Science, Maths & Technology

### Become an OU student

Integrated safety, health and environmental management: An introduction

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

# 4.1.1 A hierarchy of causes

## SAQ 3

Consider the difference between the relative safety of car and air travel in relation to the following points.

• A car travels on the ground and not at 10 000 m in the air. Compare the effects of power failure.

• A car travels at perhaps one-tenth of the speed of an aircraft, reducing the risk of injury.

• The external environment of a car can usually support life, while an aircraft is a pressure vessel designed to protect its occupants from the external environment. The integrity of this vessel may fail.

• A car carries a smaller number of passengers, and so the maximum consequences of an accident are lower compared with those of an accident to an aircraft which carries several hundred people.

• The inventory of fuel in an aircraft is far greater than in a car.

A car would appear to be inherently safer, yet statistics suggest otherwise. Rationalise this, drawing on any hard or system features to support your view.

Taking the first point in the list, the loss of power in a car will simply make it coast to a halt, whereas an aircraft will fall from the sky. So why is travel in an aircraft safer than driving a car? This is a paraphrase of the question. In practice there are several engineering and procedural features which allow the commercial aircraft system to overcome its inherent safety disadvantages. You may have identified the following examples to illustrate this.

• There is a high level of redundancy in the critical components of an aircraft – usually two or more engines, redundant control devices, pilot and co-pilot, and so on.

• Critical components are designed and maintained to a high level of integrity. Regulations and company procedures include a high level of preventive maintenance and of inspection and testing of key components. Extensive checking of system components is done before each flight. Compare a pilot’s pre-flight checklist with what most of us do when we get into a car and drive away.

• Facilities are designed to minimise the risk of collision. Compare the building restrictions around an airport with the obstacles regularly seen along roads.

• Sophisticated management systems maintain separation between aircraft both on the ground and in the air. There is no comparable traffic control on the roads.

• Like car drivers, pilots are licensed, but undergo a higher level of training, and have to undergo regular retraining. Other people involved in air transport also have to undergo extensive training.

• The extensive resources and expertise to implement the systems associated with aircraft are judged worthwhile in view of the advantages of speed that travel by air permits.

Therefore, despite the inherent disadvantages of air transport in terms of safety, it is in fact a safer means of travel.

In our response to SAQ 3 it should be clear that one major difference between the two modes of travel is management systems. When the system does break down, and there is an aircraft crash, the inherent disadvantages are revealed, but extensive investigations take place to determine the cause of the incident.

Examples such as the Concorde crash, the capsize of the Herald of Free Enterprise, the fire on the Piper Alpha oil installation, the fire at King's Cross underground station and various rail crashes demonstrate beyond doubt the costs of mismanaging environment, health and safety matters, as all had considerable costs both in lives and in monetary terms. All of these incidents were followed by major inquiries which revealed failures in management systems as their root cause. Table 4 gives some more simple examples.

Table 4: Incidents that can be traced back to management
Immediate causeExamplePossible root causePossible management failure
Poor housekeepingEmployee trips over article on floor/Material falls from shelfHazard not recognisedTraining, planning, layout
Improper use of equipmentUsing side of grinding wheel rather than face, and wheel breaks/Use of compressed air to remove dust from surface causes eye injuryInadequate facilities/Lack of skill, knowledge, proper proceduresTraining of operators and supervisors, operating procedures, enforcement of procedures
Defective equipmentElectric drill without earth wire/Hammer with loose head/Vehicle with defective brakesLack of recognition/Poor design or selection/Poor maintenanceTraining of operators and supervisors, maintenance
Procedures absentNo check for flammable mixture – explosion/No instruction to lock out power before maintenanceOmission/Error by design and by supervisionOperating procedures, training, supervision
Lack of safety deviceMachine has exposed gear – severe cut/No warning horn – person hit by vehicle/No guard rail on scaffold 3 m highNeed not recognised/Inadequate availability/Deliberate actPlanning, layout, design, safety rules, equipment, awareness, motivation, training
Lack of personal protective equipmentDermatitis because gloves or protective lotion not used/Foot injury because materials handler not wearing safety shoesNeed not recognised/Inadequate availabilityPlanning, design, safety rules, awareness, training
Inattention, neglect of safe practiceWelder picks up hot metal with bare hands/Person walks under suspended load/Broken glass and spillages not cleaned up from floorLack of motivation/Poor appreciation of risksEnforcement of rules, procedures/Training, awareness, motivation

Often, preventive measures could be taken at the design and at the supervisory stage as shown in Table 5.

