10 The Secret of Safety Erik Hollnagel
By Dansk Offshore
Summary
Topics Covered
- Root Cause Analysis Keeps Changing Its Targets
- Why Studying Success Beats Studying Failure
- Safety Is Making Things Go Well
- Weak Signals Hide in Plain Sight
- The Critical Art of Knowing When to Stop
Full Transcript
hello everybody welcome back from lunch if you could take your seats so firstly for those people that put questions in the slide i thank you and
during the afternoon if you've got questions please do continue to put them into slido elizabeth has another reflection from the floor and then a personal reflection
so if i hand over to you so please tell us who you are my name is pia and i'm from matic um and i think that we had some really
strong stories this morning and i was actually quite emotional about especially the personal stories um but
a lot of this we already know a lot of data um a lot of knowledge lessons learned how come that we are not better at sort of putting those things into change
management and my personal thought was that maybe we all need to work on our listening skills and
going back at least i will think both as working with hcc and also in management that we need to empower people to
come back with what they what they their concerns and maybe also some of their thoughts about not just health and safety and i think
that we all think we do that but maybe we do not pay attention enough and i'll definitely work on that great great and start to notice what are the subtle
narratives that we use that suppress people speaking up because you can hear them everywhere when you start listening thank you so much nina elizabeth
yes i was i was reflecting on one of the things that mark mentioned was that they made sure that every every team everyone
in their business is on the same level on safety and it made me think how they do that i mean do they share everything
um and it made me also wonder in in the industry that the oil and gas industry here but also some of the other industries represented here
do we share enough i know in the oil and gas business we say we share but do we share enough like are there webinars that can be opened up where we share we can open up
to more people are all the small contractors to contractors actually participating because they're the ones out there even their managers as well so that's
that's what i i had i thought about over lunch brilliant thanks elizabeth and feel free to keep adding words to slido adding any questions
and we are now going to move on to the next talk if you've been wondering what the secret of safety is you're going to get the answer now so it's strengthening the
resilience potentials i said to you that i was super excited about the speakers so erik hollnagel is somebody whose writing has influenced my thinking greatly
and when i heard he was speaking here i was a little bit like a fan you know it's like i've done that with a couple of of great safety thinkers or great thinkers i'm a little bit like in awe of him
um and his intellect and he's made a definite personal contribution to my own development so for those of you that don't know um you know erik has written numerous books
i asked him how many who said 26 and i nearly fell on the floor but he he's a you know renowned author he's a professor emeritus um from three different universities he's recognized
as a global thinker in resilience so without any further ado i'll hand you over to erik we want to give him a hand we can welcome him
thank you i'm on yes thank you for the introduction thank you for inviting me to come here and then as others have said it's it's great actually to be in a room with people
again and not just looking at the screen um as sort of a a precaution i should say i'm i'm not going to talk about accidents
i don't think it's particularly interesting to talk about accidents and i don't think you learn very much from accidents so i'm going to talk about something well i need to have an interesting title so
that's what i thought of this secret of safety systemic potential management but it's still about safety and my and of course the question is why
are we so concerned about safety and i think it's because it's something that that's in us as as human beings if you that's why i have this this drawing up there are people
in stone age finding mammals i mean they were they felt unsafe and they didn't want to be harmed if you if you take the uh the triangle there this is a famous
pyramid of needs by great psychologist abraham maslow and it's noticeable that the the bottom of physiological needs but the second level are safety needs
so it's really really fundamental in us we need to be safe and that's why we are so concerned about it and talk so much about it and write so much
about it and when you think about safety uh if you ask people i say what what i mean i'm a psychologist if
if that was mentioned but if you ask people about what's the first thing that comes into your mind when you hear the word safety and i would bet that for most people it's something that has gone wrong they
think of an accident they think of an incident they think of the case of a situation so we associate safety with things that actually aren't safe which is a bit paradoxical and we have
this famous curve that's why we have this household zero we want to get down to zero accidents and and there are many definitions of safety but a typical the
generic one is the system is safe if as little as possible goes wrong and that's what we try to bring about and i have no disagreement with that i
think it's it's it's wonderful if as little as possible goes wrong the question is what's the best way to achieve that well the way we normally do it is that
when something happens then we first of all we go into a state of panic uh and then we say ah we need to find out why did it happen
first of all what happened sometimes that's not always quite clear but second second step is why did it happen and we look for explanations and we have these various
