Systems thinking, the Swiss Cheese Model and accident analysis: A comparative systemic analysis of the Grayrigg train derailment using the ATSB, AcciMap and STAMP models
Introduction
The systems thinking approach to understanding socio-technical system accidents is arguably the dominant paradigm within accident analysis research (e.g. Salmon et al., 2012, Stanton et al., 2012). It views accidents as the result of unexpected, uncontrolled relationships between a system's constituent parts with the requirement that systems are analysed as whole entities, rather than considering their parts in isolation (Underwood and Waterson, 2013).
Traditional cause–effect accident models suggest that complex systems accidents are caused by events such as catastrophic equipment failure or an unsafe human action. However, as system complexity has increased over time, many accidents (e.g. space shuttle Columbia; Comair flight 5191) have not simply resulted from such trigger events. Instead these accidents emerge as complex phenomena within the normal operational variability of a system (de Carvalho, 2011). Describing accidents in a sequential (cause–effect) fashion is, therefore, arguably inadequate. It can also lead to equipment or humans at the ‘sharp end’ of a system being incorrectly blamed for an accident. This represents a missed opportunity to learn important lessons about system safety and how to prevent accident recurrence.
The use of the systems thinking approach, via systemic accident analysis (SAA), attempts to avoid these limitations and it has been used as the conceptual foundation for various SAA methods and models, such as: AcciMap (Rasmussen, 1997); Functional Resonance Analysis Method (FRAM) (Hollnagel, 2004); Systems Theoretic Accident Modelling and Processes model (STAMP) (Leveson, 2004); systems dynamics simulation (e.g. Cooke, 2003); causal loop diagrams (e.g. Goh et al., 2010, Goh et al., 2012). A number of studies have compared SAA methods with established non-systemic analysis techniques, such as the Sequentially Timed Events Plotting method (e.g. Herrera and Woltjer, 2010) and Fault Tree Analysis (e.g. Belmonte et al., 2011). These studies and others like them (e.g. Ferjencik, 2011) suggest that the SAA techniques do indeed provide a deeper understanding of how dynamic, complex system behaviour contributes to accidents.
The academic debate on accident models is, however, a lengthy one with new models often criticising or even disqualifying older ones (Ghirxi, 2010, Jacobsson et al., 2009). A notable case in point can be found when considering the Swiss Cheese Model (SCM) (Reason, 1990, Reason, 1997).
Undoubtedly the most popular accident causation model, the SCM has been widely adopted in various industries (e.g. aviation and healthcare) (Salmon et al., 2012). Classified by some (e.g. Hollnagel, 2004) as an ‘epidemiological’ model, the SCM suggests that longstanding organisational deficiencies can create the necessary conditions for a frontline ‘active failure’ to trigger an accident. The presence of these conditions and events in the system represents the inadequacy/absence of defensive barriers (e.g. physical protection, training and procedures) designed to prevent accidents. The defences within a system and their associated inadequacies are graphically represented by layers of and holes in Swiss cheese (see Fig. 1). When the ‘holes’ in a system's defences align, an accident trajectory can pass through the defensive layers and result in a hazard causing harm to people, assets and the environment, as depicted in Fig. 1 (Reason, 2008, p.101).
The SCM has drawn criticism from a number of researchers (e.g. Dekker, 2006, p.89; Hollnagel, 2012, p.14; Leveson, 2012, p.19) who describe it as a sequential technique which oversimplifies accident causation by not considering the complex interaction of system components. In addition, some authors (e.g. Dekker, 2006, p.89; Hickey, 2012, p.19) suggest that the sequential nature of accident causation is portrayed in the signature image of the SCM (see Fig. 1). The implication is that the SCM no longer provides an appropriate description of accident causation.
Other criticisms of the SCM focus on its application. For example, some researchers comment on the model's lack of specificity about a number of its features, e.g. how the holes in the layers of cheese line up and how this affects its ease of use (e.g. Le Coze, 2013, Wiegmann and Shappell, 2003). Furthermore, Shorrock et al. (2004) suggest that an overly prescriptive application of the SCM can lead to accidents being entirely (and incorrectly) attributed to senior management, i.e. overlooking the contribution of individuals at the frontline.
