What Is Safety?
Lord Cullen, reporting on the Piper Alpha disaster in the North Sea oil field (Cullen, 1990), recommended that all safety-critical industries declare safety to be their first priority. Since that time, organisations have regularly claimed that ‘safety is the cornerstone of our business’ or ‘safety is our number one priority’. It is now a mantra, but few managers can explain what it means in practice, tending to fall back on the absence of accidents as a measure of safety. For most people, safety is an abstract concept. If we want to bring about both qualitative and quantitative change, then we need to find more tangible expressions of safety enactment (MacLeod, 2005). One generally accepted definition of safety is the ‘freedom from unnecessary risk’ (Blockley, 1992). Three aspects of safety arise from this definition: first, safety is not a property in its own right but, instead, is the absence of some other factor, risk; second, risk is recognised as ever-present; third, safety is characterised by our exposure to risks deemed additional to those considered ‘acceptable’. I will explain these terms in the next section, but first I want to briefly discuss another: ‘reliability’. All organisations depend upon predictable, reliable processes but, as Leveson (2011) makes clear, reliability and safety are not the same thing. A process can be considered reliable in that it delivers a consistent outcome, but the manner in which the process is undertaken can be fundamentally unsafe. This is another reason why the absence of something tells us nothing about the safety status of an operation.
The Building Blocks of Safety Thinking
In the Bible, specifically in the Gospels, you can read about two Roman soldiers sitting at the foot of the cross rolling dice to see who gets to keep Jesus’ clothes. The soldiers were playing what later became known as the game of chance. The game involved rolling dice and betting on which numbers came up. The possible combination of numbers on the face-up dice was called the ‘risk’. In order to make the game more fun, certain combinations of numbers were deemed of no value, and the name of the game was changed to ‘hazard’. Chance, risk and hazard are terms in common usage today but with very different meanings. Chance refers to a random, unavoidable event. A hazard is a source of a problem. Risk, meanwhile, has grown in complexity as a concept. It retains its earlier association with a probabilistic distribution of outcomes, but in a safety context, those outcomes are more firmly linked to disadvantage or harm. In fact, safety management processes now define risk as a combination of the probability of an event and the severity of any outcome. Hazard and risk warrant closer examination.
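The ‘combination of probability and severity’ definition can be made concrete with a short sketch. The scales, the multiplicative combination and the acceptability bands below are illustrative assumptions of my own, not taken from any particular safety management standard:

```python
# Illustrative risk-matrix calculation: risk as a combination of
# event probability and outcome severity. All scales and category
# boundaries here are assumed for the purpose of the example.

def risk_index(probability: int, severity: int) -> int:
    """Combine a 1-5 probability rating with a 1-5 severity rating."""
    return probability * severity

def classify(index: int) -> str:
    """Map a risk index onto illustrative acceptability bands."""
    if index <= 4:
        return "acceptable"
    if index <= 12:
        return "tolerable (mitigate where practicable)"
    return "unacceptable"

# A rare but catastrophic event can out-rank a frequent minor one.
rare_catastrophic = risk_index(probability=1, severity=5)  # 5
frequent_minor = risk_index(probability=4, severity=1)     # 4

print(classify(rare_catastrophic))  # tolerable (mitigate where practicable)
print(classify(frequent_minor))     # acceptable
```

The point of the sketch is that neither probability nor severity alone determines the risk ‘value’; it is the combination that matters, which is why a rare hypoxia event still attracts engineered defences.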
A hazard is, quite simply, a potential source of a problem. In golf, a sand trap or bunker is a hazard: hit your ball into a bunker and you need to be a pretty good player not to drop a shot. Objects are hazardous if they have the potential to do harm or frustrate us in our pursuit of a specific goal. However, entities only become hazardous when they intersect with our course of action, that is, once they interfere with our route towards our intended goal. If my golf ball lands beside the bunker, rather than in it, then the bunker is no longer a hazard (unless I am a really bad golfer).
The following event shows the range of hazard types that can exist in the workplace. The cabin crew on an aircraft reported a sticking toilet door in business class and requested maintenance support when they landed. A crew change was planned during the turnaround, and as the new crew prepared the aircraft, a man, dressed in a business suit, turned up asking for information about the toilet door. One of the new crew, only vaguely aware of the reported fault, directed him to the problem toilet and the man then used a lubricant spray to get the door moving freely. Shortly after take-off, several passengers complained about strong fumes at the front of the cabin. One cabin attendant and two passengers collapsed with respiratory problems, and the aircraft had to divert. It was subsequently found that the man who fixed the door was an office worker employed by the company that provided engineering support to the airline. He had taken the message, but there were no maintenance technicians available at that time, so he decided to see what he could do. He found a can of what he thought was a suitable lubricant in a locker but did not notice the health warning on the label. The spray was heavy-duty oil for use on external aircraft hinged surfaces. It was highly toxic and should never be used in confined spaces; even outdoors, breathing equipment had to be worn. Spraying the toilet door hinges was guaranteed to cause problems (source: ASRS).
We can identify three archetypal hazard states in this story (Cox & Cox, 1996). First, the lubricant was a substance that could cause harm to humans exposed to it. The first class of hazard, then, is objects or substances (think of the sand trap or a mis-directed golf ball landing in a crowd of spectators). However, the lubricant was formulated for a specific purpose. When used under the correct conditions - outdoors, by a trained engineer equipped with breathing apparatus - the hazard is controlled. The second class of hazards, then, comprises situations where hazards are a part of the designed process but are properly managed. Flight at altitude in a pressurised aircraft is a hazardous condition. A failure to maintain pressurisation will expose passengers to hypoxia. The risk is managed through the design of the aircraft’s pressurisation system and also by providing emergency oxygen masks in the event of a loss of cabin pressure. Finally, an untrained person, simply trying to help, used the spray in circumstances for which it was never intended. Our actions can be hazardous. This third category is the domain of human error and will be discussed in a later chapter. Hazards, then, exist as entities, contexts and actions.
Moving on to ‘risk’, although the term simply describes a possible distribution of outcomes, in safety management it has become attached to a negative outcome: risk has ‘consequence’. Going back to the sand trap on a golf course, as I drive off from the tee, the ‘risk’ is a function of my ability to control the trajectory of the ball. There are any number of places the ball could come to rest, and not all of them are bad. As I get better at playing golf, the ‘negative’ risk - landing in the sand trap, in the rough or out of bounds - should reduce. Conversely, the ‘positive’ risk - landing slap in the middle of the fairway or even a hole-in-one - should increase. There are several problems with this formulation of risk. First, safety management systems use tools based on some understanding of frequencies of events. In engineering terms, it is possible to record the mean time between a specific component failure. That information could then be used to construct preventive maintenance schedules that offer protection against component failures during an operational flight. However, in the case of human performance, such data are probably unknowable. Furthermore, in complex systems with multiple agents, it is impossible to quantify probabilities in any meaningful sense. Failures involving two or more components require us to be able to calculate combinatorial probabilities, something we are not very good at. Probabilistic approaches to safety are probably irrelevant in the context of CRM.
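The point about combinatorial probabilities can be shown numerically. The failure rates below are invented purely for illustration, and the calculation assumes the two failures are independent, which is precisely the assumption that breaks down in complex, multi-agent systems:

```python
# Sketch: why combined failure probabilities are hard to reason about.
# All failure rates here are invented for illustration only.

p_pump = 1e-5    # assumed probability of a pump failure per flight hour
p_backup = 1e-4  # assumed probability of a backup failure per flight hour

# Valid only if the failures are truly independent; a common cause
# (shared wiring, a single maintenance error) can make the real joint
# probability orders of magnitude higher than the naive product.
p_both_independent = p_pump * p_backup
print(p_both_independent)  # roughly 1e-09

# With even modest dependence the product formula is misleading.
# Assume, hypothetically, P(backup fails | pump failed) = 0.01:
p_backup_given_pump = 0.01
p_both_correlated = p_pump * p_backup_given_pump
print(p_both_correlated)   # roughly 1e-07, ~100x the independent estimate
```

Engineering data can at least supply the individual rates; for human performance there is no equivalent of a component failure log, which is why the quantitative machinery loses its grip in the CRM context.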
Humans tend to deal with risk in a subjective sense based on a general understanding of an issue and any previous exposure to events. As a result, we construct lay understandings of the distribution of risk (Tversky & Kahneman, 1974). We saw in the previous chapter that risk assessment by railway workers varied with age and experience. The severity of an event will also influence the way we construct a ‘value’ of the risk attached to the event. In effect, we tend to think that ‘nasty stuff’ is more commonplace than ‘not so nasty stuff’ when, in fact, the opposite is usually true. Table 2.1 shows the responses of 100 airline pilots to questions about the importance of workplace hazards. The data offer indirect evidence of the distribution of crews’ views on risk.
Table 2.1 Pilot Responses to Hazard Questionnaire (n = 100; scale: 0 = low, 8 = high)
The range of scores reflects, in part, individual beliefs about the significance of each hazard. For example, airport inspections are of less interest to pilots than airframe inspections. That said, these pilots worked for a UK operator and flew mainly within Europe or to the USA. Pilots operating in, say, Indonesia or the Philippines might have a very different view. The scores will also be influenced by the individual pilot’s previous encounters with the specific hazard. The item ‘handling aircraft outside of published standards’ could reflect what pilots have seen others do in the past. Risk, then, seems to be something that is socially constructed. It is an abstract entity. Unfortunately, it is fundamental to aviation.
That individual crew members perceive risk differently is illustrated by this crew of a Boeing 757 (source: ASRS). Company procedures required the aircraft to be established in the correct landing configuration by 1000 ft on the final approach. However, delays in handover between air traffic controllers resulted in the aircraft being about 4000 ft above the profile at the start of the descent. The captain, who was flying the aircraft, began the descent with the power at idle and with the speed brakes out. The landing gear was lowered, and the descent was flown at 250 kt with the gear and speed brakes extended. As the aircraft slowed for the final intercept, the captain called for flaps as the aircraft progressively slowed through the various flap extension limiting speeds. The flight continued with the speed brakes out, eventually slowing to the point at which landing flaps could be selected, which was achieved at about 15 kt above the target speed for the approach. The landing was normal and the rollout, on the airport’s longest runway, did not call for any unusual braking. It was only after the touchdown that the captain realised that the speed brakes had been out the whole time. After they parked the aircraft and shut the engines down, the captain asked the FO for his input on the events that had taken place. The FO commented that he knew what the captain was doing and did not have a concern about the outcome because of the long runway. The captain suggested that a go-around was probably a better option. The captain later said that he subconsciously calculated that the speed would not be a factor because of the long runway but had, perhaps, not accounted for the 30-kt tailwind during the descent below 5000 ft agl. In this incident, two observers participated in the same event but had different perspectives on the risks associated with their course of action.
What is interesting is that the captain appears to have had an expectation of how the FO was viewing the progress of the flight. He was anticipating a call to ‘go-around’, which never came. This example also shows how other external factors - the unexpected wind and the performance of air traffic control (ATC) - shape events. I suggested earlier that probabilistic models of risk start to unravel in the dynamic world of live operations. Risk is probably better seen in terms of a set of influencing factors or attributes of the situation that can shape outcomes.
Hazards and risks, then, are constants in aviation. If we now think about competence, safety flows from our ability to complete tasks within set performance criteria. If the training system has been designed effectively, our performance should allow us to manage the risks associated with any exposure to hazards. Unfortunately, in order to accommodate the variability encountered in the workplace, performance has a degree of discretion - workers can elect to act in different ways to achieve the same goal. Performance has two components: first, the extent to which a workplace solution will satisfy performance goals and, second, the ability of the worker to deliver the performance as required by the task situation. Safety is a function of tools, tasks and operators coming together to achieve goals. Inadequacies in any of these components will increase the risk of task failure, possibly resulting in loss and harm. Historically, there has been a tendency to treat safety as a structural component open to quantification and management. There is a contradiction here: on the one hand, we treat safety as something that can be engineered into an organisation while, on the other, we suggest that safety is an artefact of other activities. Aviation involves organisations and people working in collaboration to meet production targets. Those various actors are kept in a dynamic but stable equilibrium. Systems become unsafe when the control being exercised over the component parts fails or is degraded in some way. As a result, margins of performance are eroded, and the probability of exceeding a limitation is increased.
Safety, then, is not a condition in which an organisation exists or some property that can be assessed but, rather, it is a reflection of the competence of workers in that system. It flows from the degree to which workers successfully negotiate solutions to workplace problems. In the rest of this chapter, I want to examine a specific case study from the perspective of different approaches to accident causation. I want to see how different models can elaborate on the types of behaviour that support competent performance in hazardous environments.