Today, most of the top managers, contractors and workers in the construction industry are aware of the significance of preventing accidents. (In fact, they know that ignoring safety and health can impose a high penalty on a company, large or small. Also, an individual accident or injury can mean compensation, time off and lost production, and what seemed to be a minor risk becomes a major liability) (Safety at Work / compiled by Badrie Abdullah / p. iii). Therefore they know the value of occupational safety and health (OSH) management, although most managers do not have enough knowledge about OSH. That is, they do not know what OSH is or how they must use it. In this report I try to investigate the different parts of OSH management as well as the need for it.
In recent years, construction accident rates have decreased as a result of substantial effort by many parties. Increased pressure from OSHA and owners, and the increased cost of accidents, raised the contractors' awareness. In turn, contractors increased safety training and enforcement. These efforts have reduced the injury and illness rate from 12.2 in 1993 to 7.9 in 2001.
The recent approach to accident prevention is based on OSHA's violations approach and focuses on prescribing and enforcing "defenses", that is, physical and procedural barriers that reduce the workers' exposure to hazards. The violations of the defenses are called "unsafe conditions" and "unsafe behaviors." (Systems Model of Construction Accident Causation / Panagiotis Mitropoulos, Tariq S. Abdelhamid and Gregory A. Howell, p. 1 & 2)
Only knowing about the benefits of OSH management isn't enough; we must act and apply it. So first it is important to understand the necessity of OSH management, then the definition of OSH management, and finally how we can follow its rules to make our workplace safe.
Who are included in the safety value chain?
Maybe it's better to ask this question: "Who should be interested in accident causation and safety system?"
In fact, the safety value chain includes students, researchers, technicians, system designers, operators, managers, shareholders, accident investigators and safety inspectors (Fig. 1). All these groups affect system safety on different time scales. Educators and researchers play an important role in this safety value chain, because educators, by teaching safety culture, can help students gain awareness before they enter the workplace, and so they have an impact on accident prevention in the long term.
What is occupational safety and control?
Occupational Safety and Health management is management that provides the legislative framework to secure the safety, health and welfare of all workforces and to protect others against risks to safety or health in connection with the activities of persons at work. (Job Seeker Handbook / Malaysian Labour Law: Regulation of Employment)
Occupational health and safety is a discipline with a broad scope involving many specialized fields. In its broadest sense, it should aim at:
the promotion and maintenance of the highest degree of physical, mental and social well-being of workers in all occupations;
the prevention among workers of adverse effects on health caused by their working conditions;
the protection of workers in their employment from risks resulting from factors adverse to health;
the placing and maintenance of workers in an occupational environment adapted to physical and mental needs;
the adaptation of work to humans.
In other words, occupational health and safety encompasses the social, mental and physical well-being of workers, that is, the "whole person". (Website of International
What is an accident?
It is necessary to define what we mean by the word "accident", because before anyone can begin to put up any sort of a fight, he must know his enemy. So we must do the same.
An accident is an unplanned event, which could result in injury to persons or in damage to plant and equipment or both. Accidents are also the consequence of unplanned (unsafe) acts or unplanned (unsafe) conditions performed or created by people. In fact, people cause accidents by what they do or what they neglect to do, and the activities of people, in a factory or any other place of work, are controlled by management. (A Safe Place of Work / D.WB James / p. 5 & 6)
From the linguistic point of view, the word accident is the present participle of the Latin verb accidere, which means "to happen", which in turn is derived from ad- + cadere, meaning to fall. The literal meaning of accident is therefore that of a fall or stumble. The derivation from "to fall" is significant, since falling is not something one does on purpose. If someone falls while walking or while climbing, it is decidedly an unexpected and unwanted event. It is, in other words, what we call an accident: an unforeseen and unplanned event, which leads to some sort of loss or injury.
Other definitions of "accident", such as can be found in various dictionaries, concur that an accident is an unforeseen and unplanned event or circumstance that (1) happens unpredictably without discernible human intention or observable cause and (2) leads to loss or injury. Used as an adverb, to say that something happens accidentally or happens by accident means that it happens by chance. (Barriers and Accident Prevention / Erik Hollnagel, p. 3 & 4 / 2005)
The need for accident models
It is a truism that we cannot think about something without having the words and concepts to describe it, or without having some frame of reference. The advantage of having a common frame of reference is that communication and understanding become more efficient, because a number of things can be taken for granted. The frame of reference is particularly important in thinking about accidents, because it determines how we view the role of humans. (Barriers and Accident Prevention/Erik Hollnagel p.44&45/2005)
Accident causation models:
Figure 2. Diagram showing the dominant five perceptions of accident causation (Benner 1975).
The single event concept
The first view of accident causation is the Single Event Concept. This idea holds that a single event caused the accident. It means that this simple model is the widest
The first perception of accident causation is the single event concept. This concept focuses on the premise that accidents are caused by a single event. This simple model exemplifies the quest for the "cause" of what occurred. The search for a scapegoat and taking care of the scapegoat would solve the problem. This concept is the most widely perceived and least complex. The public and media typically utilize this concept when they ask "what caused the accident?"
The single events concept is limited in its ability to see the accident as a process or sequence of events in time. The factors that may contribute to the accident are not identified or pursued due to the fact that the "real" cause is obvious and visible. Causes that may underline human behavior are rarely determined.
Current applications are primarily apparent in how the public and media view accidents. This viewpoint is reinforced by findings such as when an airline accident was caused by "pilot error". Police citations are another example of the perception.
CHAIN OF EVENTS CONCEPT
The chain of events concept or domino theory was originally developed by Heinrich (1941). The basic concept implied that accidents resulted from a sequence of events that led to an accident. Like a row of dominos, once the sequence began each event led to the next until an accident occurred. Intervention at any point along the events sequence could halt the accident process and eliminate the unwanted results. An unsafe act starts the chain of events that began with an unsafe condition.
This concept is limited by the linear progression characteristic of the model. Interactions among events, contributing causes, and the duration and timing of each event limit the identification of all causal factors.
The current use of this concept is prevalent in the legal field that attempts to reconstruct the sequence of events that led to the accident.
2. The determinant variable concept
3. The domino theory
4. The fault tree analytical methodology
FAULT TREE ANALYSIS
Heinrich (1941) developed the methodology that preceded and formed the basis for Fault Tree Analysis. He illustrated the linear sequence of factors in accident causation by using a domino theory. The theory stated that a disturbance that caused any one of the five identified components of the sequence to fail would set off a chain-of-events that led to an accident. The five in the sequence were 1) ancestry and social environment, 2) conditions and fault of person, 3) unsafe act, 4) unsafe condition and 5) injury. He showed that by intervention at any point along the sequence an accident/injury could be prevented. This theory has been modified and updated (Baker 1953, Marcum 1978, Heinrich et al 1980), and has wide applicability in current automobile accident and law enforcement investigations.
Similar linear sequence models such as Critical Path Analysis (CPA), Gantt Charts, and Program Evaluation Research Task (PERT), were initially used in the 1950's and 60's as planning tools (Lockyer 1964). Though many names were given to their process they were very similar in their goals and methods. They provided a graphical display of activities linked to events by arrows in order to plan complex projects. The process illustrated a flow (path) from one task sequence to the next and incorporated time frames and interrelationships between tasks. Projects could then be analyzed by task, the amount of time needed for each segment and the relationship a task may have with another task. These methods offered an effective means of project planning, costs analysis, and time frame considerations by visually outlining the task process (Lockyer 1964). These processes also provided the means to better understand the interrelationships between and among tasks. This logical depiction of process flow related directly to analyzing an accident sequence and the precursor events.
In the 1960's Bell Laboratories expanded upon the linear chain of events concept through missile system safety. They arranged events in a flow chart that used a proceed/follow logic pattern. Their concept, Fault Tree Analysis (Figure 11), is generally credited to Watson (1971). Figure 12 illustrates the fault tree concept as applied to a hypothetical accident where a wildland firefighter was burned. This analysis concept helped provide a sense of management by objectives by identifying unwanted events (the top event) and then systematically and sequentially determining the precursor events. The objective is the top event and the identification of the preceding causal factors aid in the management achievement of that objective. Watson's Fault Tree Analysis investigation methodology provided a visible, easily understood and defendable format (1971). The methodology extended the linear chain of events into a "branched events chains" concept through the use of "and/or" logic gates. It uses basic Boolean logic in a hierarchical tree format. Other Boolean terms such as "not" are not used in Fault Tree Analysis. For example, "C" can only occur when both "A" and "B" occur. If two or more events are required for a cause to happen then an "and" symbol is used. Another possibility is when only one of the factors need be present. For "C" to occur, then "A" or "B" occurred. If only one event of two or more are necessary then an "or" gate is used. The "top event" is the unwanted result of the accident and causal factors branch out below leading to it. The downward sequence is continued until the root causes are found or the tree cannot be further developed. This technique, according to Benner (1975), "contributed a powerful tool for the investigation of accidents - both historical and postulated." Accidents could be investigated or reinvestigated in the search for causal factors utilizing this method.
It assisted in illuminating areas that may have previously been overlooked by other means. Numerous approaches to determining accident causal factor using "branched events chains" reflected the discipline of the investigations employing it; thus medical doctors used an epidemiological approach (agent/host/environment), while psychologists focused on human factors.
Figure 11. Fault Tree diagram illustrating a typical failure process, symbols used, and the logic sequence leading to an undesired event, a dark room (in Ferry 1988).
Figure 12. Fault Tree diagram illustrating the deductive process using an example of a sequence of events in which a firefighter receives burns.
One key limitation of Fault Tree Analysis is the inability to model time sequences that are concurrent and interactive (Hendrick and Benner 1987). Brown (1993) added that only one event could be analyzed at a time and thus primarily applicable to catastrophic events. Benner (1975) cited similar deficiencies, most notably that charting analysis methods focus on a single undesired event and provided no means to indicate the chronological relationships (and the subsequent concurrent interrelationships) of events. Another limitation is the restriction inherent in the method whereby causes must be either successes or failures and degrees of each are not accounted for (Tulsiani and others 1990).
5. The energy-barriers-targets model
Barriers Analysis is an accident investigation method that is an additional component of the MORT process. The method identifies barriers/controls that are in place to prevent accidents. These barriers may be physical and/or administrative and must be absent, inadequate, or bypassed in order for the accident to occur. A more detailed account of this approach will be undertaken in the methods section as this method is one of the USDA proposed investigative tools (USDA 1998).
6. The management oversight and risk tree
Traditional accident investigations focused on the active response to a mishap and the identification of procedures to prevent future occurrences. The degree and intensity of the accident dictated the intensity of the investigation response and subsequent preventative action (Brown 1993). But as technology advanced and systems became more complex, the consequences of accidents became increasingly unacceptable to society and industry, particularly in the nuclear power industry. The nuclear industry and similar high-risk technologies have determined that learning from accidents and even near misses was not an option. The consequences of accidents precluded the traditional trial by error approach where as accidents occurred the problem was fixed subsequent to the next mishap (termed the fly-fix-fly approach). A new approach was undertaken to become proactive as well as reactive in accident analysis techniques to determine possible failure points prior to occurrence. Johnson (1973a) working for the National Safety Council and under a contract from the US Atomic Energy Commission focused on a systems approach to accident analysis. This approach focused on the entire system in which accidents occurred and the interaction of events within that system. Johnson merged two basic views to focus on management responsibility in planning the context in which accidents occur. These views, understanding the energy release process and focusing management of that hazard on the route of its release, led Johnson to develop the concept of "less than adequate" management decisions. This progressed to the Management Oversight and Risk Tree (MORT) accident analysis tool. He said MORT was "an analytical procedure that provides a disciplined approach for finding the causes and contributing factors of mishaps". It entailed a very broad and detailed checklist that facilitated the search for safety problems. 
It incorporated 1500 possible causes and 98 generic problems and was the initial methodology to embody management oversight into accident causation. The Department of Energy currently employs this method as one of its most comprehensive analytical techniques (DOE 1992). It is more generally used as a proactive method in safety system evaluations than as an accident investigation method. This is primarily due to the fact that it can be time consuming and intensive and due to the nature of the nuclear industry, identifying possible loopholes in the safety system to eliminate hazards is more cost effective and publicly expedient than after the accident occurs.
This concept was highly visible, easily reviewed and updated as new relevant facts warrant, and provided structure to help reduce overlooked factors and bias. Within the MORT system incidents were defined as inadequate barrier/controls or as failures without consequence. Accidents resulted in adverse consequences. The MORT system incorporated the concept of the unwanted transfer of energy that can cause mishaps due to inadequate barriers/controls. These barriers and controls may be physical (protective clothing, concrete walls, etc.) or administrative (codes, standards and regulations). The MORT system is based on two main sources of accidental losses: 1) specific job oversights and omissions and 2) the management system factors that control the job (Johnson 1973a). A third source he mentioned was "assumed risk". Johnson noted that once this source was properly evaluated it could not be considered accidental in nature since we have consciously decided to accept the risk. Integral aspects of the MORT process are Fault Tree Analysis, Barriers Analysis and Event and Causal Factors Charting. Each of these approaches will be subsequently explained.
Limitations of MORT are that it can be insufficient in finding specific causes as it is designed to identify general causal areas (Gertman and Blackman 1994). These authors do recognize its strengths in identifying more specific control and managerial factors. Moreover, this systematic process is advantageous when system experts are not available.
Its current use as a proactive safety system analysis tool for the Department of Energy has long standing (Briscoe 1990). It has been used exclusively as both a proactive technique and an accident investigation method for the Nuclear Regulatory Commission.
7. Petersen's multiple causation model
8. Reason's Swiss cheese model of human error (1990)
Reason's "Swiss Cheese" Model of Human Error
One particularly appealing approach to the genesis of human error is the one proposed by James Reason (1990). Generally referred to as the "Swiss cheese" model of human error, Reason describes four levels of human failure, each influencing the next (Figure 1). Working backwards in time from the accident, the first level depicts those Unsafe Acts of Operators that ultimately led to the accident. More commonly referred to in aviation as aircrew/pilot error, this level is where most accident investigations have focused their efforts and consequently, where most causal factors are uncovered. After all, it is typically the actions or inactions of aircrew that are directly linked to the accident. For instance, failing to properly scan the aircraft's instruments while in instrument meteorological conditions (IMC) or penetrating IMC when authorized only for visual meteorological conditions (VMC) may yield relatively immediate, and potentially grave, consequences. Represented as "holes" in the cheese, these active failures are typically the last unsafe acts committed by aircrew.
Reason's original work involved operators of a nuclear power plant. However, for the purposes of this manuscript, the operators here refer to aircrew, maintainers, supervisors and other humans involved in aviation.
However, what makes the "Swiss cheese" model particularly useful in accident investigation, is that it forces investigators to address latent failures within the causal sequence of events as well. As their name suggests, latent failures, unlike their active counterparts, may lie dormant or undetected for hours, days, weeks, or even longer, until one day they adversely affect the unsuspecting aircrew. Consequently, they may be overlooked by investigators with even the best intentions.
Within this concept of latent failures, Reason described three more levels of human failure. The first involves the condition of the aircrew as it affects performance. Referred to as Preconditions for Unsafe Acts, this level involves conditions such as mental fatigue and poor communication and coordination practices, often referred to as crew resource management (CRM). Not surprising, if fatigued aircrew fail to communicate and coordinate their activities with others in the cockpit or individuals external to the aircraft (e.g., air traffic control, maintenance, etc.), poor decisions are made and errors often result.
Figure 1. The "Swiss cheese" model of human error causation (adapted from Reason, 1990).
But exactly why did communication and coordination break down in the first place? This is perhaps where Reason's work departed from more traditional approaches to human error. In many instances, the breakdown in good CRM practices can be traced back to instances of Unsafe Supervision, the third level of human failure. If, for example, two inexperienced (and perhaps even below average pilots) are paired with each other and sent on a flight into known adverse weather at night, is anyone really surprised by a tragic outcome? To make matters worse, if this questionable manning practice is coupled with the lack of quality CRM training, the potential for miscommunication and ultimately, aircrew errors, is magnified. In a sense then, the crew was "set up" for failure as crew coordination and ultimately performance would be compromised. This is not to lessen the role played by the aircrew, only that intervention and mitigation strategies might lie higher within the system.
Reason's model didn't stop at the supervisory level either; the organization itself can impact performance at all levels. For instance, in times of fiscal austerity, funding is often cut, and as a result, training and flight time are curtailed. Consequently, supervisors are often left with no alternative but to task "non-proficient" aviators with complex tasks. Not surprisingly then, in the absence of good CRM training, communication and coordination failures will begin to appear as will a myriad of other preconditions, all of which will affect performance and elicit aircrew errors. Therefore, it makes sense that, if the accident rate is going to be reduced beyond current levels, investigators and analysts alike must examine the accident sequence in its entirety and expand it beyond the cockpit. Ultimately, causal factors at all levels within the organization must be addressed if any accident investigation and prevention system is going to succeed.
In many ways, Reason's "Swiss cheese" model of accident causation has revolutionized common views of accident causation. Unfortunately, however, it is simply a theory with few details on how to apply it in a real-world setting. In other words, the theory never defines what the "holes in the cheese" really are, at least within the context of everyday operations. Ultimately, one needs to know what these system failures or "holes" are, so that they can be identified during accident investigations or better yet, detected and corrected before an accident occurs.
The balance of this paper will attempt to describe the "holes in the cheese." However, rather than attempt to define the holes using esoteric theories with little or no practical applicability, the original framework (called the Taxonomy of Unsafe Operations) was developed using over 300 Naval aviation accidents obtained from the U.S. Naval Safety Center (Shappell & Wiegmann, 1997a). The original taxonomy has since been refined using input and data from other military (U.S. Army Safety Center and the U.S. Air Force Safety Center) and civilian organizations (National Transportation Safety Board and the Federal Aviation Administration). The result was the development of the Human Factors Analysis and Classification System (HFACS).
1.2. Accident investigation methods
During the last decades, a number of methods for accident investigation have been developed and described in the literature. The selection of methods for the needs of our study was made on the basis that they are described in the literature, they show the evolution of accident investigation over time and they are either widely used or recently developed. Based on these criteria, the following methods were selected:
1.2.1. Fault tree analysis (FTA)
FTA was developed in the early 1960s by the Bell Laboratories (Ferry, 1988). In FTA, an undesired event (an accident) is selected and all the possible things that can contribute to the event are diagrammed as a tree in order to show logical connections and causes leading to a specified accident. FTA is more an analytical tool for establishing relations; it does not give the investigator any particular guidance for gathering the information. The analysis starts with the top event (the undesired event) which should be carefully defined and then it proceeds backwards. The top event is linked to preceding events and conditions (such as technical actors, human actions) by two logic gates (the AND and OR gate). The use of the tree allows investigators to represent graphically the logical combinations of causes of the defined top event. In this way, a causal sequence of logical relations (necessary and/or sufficient conditions) is established. FTA is the most widely used of the tree techniques.
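The AND/OR gate logic described in this subsection and in the earlier Fault Tree Analysis passage, shown as an added example that is not taken from the cited sources: it evaluates a constructed dark-room fault tree and goes one step further by listing the minimal cut sets, the smallest combinations of basic events that are sufficient for the top event. The tree, the event names and the function names are assumptions made for illustration.

```python
from itertools import product

# A node is either a basic-event name (str) or a gate: (gate_type, [children]).
# Constructed tree for illustration; it is not the figure from Ferry (1988).
DARK_ROOM = ("OR", [
    # No electricity reaches the lamp: any one of these is enough.
    ("OR", ["power_outage", "fuse_blown", "switch_off"]),
    # The lamp has two bulbs: both must fail for the room to go dark.
    ("AND", ["bulb_1_burnt_out", "bulb_2_burnt_out"]),
])


def _check_gate(gate):
    # Fault trees as described in the text use only AND and OR gates (no NOT).
    if gate not in ("AND", "OR"):
        raise ValueError(f"unsupported gate: {gate!r}")


def occurs(node, failed):
    """Return True if the event at `node` occurs, given the set of basic
    events that have failed. Events are binary: failed or not failed."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    _check_gate(gate)
    results = [occurs(child, failed) for child in children]
    return all(results) if gate == "AND" else any(results)


def _minimise(sets):
    """Drop every set that strictly contains another set (absorption)."""
    unique = set(sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(node):
    """Return the minimal cut sets of the tree rooted at `node`.

    OR gate:  any child's cut set is a cut set of the gate.
    AND gate: one cut set from every child must occur together, so the
              gate's cut sets are unions across the children.
    """
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    _check_gate(gate)
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    else:
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    return _minimise(combined)


def single_points_of_failure(node):
    """Basic events that cause the top event on their own."""
    return sorted(next(iter(cs)) for cs in minimal_cut_sets(node) if len(cs) == 1)


if __name__ == "__main__":
    print("One burnt-out bulb darkens the room:",
          occurs(DARK_ROOM, {"bulb_1_burnt_out"}))
    print("Blown fuse darkens the room:",
          occurs(DARK_ROOM, {"fuse_blown"}))
    for cut_set in minimal_cut_sets(DARK_ROOM):
        print("cut set:", sorted(cut_set))
    print("single points of failure:", single_points_of_failure(DARK_ROOM))
```

Because every event is either failed or not failed, the sketch shares the limitation noted earlier on the page: degrees of failure and the timing of events are not represented.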
1.2.2. Management oversight and risk tree (MORT)
Johnson developed MORT in 1973 for the U.S. Atomic Energy Commission (Johnson, 1980). In MORT, the accident is defined as an unwanted energy transfer because of inadequate energy barriers and/or controls. The method follows the energy transfer and deviation concepts. Fact finding aims at identifying hazardous forms of energy and deviations from the planned and normal production process. The MORT diagram is a logic tree (the accident being the top event) with three main branches: S-factors, the specific oversights and omissions associated with the accident being investigated, R-factors or assumed risks, which are risks known but for some reason not controlled, and M-factors, which are general characteristics of the management system that contributed to the mishap. The various elements in the tree are numbered and these numbers refer to a list with specific questions that the analyst should pose. Analysis involves going through all elements in the tree and making an assessment of each, based on two assessment levels: "satisfactory" and "less than adequate" (LTA), in order to examine the adequacy of measures. The method provides a large checklist to help investigate the facts and look for evidence, it permits a large number of problems to be identified and it prompts the investigator to look not only for direct causes, but also for causal contributions at the management and organisation levels.
1.2.3. Multilinear events sequencing (MES)
Ludwig Benner developed MES in the mid 1970s (Benner, 1975). MES is a charting technique, which shows events chronologically ordered on a time-line basis. It is based on the view that an accident begins when a stable situation is disturbed. A series of events can then lead to an accident. The method distinguishes between actors, actions and events. Actors can be people, equipment, substances while actions are anything carried out by an actor. Events are the unique combination of one actor plus one action. The aim of the method is to help the analyst to identify the main actors and their actions and map the relations between the events along a flexible time line. The final product is thus an accident logic chart with the events, actors and actions sequentially placed.
Multilinear Events Sequence (MES)
Hendrick and Benner (1987) developed a systems based multilinear sequence method (Figure 6) to accident investigations that sought to overcome the deficiencies that were inherent in earlier methods. Multilinear Events Sequencing (MES) was an analytical technique initially developed by Benner (1975) while working with the National Transportation Safety Board and a further development of Events and Causal Factors Charting. Figure 7 illustrates the MES method using a firefighter receiving burn injuries. This approach incorporated a temporal consideration that recognized and accounted for multiple events by multiple actors (or agents) that previous methods failed to take into account. In addition, some of these events may have occurred simultaneously, this method provided a chronological validation and event comparison format. Thus this process provides the opportunity to discover possible unknown linking events, causes, and contributing factors. Benner (1977) remarked that this approach provided a "method for proving the hypothesis that differs from traditional, statistical, or experimental approaches of the scientific method" by illuminating areas that may not be directly linked in the causal sequence. There were two distinct differences of the MES technique that has built upon the work of Benner and associates' (in Ferry 1988). The first was the identification of the beginning and end of the accident sequence. The accident sequence began when a perturbation disturbed the homeostasis (therefore this method has been called the P-theory in reference to a perturbation). When this stable flow of events was interrupted by external influences the possibility of a harmful outcome increased. Identification of the flow deviation from the normal harm-free process was necessary to accurately pinpoint the start of the accident sequence. 
Identifying the end of the sequence (the final damaging event) would allow the accident process boundaries to become established so that the entire flow of events could be framed. The full sequence could then be subdivided into individual events and causes.
Figure 6. Multilinear Events Sequence (MES) diagram showing the analysis process in reconstructing the accident sequence. Note the time scale at the bottom and the incorporation of simultaneous conditions and/or events (Benner 1975).
Figure 7. Multilinear Events Sequence example illustrating accident process of firefighter receiving burns.
The second major contribution the MES process has embodied is a more distinct time frame than was present in antecedent linear models. The timeline has aided investigators by structuring the search for relevant factors and events. Newly discovered conditions or events could be easily tested and then inconsistencies and gaps in knowledge could be more readily determined. The Civil Aeronautics Board (1962) in the early 60's incorporated a time line when flight data recorders came into use.
This method may be limited by its perceived complexity in developing the framework to process all the information gathered. Underlying human factors may also be more difficult to identify if experience in the relevant work tasks is limited.
Currently the National Transportation Safety Board utilizes a similar concept as part of a hybrid approach. Their approach involves a quantitative assessment of engineering structures, the environment, and the time line analysis (Gertman and Blackman 1994).
1.2.4. Systematic cause analysis technique (SCAT)
The International Loss Control Institute (ILCI) developed SCAT in the late 1980s (Kjellén and Hovden, 1993), having its roots in Heinrich's domino theory (1941) and its updated version by Bird (1974). SCAT is presented as a chart which contains five blocks corresponding to five stages in the accident causation process. The first block contains space to write the accident description, the second block lists the most common categories of contact that could have led to the accident. The third block lists the most common immediate causes of this contact, while the fourth block identifies underlying causes. The final block lists safety management practices that should be addressed to prevent accidents from occurring. The method makes use of checklists, which contain questions about personal and job factors (the second block) and questions corresponding to the elements of a safety management system designed by the ILCI. The preventive philosophy relies upon the removal of one of the blocks, or on erecting barriers to prevent the energy transfer in the sequence.
1.2.5. Causal tree method (CTM)
Leplat (1978) originally developed CTM in the late 1970s for the French Institut National de Recherche et de Sécurité (INRS); for this reason, CTM is often called the INRS method. It belongs to the category of Tree Techniques and the basic idea is that accidents result from variations or deviations in the usual process. There are four classes of variations: those related to the individual, the task, the equipment and the environment, respectively. The tree starts with the end event (the accident) and works backwards. The facts relating to the accident are used in the construction of the causal tree. The end event is the starting point and only the facts that contributed to the accident should be selected. The analyst has to identify and list the variations and then display them in the analytic tree, showing causal relations.
1.2.6. Occupational Accident Research Unit (OARU)
Kjellén and Larsson (1981) developed OARU for the Occupational Accident Research Unit (OARU) of the Royal Institute of Technology in Stockholm, Sweden. The method has two levels of reasoning: describing the accident sequence, and finding the determining factors. The state of lack of control is characterised by the presence of deviations in the system. The accident sequence has three phases: the initial phase (when there are deviations from the normal process), the concluding phase (which is characterised by loss of control and ungoverned flow of energy), and the injury phase (where energy meets the human body and causes physical harm). Determining factors are technical, organisational and social properties of the production system that affect the accident sequence. Checklists of deviations (in the initial phase of the accident sequence) and of determining factors were developed to support the investigation. The original model has not survived the test of time (Kjellén and Hovden, 1993), and the main reason for its abandonment was a lack of input from (human) information-processing theory (Larsson, 1993).
1.2.7. TRIPOD
TRIPOD was developed in the mid 1990s in a joint project by the University of Leiden (The Netherlands) and the University of Manchester (UK), for use in the oil industry (Wagenaar et al., 1994). TRIPOD follows Reason's accident causation model. The idea behind TRIPOD is that organisational failures are the main factors in accident causation. An accident occurs when one or more barriers (controls/defenses) fail. Unsafe acts (active failures) are the direct reason for the failure of barriers; they do not just occur but are generated by underlying mechanisms acting in organisations. These mechanisms are called general failure types (GFTs) and they cover human, organisational and technical problems. The method has 11 categories of GFTs in order to classify deficiencies in the working situation. The aim of TRIPOD analysis is to produce a profile (by means of a bar graph) of the extent to which the 11 GFTs are present in the organisation.
1.2.8. Accident evolution and barrier function (AEB)
AEB was developed in 1991 by Svenson and co-workers in a study conducted for the Swedish Nuclear Power Inspectorate (SKI) and the Netherlands Institute for Advanced Study in the Humanities and Social Sciences (Svenson, 2000). The AEB approach is a stand-alone method and addresses, as a central concept, safety barriers and their functions. An accident is modelled as a series of interactions between human and technical systems. The main principle is that it is possible to stop or interrupt the development of the sequence between any two successive errors (human or technical) through adequate barrier functions (Harms-Ringdahl, 2001). Barrier function systems are the systems that perform the barrier functions and might consist of an operator, an instruction, or an emergency control system. The aim of investigation with AEB is to describe the accident evolution in a flow diagram, showing human and technical errors. The diagram also shows barrier functions related to specific errors. If a particular accident happened, all the barrier functions in the sequence must have been broken, ineffective or nonexistent.
1.2.9. Integrated safety investigation methodology (ISIM)
ISIM was developed in 1998 by the Transportation Safety Board (TSB) of Canada and it follows Reason's (1990) accident causation model (Ayeko, 2002). The method starts with the collection of information regarding personnel, tasks, equipment and environmental conditions involved in the occurrence in order to determine the sequence of events and identify underlying factors and unsafe conditions. The next step is to assess the level of risk associated with such unsafe conditions or underlying factors and examine the status of barriers (physical or administrative) in order to identify those that are less than adequate. ISIM forces the investigator to look beyond the actions and decisions of front-line operators and into the latent unsafe conditions in the work system that provided the opportunity for the expression of those actions. Once the safety deficiencies have been identified, options for controlling risk have to be considered. The goal of ISIM is to ensure that both accident investigation and safety deficiency analysis are integrated. The risk control option analysis is a key step of ISIM aiming at generating recommendations and strategies for safety improvement.
1.2.10. Norske Statesbaner (NSB)
NSB was developed in the early 2000s by the Norwegian State Railways (Norske Statesbaner - NSB) for the analysis of accidents in the Norwegian railway sector. The method integrates the approaches of both Reason (1997) and Hollnagel (2002) and focuses on human, technical and organisational interaction (Skriver et al., 2003). The method identifies the sequence of events and where barriers were broken or missing, and it uses a questionnaire, addressing factors such as procedures/documentation, training, communication, human-systems interface, tools and equipment, work preparation and local management, organisational management, work environment and task completion. The latter focuses on the task and individual characteristics.