Systems thinking, the Swiss Cheese Model and accident analysis: A comparative systemic analysis of the Grayrigg train derailment using the ATSB, AcciMap and STAMP models

https://doi.org/10.1016/j.aap.2013.07.027

Highlights

  • A debate exists over the validity of the Swiss Cheese Model (SCM).

  • The efficiency-thoroughness trade-off may make STAMP more suitable for use in research.

  • This study suggests that the SCM still offers a systems thinking approach.

Abstract

The Swiss Cheese Model (SCM) is the most popular accident causation model and is widely used throughout various industries. A debate exists in the research literature over whether the SCM remains a viable tool for accident analysis. Critics of the model suggest that it provides a sequential, oversimplified view of accidents. Conversely, proponents suggest that it embodies the concepts of systems theory, as per the contemporary systemic analysis techniques. The aim of this paper was to consider whether the SCM can provide a systems thinking approach and remain a viable option for accident analysis. To achieve this, the train derailment at Grayrigg was analysed with an SCM-based model (the ATSB accident investigation model) and two systemic accident analysis methods (AcciMap and STAMP). The analysis outputs and usage of the techniques were compared. The findings of the study showed that each model applied the systems thinking approach. However, the ATSB model and AcciMap graphically presented their findings in a more succinct manner, whereas STAMP more clearly embodied the concepts of systems theory. The study suggests that, whilst the selection of an analysis method is subject to trade-offs that practitioners and researchers must make, the SCM remains a viable model for accident analysis.

Introduction

The systems thinking approach to understanding socio-technical system accidents is arguably the dominant paradigm within accident analysis research (e.g. Salmon et al., 2012, Stanton et al., 2012). It views accidents as the result of unexpected, uncontrolled relationships between a system's constituent parts with the requirement that systems are analysed as whole entities, rather than considering their parts in isolation (Underwood and Waterson, 2013).

Traditional cause–effect accident models suggest that complex systems accidents are caused by events such as catastrophic equipment failure or an unsafe human action. However, as system complexity has increased over time, many accidents (e.g. space shuttle Columbia; Comair flight 5191) have not simply resulted from such trigger events. Instead these accidents emerge as complex phenomena within the normal operational variability of a system (de Carvalho, 2011). Describing accidents in a sequential (cause–effect) fashion is, therefore, arguably inadequate. It can also lead to equipment or humans at the ‘sharp end’ of a system being incorrectly blamed for an accident. This represents a missed opportunity to learn important lessons about system safety and how to prevent accident recurrence.

The use of the systems thinking approach, via systemic accident analysis (SAA), attempts to avoid these limitations and it has been used as the conceptual foundation for various SAA methods and models, such as: AcciMap (Rasmussen, 1997); Functional Resonance Analysis Method (FRAM) (Hollnagel, 2004); Systems Theoretic Accident Modelling and Processes model (STAMP) (Leveson, 2004); systems dynamics simulation (e.g. Cooke, 2003); causal loop diagrams (e.g. Goh et al., 2010, Goh et al., 2012). A number of studies have compared SAA methods with established non-systemic analysis techniques, such as the Sequentially Timed Events Plotting method (e.g. Herrera and Woltjer, 2010) and Fault Tree Analysis (e.g. Belmonte et al., 2011). These studies and others like them (e.g. Ferjencik, 2011) suggest that the SAA techniques do indeed provide a deeper understanding of how dynamic, complex system behaviour contributes to accidents.

The academic debate on accident models is, however, a lengthy one with new models often criticising or even disqualifying older ones (Ghirxi, 2010, Jacobsson et al., 2009). A notable case in point can be found when considering the Swiss Cheese Model (SCM) (Reason, 1990, Reason, 1997).

Undoubtedly the most popular accident causation model, the SCM has been widely adopted in various industries (e.g. aviation and healthcare) (Salmon et al., 2012). Classified by some (e.g. Hollnagel, 2004) as an ‘epidemiological’ model, the SCM suggests that longstanding organisational deficiencies can create the necessary conditions for a frontline ‘active failure’ to trigger an accident. The presence of these conditions and events in the system represents the inadequacy/absence of defensive barriers (e.g. physical protection, training and procedures) designed to prevent accidents. The defences within a system and their associated inadequacies are graphically represented by layers of, and holes in, Swiss cheese (see Fig. 1). When the ‘holes’ in a system's defences align, an accident trajectory can pass through the defensive layers and result in a hazard causing harm to people, assets and the environment, as depicted in Fig. 1 (Reason, 2008, p.101).