methods and models that we apply to understand why things happen and when we look for causes we look for root causes and traditionally we have
historically we first had the uh the technological cause actually before that uh the cause was god or forces of
nature uh but about the about the renaissance we started to realize that that wasn't sufficient one one reason for that is it's very difficult to do about do
something about the cause if the cause is god so then we switch to technological failures that's easier because you can do something about it if you have a technological failure and then
in 1979 we got into human error and in 1986 we got into with the challenger and chernobyl we got into organizational culture so we have
sort of these three stable explanations that we use and we have these models i'm sure you know know them or recognize them of how to explain how things go wrong so that's that's how we do and when something goes
wrong we get the the top is simply taken from a press release it says this was a tragic accident that should never have happened the airline said have you heard that
before we assume full responsibility for this tragedy and express our deepest condolences to the family and are committed to supporting them
we are thoroughly investigating what occurred to prevent this from ever happening again i think you've heard these lines before what happened was
a passenger had brought aboard a dog a dog and and the the cabin crew said no no madam you can't have it here you have to put
it in the overhead luggage against the rules by the way which she did and when they landed the dog had suffocated hence these headlines but what do you think when
i'm i'm i'm i'm not saying it's true it's a trivial trivial event and it's very sad for the dogs for the dog and for the for the lady who owned the dog but but i think
there's a lack of proportion in in the response there and it seems to me to be a standard response from that airline whenever something happens you come out you roll out this yes it's tragic we'll
do everything we can to find out what happens to make sure it doesn't happen again that's a mantra that we all live by so
of course we should try to become better at what we do and learn and therefore it's important to see what what do we actually do
when we try to learn things and and what happens is when something has happened we look at it we look back into janus head here we look back and
look at what happened and we look at what people did and we pay attention to accidents and incidents and failures and mistakes
and we say well why did why did this happen what was missing uh was it situation awareness was it safety culture
was it design features was it resilience whatever because it's so nice if you can point to something and say well this was missing
then the solution is very simple provide whatever was missing that's why safety culture is so popular you say oh it's a lack of safety culture or it's a lack of communication well then we just provide
what was missing and the problem has been solved perhaps and and when we look ahead we should say we look ahead and say what should we do the next time this happens because
things always happen again and how can we avoid the same failures and mistakes if there were failures and mistakes how can we provide what was missing if
something was missing and that's how we think about it and this is very has been very effective up to a certain limit
about 20 years ago it's very simple it's a simple way of thinking about things that's why we like to do it because we have simple minds myself included by
perhaps the best example of a simple mind we have simple minds and we like simple ways of thinking and simple ways of explaining and understanding
and it's also easier to explain so so we so we all agree when we're here today why why would you otherwise be at a zero accident edition
conference we all agree that the focus should be on accidents we should try to understand accidents uh we should try to find out why they
happen and we should try to make sure that they don't happen and again i'm in complete agreement with that i i as like anybody else i don't want any
want accidents to happen i want to be free from accidents but i think there's another way to do it than the way we normally do
so the way we manage safety is normally this you can illustrate the situation that we want by the beaker there on the right hand side
and the beaker contains what goes wrong yeah hence hence red we had an interesting discussion last night about the meaning of red and green but in this
case red means bad it's like blood and we want nothing like that so the goal is to empty the beaker there's nothing in it
zero accidents and and the way to do that is to say whenever something happens we try to analyze that and we try to understand that because then
we think we can fix it we can prevent it from happening again and then we are safe so that's the ways to safety reduce things that go wrong this is this is the
way we have been doing it for a couple of hundred years and and it works generally well uh today it works less well than it did
before but it really works so so that's sort of the mantra and and the important thing is we rarely stop to think about that we just do it
because we are required to do it by laws by authorities by policies by company company mission statements by ethics or
whatever but if you look at it then you can look at this and say what are we actually doing well we are looking at snapshots
of how the system worked snapshots when it failed so if you take this diagram and you have the line here that's called the limit of unacceptable performance what we're
looking at are events that are below the limit of unacceptable performance completely unacceptable events
but we also know they're random they're not systematic and they're rare they're very infrequent we look at them
we study them we analyze them we try to explain them we try to find the causes but above the line
of unacceptable performance that's where we have acceptable performance and as you can see i've indicated
