels & warnings (static), etc. Facilitating correct actions may be as effective as countering incorrect actions. |
| Symbolic | Regulating actions. | Instructions, procedures, precautions / conditions, dialogues, etc. |
| Symbolic | Indicating system status or condition (signs, signals and symbols). | Signs (e.g., traffic signs), signals (visual, auditory), warnings, alarms, etc. |
| Symbolic | Permission or authorisation (or the lack thereof). | Work permit, work order. |
| Symbolic | Communication, interpersonal dependency. | Clearance, approval (on-line or off-line), in the sense that the lack of clearance etc. is a barrier. |
| Immaterial | Monitoring, supervision. | Check (by oneself or another, a.k.a. visual inspection), checklists, alarms (dynamic), etc. |
| Immaterial | Prescribing: rules, laws, guidelines, prohibitions. | Rules, restrictions, laws (all either conditional or unconditional), ethics, etc. |
It is not always easy or straightforward to classify a barrier. A wall is, of course, a physical
barrier system and a law is equally obviously an immaterial barrier system. But what kind of
barrier system or barrier function is a procedure? The procedure by itself is an instruction for how to
do something, hence not primarily a barrier. Procedures may, however, include warnings and
cautions, as well as conditional actions. The procedure may exist as a physical document, but
it works because of its contents or meaning rather than because of its physical characteristics.
The warnings, cautions, and conditions of a procedure are therefore classified as a symbolic
barrier system, i.e., they require an act of interpretation in order to work.
Symbolic barriers are often used to complement immaterial barriers. For instance, road signs
supplement the general speed limits given by the traffic laws. Symbolic barriers may also
complement material barriers to encourage their use. Seat belts are material barriers, but can
only serve their purpose when they are used. In commercial aircraft, seat belt use is supported
by both static cautions and dynamic signals (seat belt sign), as well as a visual inspection. In
private cars the material barrier is only supported by the immaterial barrier, i.e., the traffic
laws, which often produces a less than satisfactory result.
4. ACCIDENT ANALYSIS AND SYSTEM DESIGN
In order for a classification to be useful, it must be closely integrated with a method. In the
case of barriers, there is actually a need for two different sets of methods, one for the
identification of barriers in accident analysis, and the other for the specification of barriers in
system design.
In the case of accident analyses, barrier identification is generally carried out in a rather ad
hoc fashion. The common practice in risk analysis is to look for known barriers - similar to
the search for latent failure conditions, sneak paths, or failure modes - and this approach has
simply been applied to accident analysis as well. The principal disadvantage is that the barrier
analysis in this way is carried out on its own, rather than as an integral part of the general
accident analysis method. Although risk analysis has some similarities to accident analysis, it
is clearly not a complete accident analysis method by itself, since it does not address aspects
such as accounting for the interaction between the various elements of the socio-technical
system, or describing the common performance conditions. It is therefore necessary to find a
way of incorporating a systematic classification of barriers into common accident analysis
methods. The easiest solution is presumably to combine the generic fault tree analysis with a
barrier analysis to identify the risks emanating from the failure of barriers, which can be
described as input conditions to the logical gates.
For the purpose of system design, the main emphasis is normally on how to ensure that the
system functions as specified. While this clearly is an essential achievement, it is also
important to consider how the system may not function as specified, i.e., how it may fail.
Such analyses are common in the case of complex technological systems, e.g. as fault trees,
cause-consequence analyses, event trees, FMEA, HAZOP, etc., but are conspicuous by their
absence in the case of interactive systems - perhaps with the notable exception of HRA. It is,
however, of the utmost importance to use barriers as a pivotal element in system design, since
it is only by an inventive combination of barriers and facilitators that effective and safe
system functioning can be achieved.
For event trees, barriers are uncomplicated to insert since they are represented simply as
failures – or rather, effective barriers are represented in terms of successes or very low failure
probabilities. It is then up to the designer later on to be more specific about the types of
barriers that may be needed to achieve the desired probability value. In that sense there is a
gradual transition to cause-consequence trees, which are more developed in the forward
direction than event trees. Here the introduction of the logical gates means that barriers
become more tangible and must be specified in greater detail.
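The combination of fault tree analysis with barrier analysis proposed above (barrier failures as input conditions to the logical gates), and the more detailed specification of barriers that the gates force on the designer, as an added example that is not part of the original paper. It models the door from Section 2: a material door, a symbolic written warning, a functional key lock and the immaterial rule that the key must not be left in the lock. The barrier names and every failure probability are assumed, illustrative values constructed for the example; the minimal cut sets show which combinations of barrier failures are sufficient for the top event, i.e., where the weaknesses of the system lie.

```python
"""Fault tree whose basic events are barrier failures (added example).

Models the door of Section 2: a material door, a symbolic written warning,
a functional key lock and the immaterial rule "do not leave the key in".
Every probability below is an assumed, illustrative value.
"""
from dataclasses import dataclass
from itertools import product
from typing import Tuple, Union


@dataclass(frozen=True)
class BarrierFailure:
    """Basic event: one barrier does not serve its purpose on demand."""
    name: str
    system: str    # material | functional | symbolic | immaterial (Section 2)
    p_fail: float  # assumed probability of failure on demand


@dataclass(frozen=True)
class Gate:
    """AND: all inputs must occur; OR: any one input suffices."""
    kind: str
    inputs: Tuple["Node", ...]


Node = Union[BarrierFailure, Gate]


def probability(node: Node) -> float:
    """Probability of the event at `node`, assuming independent basic events."""
    if isinstance(node, BarrierFailure):
        return node.p_fail
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    # OR gate: at least one input occurs = 1 - P(none of them occurs)
    none = 1.0
    for p in ps:
        none *= 1.0 - p
    return 1.0 - none


def minimal_cut_sets(node: Node):
    """Smallest sets of barrier failures that are sufficient for the top event."""
    if isinstance(node, BarrierFailure):
        return [frozenset([node.name])]
    per_input = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        candidates = [cs for sets in per_input for cs in sets]
    else:  # AND: one cut set from every input, merged into one set
        candidates = [frozenset().union(*combo) for combo in product(*per_input)]
    # keep only those sets that have no strict subset among the candidates
    minimal = {cs for cs in candidates if not any(other < cs for other in candidates)}
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def single_point_failures(node: Node):
    """Cut sets of size one: a lone barrier whose failure alone causes the accident."""
    return [cs for cs in minimal_cut_sets(node) if len(cs) == 1]


def door_tree(with_warning: bool = True) -> Node:
    """Top event: a person enters the hazardous room behind the door."""
    lock_defeated = BarrierFailure("lock mechanically defeated", "functional", 0.01)
    key_left = BarrierFailure("key left in lock (rule not followed)", "immaterial", 0.05)
    door_propped = BarrierFailure("door propped open", "material", 0.02)
    warning_ignored = BarrierFailure("written warning ignored", "symbolic", 0.30)

    lock_fails = Gate("OR", (lock_defeated, key_left))
    door_fails = Gate("OR", (door_propped, lock_fails))
    if not with_warning:
        return door_fails
    # entry requires the physical/functional barriers AND the symbolic one to fail
    return Gate("AND", (door_fails, warning_ignored))


if __name__ == "__main__":
    tree = door_tree()
    print(f"P(entry) = {probability(tree):.4f}")
    for cs in minimal_cut_sets(tree):
        print("cut set:", sorted(cs))
    print("single points with warning:   ", single_point_failures(tree))
    print("single points without warning:", single_point_failures(door_tree(False)))
```

With the warning in place every minimal cut set has two members, one from the door/lock side and one from the symbolic side, so no single barrier failure reaches the top event; without it the same tree has three single-point failures. This is the paper's point that an effective barrier is in practice a combination of several barrier systems, and the AND gate is where the designer is forced to say which systems are combined.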
Since barriers are included in a system to prevent undesirable events from occurring or to
protect against their consequences, it is important that potential barrier failures themselves can
be assessed, so that the weaknesses of the system are known. A tentative description of the
conditions that are required for adequate barrier functioning is shown in Table 2.
Table 2: Requirements for effective barrier functions.

| Barrier system | Barrier function | Precondition for proper functioning |
|---|---|---|
| Material | Physical | Reliable construction, possibly regular maintenance. |
| Functional | Mechanical | Reliable construction, regular maintenance. |
| Functional | Logical | Verified implementation, adequate security. |
| Functional | Spatio-temporal | Reliable construction, regular maintenance. |
| Functional | Monitoring | Reliable performance of monitor. |
| Symbolic | Interface design | Valid design specification, verified implementation, systematic updating. |
| Symbolic | Information | High-quality interface design, reliable functioning. |
| Symbolic | Signs, signals and symbols | Regular maintenance, systematic modification. |
| Symbolic | Lack of permission or authorisation | High compliance by users. |
| Immaterial | Communicative, interpersonal | Nominal working conditions (no stress, noise, distraction, etc.). |
| Immaterial | Rules, cautions, warnings, prohibitions | High compliance by users. |
In order to include the concept of barriers in accident analysis and accident prevention, it is
necessary to combine the barrier concept with the notion of error modes. Hollnagel (1998)
identified eight basic error modes for human actions, which later were extended to cover
systemic failure modes as shown in Table 3 (cf. Hollnagel, 1999).
Table 3: Human and systemic error modes.

| Error mode | Human error mode | Systemic error mode |
|---|---|---|
| Timing | Action performed too early or too late | Position reached too early or too late. Equipment not working as required. |
| Duration | Action performed too briefly or for too long | Function performed too briefly or for too long. System state achieved too briefly or held for too long. |
| Distance | Object/control moved too short or too far | System or object transported too short or too far. |
| Speed | Action performed too slowly or too fast | System moving too slowly or too fast. Equipment not working as required. |
| Direction | Action performed in the wrong direction | System or object (mass) moving in the wrong direction. |
| Force / power / pressure | Action performed with too little or too much force | System exerting too little or too much force. Equipment not working as required. System or component having too little or too much pressure or power. |
| Object | Action performed on wrong object | Function targeted at wrong object. |
| Sequence | Two or more actions performed in the wrong order | Two or more functions performed in the wrong order. |
| Quantity and volume | None | System/object contains too little or too much or is too light or too heavy. |
In order to be able to select the right barrier during system design, it is necessary to assess the
efficiency of each barrier system relative to the failure or error modes. Consider, for instance,
the error mode of distance. Here a material barrier can be highly efficient in preventing a
movement from being taken too far (although not for preventing too short a movement). A
functional barrier may also be highly efficient, but both symbolic and immaterial barriers are
likely to be of little use.
The analyses made so far have indicated that immaterial barriers normally are rather
inefficient, even though they are cheap and fast to implement. This corresponds to the
ordering of approaches to hazard elimination in the MORT technique (Knox & Eicher, 1983),
where immaterial barriers, such as the development of special procedures to handle the
situation, come last. The other barrier systems may be efficient in different ways, and in
practice the establishing of an effective barrier requires a combination of several barrier
systems. Guidelines and principles for how this is to be done will be developed in a recently
started project.
5. REFERENCES
Hollnagel, E. (1998). Cognitive reliability and error analysis method. Oxford, UK: Elsevier
Science.
Hollnagel, E. (1999). Accident analysis and barrier functions. Halden, Norway: Institute for
Energy Technology.
Kecklund, L. J., Edland, A, Wedin, P. & Svenson, O. (1996). Safety barrier function analysis
in a process industry: A nuclear power application. Industrial Ergonomics, 17, 275-284.
Knox, N. W. & Eicher, R. W. (1983) MORT user’s manual (DOE 76/45-4). Idaho Falls,
Idaho: EG&G Idaho, Inc.
Leveson, N. (1995). Safeware. System safety and computers. Reading, MA: Addison-Wesley
Publishing Company.
Svenson, O. (1991). The accident evolution and barrier function (AEB) model applied to
incident analysis in the processing industries. Risk Analysis, 11(3), 499-507.
Svenson, O. (1997). Safety barrier function analysis for evaluation of new systems in a
process industry: How can expert judgment be used? In: Proceedings of Society for Risk
Analysis Europe Conference, Stockholm, June 15-18, 1997.
Taylor, R. J. (1988). Analysemetoder til vurdering af våbensikkerhed. Glumsø, DK: Institute
for Technical Systems Analysis.
Trost, W. A. & Nertney, R. J. (1985). Barrier analysis (DOE 76-45/29). Idaho Falls, Idaho:
EG&G Idaho, Inc.
Bibliographic Data
Proceedings of the European Conference on Cognitive Science Approaches to Process
Control (CSAPC), 21-24 Sep, 1993, Villeneuve, France. (p. 175-180).