Table 5: Preventive measures by design and supervision
Cause of primary errorPreventive measures by designerPreventive measures by supervisor
ImprovisationProvide adequate instructionEnsure procedures supplied to person
Failure to follow correct procedureEnsure procedure not too lengthy or cumbersomeReview procedures to ensure appropriate and not difficult
Procedures not understoodEnsure instructions easy to understandEnsure person understands
Lack of awareness of hazardsProvide warnings, cautions and explanations in instructionsPoint out precautions that must be observed
Errors of judgement, especially under stressMinimise need for making hurried judgements, programme contingency measuresProvide instruction on action under abnormal conditions
Critical components installed incorrectlyDesign components so that only correct installation possible, e.g. asymmetric configurations on mechanical and electrical connections, male and female threads on critical flow systemsProvide instruction on maintenance and repair. Ensure no change from design and do not modify a part to make it fit
Lack of suitable tools and equipmentEnsure need for special equipment minimised; provide those that are unavoidable and emphasise use in instructionsEnsure correct equipment is available and is used
Error or delay in use of controlsAvoid proximity, interference, difficult location or similarity of critical controls. Locate indicator above control so that hand making adjustment does not obscure view of indicator. Label prominentlyCheck equipment during selection and ensure critical controls are easily accessible, easy to select and easy to operate
Vibration and noise cause irritation and loss of effectivenessProvide vibration isolation or eliminate noiseWhere noise levels cannot be suppressed, provide ear defenders
Slipping and fallingIncorporate friction surfaces, guard rails or protective harnesses etc.Determine where safeguards are needed to deal with hazardous locations and ensure their provision and application

You can probably add to these lists to cover other scenarios, such as irritation and loss of effectiveness through excessive heat or humidity. No matter what the organisation, management failures can be linked to risks to the organisation or to individuals.

One analysis of over 6000 incidents from 95 countries, recorded in the MHIDAS (Major Hazard Incident Data Service), identified that a release to the environment occurred in more than 50% of cases, while fire occurred in 44% and explosion in 36%. (As more than one type of incident could occur in a single accident, the total is greater than 100%.) Using a different characteristic for analysis, flammability occurred in almost 70% of cases, toxic substances in about 30%, corrosive substances in 10% and explosive substances in nearly 7% (Vilchez et al., 1995). These proportions justify the emphasis we have given in this unit to the dispersion of releases and to fire. As a result, we shall return to the all too common problem of fires to illustrate the principles in developing a hierarchy of causes of incidents.

There will always be a great temptation to view many of the incidents presented in this unit with the haughty disdain of someone with the 20/20 vision of hindsight. In some cases, it is true, the inevitability of some form of incident or breakdown was clear – the Stalybridge incident, for example, seemed to be a disaster waiting to happen. However, in other cases, the outcome of the initiating act would be far from clear at the time, especially to the people most directly involved.

## Activity 8

Many of the incidents are consequences of some quite complex chains of events – perhaps the multiple cause or domino effect introduced in Section 3. A different analogy is that of a Swiss cheese in which the holes may align allowing passage through a series of barriers. This approach is described in the File Paper ‘Human error: models and management’ by James Reason, which you should now study.

Human error: models and management (PDF, 3 pages, 0.1MB)

View document [Tip: hold Ctrl and click a link to open it in a new tab. (Hide tip)]

Notice that here Reason attributes active failures to the actions or inactions of operators, which are believed to cause the accident – as in the case of pilot error. Often these operators perform the last ‘unsafe acts’ that lead to unfortunate consequences. Examples include a pilot failing to lower the landing gear before touchdown, or a surgical procedure to remove a foreign body carried out on the wrong finger rather than the finger that had the problem. In contrast, latent failures are errors committed elsewhere in the management chain. For example, overwork or stress may lead to active errors, and the resulting unsafe acts of individuals are the end result of a long chain of causes with roots elsewhere in an organisation. The problem is that these latent failures may remain dormant or undetected for long periods.

Many investigations and reports concentrate on the technical aspects of the incidents or breakdown which led to the fire or explosion. This is probably because they serve as warnings to other practitioners involved with similar materials, processes or installations, a feeling that some good must come from the disaster. There is also an unwillingness to address the more contentious issues of blame or organisational weakness, especially if death has been a consequence of the incident.

However, it is clear that in many, if not all, of the cases discussed there are underlying causes which are related less to the physical properties of materials than to the organisation of the operation, be it material, process or plant. Put more directly, the underlying cause in all cases is the failure to manage the risk.

A hierarchy of causes is shown in Figure 7. At the top is the loss itself, that is life, property, business or the environment. The loss was caused by the incident, accident or breakdown, which in the context of this discussion is the fire or explosion. The cause of the fire is the ignition of some flammable material and the consequent development of a fire. These are the so-called immediate causes, in other words unsafe conditions and unsafe acts. Arson is, of course, an extreme example of an unsafe act.

Now we ask the question, ‘What in turn led to those unsafe conditions, or what promoted those unsafe acts?’ These are the so-called root or basic causes. The following is a fairly exhaustive list of these basic causes.

2. Unsafe working practices – often called systems of work.

3. Poor standards of maintenance – of either equipment or systems of work.