drawn a lot of green wavy lines there to indicate that what happens there are there are many things that happen they're all variable to some extent
nothing is is like clockwork like machine like it's all variable adjustable and we we sort of find ways of doing things but
when that works then we're safe because we're above the line and the the question is could we look at that instead of only looking at what's below the line
why don't we look at it when things go well and try to understand how they go well instead of looking at when looking at things look at things when they fail
and try to understand how they fail and a young colleague of mine had this brilliant analogy she said is it possible to understand
what a happy marriage is by analyzing by analyzing and learning from divorces alone if you ask that question i think the answer is fairly straightforward no it's
not possible if you want a happy marriage and who doesn't you shouldn't look at what other people did wrong but you look at what other people do
right what what makes a good marriage but you can take the same argument again and you can just change the word slightly and say is it possible
to understand what safety is by analyzing and learning from accidents and incidents alone and by analogy the answer is no that's
not possible of course it's not possible so we need to look at something else and and i'm sort of supported in this of course because
great minds i just have two of them here have said the same and mind you many years ago but nobody paid attention to it at the time james reason the father of the swiss cheese
model which all know said in 21 years ago safety is defined and measured more by its absence
than by its presence because when there's an accident we we say there's a lack of safety safety was missing
but actually shouldn't we define something by when it's there instead of by when it's not there because weick said even earlier
1987 said reliability or you could say safety is a dynamic non-event it's an ongoing condition in which problems are momentarily under
control due to compensating changes and i think these words are very important they are momentarily under control because we compensate all the time into what happens to make sure that we stay
safe that we stay above the line of unacceptable performance and weick also said that
reliability safety is invisible particularly in the second meeting there he said safety is invisible
because reliable outcomes are constant which means there's nothing to pay attention to that's part of our our biology so to speak things that are constant
we notice them when they're new but after a while we stop paying attention to them like the the hum of the air conditioning in here like when you know those if you if you come to a different
town and check in in the hotel you hear sounds uh and the first night is very annoying i mean i like in the good old days when they travel they went to australia i always like to get with a
would go to have a hotel by the beach and facing the beach and and the first night i said oh all these waves like why do they keep breaking us or but the second night in the third night well
it's not like the waves disappeared they were still there but i got used to it so things that are constant we get used to and things that go well happen all the time so we get used to them
which means we don't pay attention to them we don't notice it any longer but accidents we notice because they're unusual so you can look at it in this way and say
well what do we do you take this pie chart and you say and here we have red and green again most of the pie is green it's good and then we have one event
one out of 10 100 000 whatever you like which is red and what do we do in when we deal with safety
we look at the event that went wrong we look at it it's easy to see it it attracts attention
it's it's difficult not to notice it uh it it's very infrequent we know that we say that it has simple causes that's
why we try to find the root cause in fact it doesn't have simple causes and i think that the examples we have heard today so far grenfell
challenger formula one shows that there's always a long history going back it's never simple it's a very
complicated set of of interlacing causes that interact and and set up these conditions where something eventually will go wrong so
in fact well i think we've learned that that explanations are never simple and we have this find and fix attitude but what we do is we learn what does not work
but if you look at the pie most of it is green most of it works but we don't learn from it we don't pay attention to it one reason
is it's difficult to see because it happens all the time nobody pays any attention to things that just go well because well they're supposed to go well aren't they that's what should
happen so why worry about it it's like we say if something happens that shouldn't happen then we say oh that's contrary to my expectations
that means i must have misunderstood something i therefore have to look at it if something happens that should happen then we reason well that's what should
have happened and that proves that my understanding is correct unfortunately that's a logically false conclusion we can't conclude in that way but that's what we do
so when you look at it when you look around and look at what what the because i called it the non-events if you look at your everyday life
it's full of non-events in fact it's it's nothing but non-events it's nothing but things work as they should and things are as
they should on the building site in the when you walk in the crowd of people when you go to a pharmacy when you go to a supermarket when you go to a supermarket and you want to pick something off the
shelf and if you're there you just pick it off the shelf and you go on and continue if it's not there you stop and say well that's strange why isn't it there today what's wrong with them what's wrong with their logistics system