The SCM has drawn criticism from a number of researchers (e.g. Dekker, 2006, p.89; Hollnagel, 2012, p.14; Leveson, 2012, p.19) who describe it as a sequential technique which oversimplifies accident causation by not considering the complex interaction of system components. In addition, some authors (e.g. Dekker, 2006, p.89; Hickey, 2012, p.19) suggest that the sequential nature of accident causation is portrayed in the signature image of the SCM (see Fig. 1). The implication is that the SCM no longer provides an appropriate description of accident causation.

Other criticisms of the SCM focus on its application. For example, some researchers comment on the model's lack of specificity about a number of its features, e.g. how the holes in the layers of cheese line up and how this affects its ease of use (e.g. Le Coze, 2013, Wiegmann and Shappell, 2003). Furthermore, Shorrock et al. (2004) suggest that an overly prescriptive application of the SCM can lead to accidents being entirely (and incorrectly) attributed to senior management, i.e. overlooking the contribution of individuals at the frontline.

The perceived drawbacks of the SCM (see Section 1.1) only represent one side of the academic debate, however. In contrast to the idea that the SCM is a sequential model, Reason et al. (2006, p.9) state that it describes accident causation as the ‘unlikely and often unforeseeable conjunction of several contributing factors arising from different levels of the system’. In other words, events and/or conditions happen together to produce an accident. As per SAA, the SCM provides a holistic multi-level analysis approach and later versions of the model also take account of the fact that ‘active failures’ are not required for an accident to occur (see Reason, 1997, p.17). Furthermore, the connection made by the SCM between normative serialisation (i.e. cause–effect) and the temporal orderliness of events that occurred is entirely unintended (Reason et al., 2006, p.16).

The SCM is underspecified but Reason et al. (2006, p.21) state that it was never intended to be used as a detailed accident analysis model and that criticising it for a lack of specificity seems unjustified. Regardless, this issue has been resolved by the various methods which have been developed to operationalise its concepts, such as HFACS (Wiegmann and Shappell, 2003) and Tripod-Delta (Hudson et al., 1994). Additionally, a number of organisations (e.g. the Australian Transport Safety Bureau (ATSB) and EUROCONTROL) have purposely neutralised the language used in their SCM-based models to avoid attributing blame, an important aspect of SAA.

Whilst the development of accident models has been required to explain the increasing complexity of socio-technical systems, the introduction of a new model does not necessarily mean that existing ones become obsolete (Hollnagel and Speziali, 2008, p.37; Reason et al., 2006, p.21). Indeed, the SCM (and methods based on it) is still used by researchers to perform accident analysis (e.g. Szeremeta et al., 2013, Xue et al., 2013) with some suggesting that it offers a systemic view of accidents (e.g. Salmon et al., 2012, Stanton et al., 2012). However, if the critiques of the SCM are justified then the continued use of this (arguably out-dated) model means accident investigations may not achieve the necessary understanding of major accidents to prevent recurrence. Given that the SCM is in widespread use throughout various industries and SAA methods are yet to be widely adopted by practitioners (see Underwood and Waterson, 2013), the outcome of this debate has clear ramifications with regards to improving safety. Therefore, it is important to understand whether or not the SCM can provide a systems thinking approach and remain a viable option for accident analysis.

The aim of this paper is to consider whether the SCM can provide a systems thinking approach to accident analysis. In order to achieve this aim, the paper has three main objectives:

  1. Analyse a major accident (the train derailment at Grayrigg) using three techniques: an SCM-based model developed and used by practitioners (the ATSB investigation analysis model) and two SAA methods predominantly used by the research community (AcciMap and STAMP).

  2. Compare the outputs and application processes of the models, via an evaluation framework, in order to examine their theoretical and usage characteristics.

  3. Reflect on the similarities and differences between the models and the implications for applying the systems thinking approach in theory and practice.

The intention is to examine this issue within an applied context, rather than a purely conceptual one. By giving a practical example of how the SCM compares to SAA techniques, it is hoped that the paper will be able to demonstrate whether the SCM does apply the systems thinking approach or not. An overview of the three analysis tools, a description of the Grayrigg accident, details of the analysis processes and the model evaluation criteria used in the study are provided in Sections 2 (The analysis methods), 3 (The Grayrigg accident), 4.1 (Accident analysis process) and 4.2 (Analysis model evaluation), respectively.