or why haven't they planned for that and so on but you never stop to think about it's a small miracle that stuff is there on the shelf when it should be there
well if you work with the logistics you know it's a small it's a big miracle actually and it's a very intricate set of processes and functions that lie behind that but usually we just take it
for granted and we get used to it so we only notice when it doesn't work so that leads to another way of looking at safety
and if you use a beaker analogy again then we say well actually now we we fill it up with things that go well the green
and the purpose of safety is to make sure as much as possible goes well not to prevent things from going wrong but to ensure
that they go well so it's the opposite way of thinking the result is the same in fact as a result if because if this is full then you have zero accidents
but not because you have studied the accidents but because you've studied things that go well and worked to make sure that things go well
so it's it's the the the end result is the same but the way you get there is completely different because the logic is of course that in in the in our macroscopic world and i
know in the quantum world is different but in our macroscopic world something cannot go well and fail at the same time so if you can make sure it goes well
then it means that it doesn't fail i i didn't say that before but you can see on on the left hand side i have i call it safety two and the previous one i called safety one
because that that's what happened when resilience engineering came into being about about 20 years or so ago 15 20 years ago
and and people started to realize that there was another way of looking at safety and to talk about it you need to have a label you need to
have a name and then after a while we came up with not very brilliant i realized that what we call it safety one and safety two
mind you we were clever enough we thought to to use roman one and roman two not to lead people into thinking oh it's one two and you can have one point five
and one point six and two point two and and so on you say no no no these are categories so it's safety one and safety two in in retrospect even
that was a mistake but there you have it so how do you manage that because that's a question if you accept that well it would be good wouldn't it
to make sure that things go well i mean that's what you're in the business for aren't you that's what business is that things go well that's when you make the money that's when you are happy customers so
what what should we do to make sure that things go we should still ask when you have accidents of course why did this happen and try to understand that but it's not sufficient
we also need to say well how do things go well do we really understand how they go well what can we do to make sure that they go well in the future so if you go back to this
this drawing here you can say i've colored the the gray lines green now i said well because you if you are above the limit of unacceptable performance then you are safe
so what happens up there how can we study that how can we work on that how can we use that how can we facilitate that how can
we manage that how can we strengthen that and and the honest question is do we understand why work goes well and if you're really honest
i think you'd have to say in most cases no we actually don't but it goes well and we all know that but we're not really sure why
when we look at it and this is what resilience engineering has been doing then for for the last 15 years or so i say what but what what happens when things go well why is it
that we that work goes well and that we have the outcomes that we would like to have and that we need then we find that well it's uh
we can actually try to explain it in a relatively simple manner and you always have to simplify things of course both for for ourselves and for others also to
make it manageable you have to simplify it so we simplify it and say well there are four things you have to be able to do and we we talk about them we call them
potentials you have to be able to respond in a flexible way and something happens we have to be able to respond and we heard lots of examples about that today
both good examples from from formula one and and bad examples from other cases where of the inability to respond and we know it's fatal if you cannot respond
so you have to be able to respond you have to have the potential to respond you your organization your company
you have to be able to monitor to keep track of what's going on you have to know what's happening you have to be able to learn
not only from what doesn't work but to learn from what works because how can you become better if you don't know what you do well
and you have to be able to anticipate to look ahead to look further beyond the situation look into the future and say
what could possibly happen how can we possibly prepare for that and i think the pandemic is a wonderful that's probably the only wonderful thing about it it's a
wonderful illustration of the need to anticipate and that's what everybody is doing now like crazy and say well what's going to happen are we going
when winter sits in here are we going to get the third wave well i can't keep track of how many waves we have third wave a fourth wave here in denmark and other countries what's going
to happen next year will be a new variant of the virus and how can we prepare for that and and and how can we see early signs of that
so the the ability to anticipate is really really crucial but but resilience engineering has sort of taken this and say well these are this is a
a simplified way of looking at things but it makes a lot of sense a lot of practical sense also another thing that that's come up in
discussions also is that we we need signals and uh recently there's been a lot of discussion about so-called strong signals and weak signals
because people have realized that weak signals are really important strong signals are i mean in classical signal detection theory are signals that are above the the detection threshold and