Section snippets

ATSB investigation analysis model

The ATSB investigation analysis model (referred to hereafter as the ‘ATSB model’) is a modified version of the SCM. As per the SCM, the ATSB model provides a general framework that can be used to guide data collection and analysis activities during an investigation (ATSB, 2008, p.36). However, various alterations to the original SCM were made by the ATSB to improve its usability and the identification of potential safety issues. Such changes include an enhanced ability to combine technical

Case study selection

The train derailment at Grayrigg was selected as the analysis case study for various reasons. Firstly, the event represented a major accident on the UK rail network; a complex system with many stakeholders, including infrastructure controllers, train and freight operating companies and maintenance contractor organisations. Therefore, it was appropriate to utilise systems thinking concepts to analyse the event. Furthermore, the rail industry in the UK is currently expanding and creating an

Accident analysis process

The ATSB model and STAMP analyses of the Grayrigg derailment were performed by the first researcher (Underwood), as per the processes described in Sections 4.1.1 (ATSB model analysis process) and 4.1.3 (STAMP analysis process). The AcciMap analysis of the accident was performed by the second researcher (Waterson) in accordance with the process described in Section 4.1.2. Both individuals (human factors researchers) have experience of applying accident analysis methods in various domains (e.g. rail,

ATSB model analysis output

The analysis chart produced by the ATSB model analysis is presented in Fig. 10.

The derailment of the wheels of the leading vehicle was the single occurrence event attributed to the accident. However, various technical issues were included in the analysis chart to represent the gradual deterioration and failure of the points which led to the derailment. These technical problems were also incorporated to more clearly describe the multiple interactions between them and the individual actions and

Systems thinking approach

The ATSB model, AcciMap and STAMP all provide a systems thinking approach, i.e. they require the analysis of a system's structure, the relationship of its components and its behaviour. However, there is a considerable difference between how the models achieve this.

A number of the systems theory concepts are only implicitly and/or partially contained within the ATSB model. This is particularly true with respect to the description of the system structure and its boundary, the impact of

Conclusions

The systems thinking approach is arguably the dominant concept within accident analysis research. Its application, via systemic accident analysis (SAA), supposedly provides an improved description of accident causation, avoids the incorrect apportioning of blame and helps inform more effective safety recommendations. Debate exists within the research literature over whether the popular and widely adopted Swiss Cheese Model (SCM) provides an out-dated view of accident causation or remains a

References (58)

  • N. Leveson. Applying systems thinking to analyze and learn from events. Safety Science (2011)
  • N. Leveson. A new accident model for engineering safer systems. Safety Science (2004)
  • M. Ouyang et al. STAMP-based analysis on the railway accident and accident spreading: taking the China—Jiaoji railway accident for example. Safety Science (2010)
  • J. Rasmussen. Risk management in a dynamic society: a modelling problem. Safety Science (1997)
  • G.J.M. Read et al. Sounding the warning bells: the need for a systems approach to understanding behaviour at rail level crossings. Applied Ergonomics (2013)
  • P.M. Salmon et al. Systems-based accident analysis methods: a comparison of AcciMap, HFACS, and STAMP. Safety Science (2012)
  • P.M. Salmon et al. The crash at Kerang: investigating systemic and psychological factors leading to unintentional non-compliance at rail level crossings. Accident Analysis & Prevention (2013)
  • S. Sklet. Comparison of some selected methods for accident investigation. Journal of Hazardous Materials (2004)
  • I. Svedung et al. Graphic representation of accident scenarios: mapping system structure and the causation of accidents. Safety Science (2002)
  • M. Szeremeta et al. Fatal drowning as a result of an airplane crash—case report. Forensic Science International (2013)
  • P. Underwood et al. Systemic accident analysis: examining the gap between research and practice. Accident Analysis & Prevention (2013)
  • W.A. Wagenaar et al. The goal, and how to get there. Safety Science (1997)
  • L. Xue et al. A safety barrier-based accident model for offshore drilling blowouts. Journal of Loss Prevention in the Process Industries (2013)
  • Australian Transport Safety Bureau. Analysis, causality and proof in safety investigations. Aviation Research and Analysis Report AR-2007-053 (2008)
  • K. Branford et al. Guidelines for AcciMap analysis
  • D.L. Cooke. A system dynamics analysis of the westray mine disaster. System Dynamics Review (2003)
  • N. Dadashi et al. Practical use of work analysis to support rail electrical control rooms: a case of alarm handling. Journal of Rail and Rapid Transit (2013)
  • S. Dekker. Drift into Failure: From Hunting Broken Components to Understanding Complex Systems (2011)
  • S. Dekker. The Field Guide to Understanding Human Error (2006)