you notice them like accidents are a strong signal you you notice them they they're easy to see but they're like snapshots
but there are also weak signals that is things that you don't notice and and when you think about them they can be weak for two reasons one is that they are actually
weak in the sense that the energy in the signal is so low that it is not detectable by the sensors or the measurement systems whatever you have
another example is it's weak because they're stretched over time they happen so slowly that we don't notice them and i've just as a simple
example uh when you take a picture of a plant that's a snapshot that's here now but you know all these these uh these films you have of of plants that grow over a
day a week a month or longer time if you take these these these pictures every now and then and put them together in the film you can see the change over time but you
can't see it in real time because that time of development of that doesn't match with the way our brains our perceptual apparatus work but much of what we talk
about in organizations safety among other things develops so slowly that we don't notice a change and therefore it's a weak signal
and we need to we need to pay attention to the weak signals we need to be able to see the weak signals because they're critical to what we do so how do we do that
well as i said we have these ideas of what they call the four potentials to respond to monitor to learn and to anticipate and and this
boils down to a definition of what resilient performance is when we started we talked about resilience but we don't talk about
i don't talk about resilience now as a noun then i talk about resilient performance resilient as an adverb and the system is resilient
if it's able to function as required under expected and unexpected conditions alike and the unexpected conditions are not only dangers and risks as harm they're
also opportunities and you know that the business has to be able to make use of opportunities that pop up and be able to anticipate opportunities otherwise he's not going to to do long well in the long
run so so that's the the gist of it in in resilience engineering we need to look at these four potentials and the reason and we need to look at them at all
levels of an organization and and conventionally we split between the micro level the meso level and the macro level but this is this is sort of arbitrary because of
course not there aren't three clear levels but clearly there are different levels of different different strata of organizations but the nice thing about
thinking about the four potentials to respond to monitor to learn and to anticipate is that they apply at all levels of an organization on the board
level on the management level on the operational level on the department level there they are they are scale invariant which is a very nice feature of the
free why do we need them sort of three therefore what i've been talking about why do we need them well it's i think i've tried to argue that already but it's fairly
easy to to argue them well you of course you need to respond and i think we've heard again today examples of systems organizations that were unable
to respond appropriately and then it fails then you go out of business or you die in the worst case a business death or a personal death
whatever is it's equally tragic so of course you need to be able to respond that's easy to understand and every organization can respond to some things not to everything you need to be able to
monitor and the reason for that is very simple because if you don't monitor and know what's going on then everything that happens will be a surprise
and if you can just think about your daily work life if everything that happened from the moment you stood up in the morning or came to work in the morning was a surprise you wouldn't be very effective and you
wouldn't really be able to respond you're only able to respond if we are we are not surprised all the time that we are able to prepare and look ahead again learning
again you have to learn and because if you don't learn then you always respond in the same way and you always look at the same things to monitor
and and unless the world around us is perfectly stable and static which it isn't then that doesn't work that's why we have to learn and we have
to learn from what we do well but also what we what we don't do well and again we have to anticipate we have to understand that the future is not a repetition of the past we actually don't
know what happens in in the future uh so we have to be prepared for that when it is essential to to anticipate at least so we sort of have an open mind
and and can consider things that might happen and what possibly what should we do possibly to prepare ourselves for that so
the next question is if you want to use this how can we use it and the answer is you can use it by assessing it by asking questions how well are we able
to exact but you can't ask questions like how well are we able to respond how well are we able to monitor and so on because that's too high level it doesn't make sense
but you can easily break it down into more detailed questions take learning you can say well what do we base our learning on in our
organization is our learning event driven so when something goes wrong is it continuous
uh how long time does it take how do we verify that something has been learned how do we maintain that something has been learned so you can easily break it down into
detail specific very operational questions in for a specific organization they'll be different for the for different organizations it's not a standard questionnaire but you can do that you
can ask the questions and you can get the answers and therefore you can assess how well is my organization doing with regard to
these potentials and the the the detailed facets of the potentials at any point in time which means you can follow what's happening you can keep track of how it's developing and that's the
essence of controlling something or managing it you need to know your position you need to know where you are at the moment because if you don't know where you are
well then you're lost you need to know where you are you need to know where you want to be and you need to know how to get from where you are to where you want to be that's what you all did successfully
when you came here this morning i hope you knew where you were when you woke up you knew when you were going to be here and you knew how to get here i walked from the hotel it was very simple
so what we have developed is is a system which we call this the systemic potentials which are a set of of questions that the questions are seed questions they're not the questions to
be asked but they're seed questions that you can use to develop specific questions for your organization
and add questions to or or remove questions from that's okay you end up with a set of questions which are specific for your organization which are diagnostic for the organization and
which are formative in the sense that the answers uh can be used almost immediately as a basis for deciding what to do
how to how to react how to intervene how to improve how to sustain so we can do that uh it's fairly easily done and a nice feature of that and this is
i mean there are other ways of doing it but but you can if you take the this is for the uh for the potential to respond and if you
look at the questions you can say well there are questions with in this case with regard to the threshold the relevance the background the number of events you can respond to the stop
rule that's very important when you respond is not just how quickly can you start but also do you know when to stop because you don't want to stop too early and you don't want to continue beyond
the point where you should have stopped because that's a waste of resources the capacity and so on so it's just an example but but if you ask questions about each of these specific questions
you can get answers you can quite easily score the answers and if you do it again four months later then you actually get two profiles like this and these profiles will tell you
what has happened in the organization in between it'll tell you where you're what what's your position right now but it will also tell you the history and the development of what has happened
so it's it's a very useful way of thinking about how how it's a tool for managing the organization because it gives you a position and it helps you to think about what should we do
to improve that something that of course is terribly important here is to realize that these different facets as they call them are not independent of each other
neither are the four potentials respond monitor learn anticipate are not independent of each other and the detailed facets you have to ask are not independent of each other you
cannot just go in and say oh the event list is a problem here let's solve that because it has consequences for other things as well you need to understand how how things are tied
together so coming back to this figure again we can say well what should we do and you notice i'm trying to emphasize
and you say in the classical way of of working in it we focus on what goes wrong and what we're trying to do is we manage
offshore safety and that's why we talk about safety i've heard the word safety i don't know how many times today so what we do is we manage safety but i
ask you what is safety have you ever seen safety what color is safety how big is it how heavy is it but we still lightly talk about we have safety management systems
which are very often defined as systems to manage safety which is sort of a definition that doesn't make sense because it doesn't tell you what safety is but that's how we talk about managing of
offshore safety but the consequence of the Safety-II perspective or resilience perspective is to say no no no no we should say talk about managing offshore
safely it's not offshore safety we manage but it's offshore as an operation that we manage as a business that we manage and we should manage that business
safely there is no safety to manage but there's a way of managing something safely so that
traditionally you say as few accidents as possible i would say so as many things as possible goes well so that's the upshot of it focus on what
goes well and think about managing something safely and penultimate one i've got one minute and 50 seconds left wow
because we tend to talk about safety management and depending on which which kind of business you're in where you may have quality management or production management or customer
management or reliability management or asset management whatever you have i mean in every any organization there'll be a number of different managements and with different
management heads and and divisions and they have different methods and different approaches but really if you think of it you're not talking about safety management
but you're talking about managing work so that as much as possible go well you're talking about not talking about quality it's not quality or managing but you're
trying to manage what happens so the quality is as high as possible you're trying to manage it so that the product so you produce as much as possible
and when you say that then you can say well actually are we managing if you take this example are we managing five different processes
do we have five different companies or don't we actually just have one company that we have to look at from all these sides at the same time and i think the answer is
that's what we have to do we have to look at it it's the same system it's not five different systems that's what we have to manage so
if you're interested there just by coincidence has been released a white paper from Eurocontrol it's an air traffic control organization in europe called
the systemic potentials management building a basis for resilient performance i think you can download it and that will tell you in much more detail what i've tried to outline here so
thank you very much for your attention [Applause]