The perceived drawbacks of the SCM (see Section 1.1) only represent one side of the academic debate, however. In contrast to the idea that the SCM is a sequential model, Reason et al. (2006, p.9) state that it describes accident causation as the ‘unlikely and often unforeseeable conjunction of several contributing factors arising from different levels of the system’. In other words, events and/or conditions happen together to produce an accident. As per SAA, the SCM provides a holistic multi-level analysis approach and later versions of the model also take account of the fact that ‘active failures’ are not required for an accident to occur (see Reason, 1997, p.17). Furthermore, the connection made by the SCM between normative serialisation (i.e. cause–effect) and the temporal orderliness of events that occurred is entirely unintended (Reason et al., 2006, p.16).
The SCM is underspecified but Reason et al. (2006, p.21) state that it was never intended to be used as a detailed accident analysis model and that criticising it for a lack of specificity seems unjustified. Regardless, this issue has been resolved by the various methods which have been developed to operationalise its concepts, such as HFACS (Wiegmann and Shappell, 2003) and Tripod-Delta (Hudson et al., 1994). Additionally, a number of organisations (e.g. the Australian Transport Safety Bureau (ATSB) and EUROCONTROL) have purposely neutralised the language used in their SCM-based models to avoid attributing blame, an important aspect of SAA.
Whilst the development of accident models has been required to explain the increasing complexity of socio-technical systems, the introduction of a new model does not necessarily mean that existing ones become obsolete (Hollnagel and Speziali, 2008, p.37; Reason et al., 2006, p.21). Indeed, the SCM (and methods based on it) is still used by researchers to perform accident analysis (e.g. Szeremeta et al., 2013, Xue et al., 2013) with some suggesting that it offers a systemic view of accidents (e.g. Salmon et al., 2012, Stanton et al., 2012). However, if the critiques of the SCM are justified then the continued use of this (arguably out-dated) model means accident investigations may not achieve the necessary understanding of major accidents to prevent recurrence. Given that the SCM is in widespread use throughout various industries and SAA methods are yet to be widely adopted by practitioners (see Underwood and Waterson, 2013), the outcome of this debate has clear ramifications with regards to improving safety. Therefore, it is important to understand whether or not the SCM can provide a systems thinking approach and remain a viable option for accident analysis.
The aim of this paper is to consider whether the SCM can provide a systems thinking approach to accident analysis. In order to achieve this aim, the paper has three main objectives:
1. Analyse a major accident (the train derailment at Grayrigg) using three techniques: an SCM-based model developed and used by practitioners (the ATSB investigation analysis model) and two SAA methods predominantly used by the research community (AcciMap and STAMP).
2. Compare the outputs and application processes of the models, via an evaluation framework, in order to examine their theoretical and usage characteristics.
3. Reflect on the similarities and differences between the models and the implications for applying the systems thinking approach in theory and practice.
The intention is to examine this issue within an applied context, rather than a purely conceptual one. By giving a practical example of how the SCM compares to SAA techniques, it is hoped that the paper will be able to demonstrate whether the SCM does apply the systems thinking approach or not. An overview of the three analysis tools, a description of the Grayrigg accident, details of the analysis processes and the model evaluation criteria used in the study are provided in Sections 2 (The analysis methods), 3 (The Grayrigg accident), 4.1 (Accident analysis process) and 4.2 (Analysis model evaluation), respectively.
Section snippets
ATSB investigation analysis model
The ATSB investigation analysis model (referred to hereafter as the ‘ATSB model’) is a modified version of the SCM. As per the SCM, the ATSB model provides a general framework that can be used to guide data collection and analysis activities during an investigation (ATSB, 2008, p.36). However, various alterations to the original SCM were made by the ATSB to improve its usability and the identification of potential safety issues. Such changes include an enhanced ability to combine technical
Case study selection
The train derailment at Grayrigg was selected as the analysis case study for various reasons. Firstly, the event represented a major accident on the UK rail network; a complex system with many stakeholders, including infrastructure controllers, train and freight operating companies and maintenance contractor organisations. Therefore, it was appropriate to utilise systems thinking concepts to analyse the event. Furthermore, the rail industry in the UK is currently expanding and creating an
Accident analysis process
The ATSB model and STAMP analyses of the Grayrigg derailment were performed by the first researcher (Underwood), as per the processes described in Sections 4.1.1 (ATSB model analysis process) and 4.1.3 (STAMP analysis process). The AcciMap analysis of the accident was performed by the second researcher (Waterson) in accordance with the process described in Section 4.1.2. Both individuals (human factors researchers) have experience of applying accident analysis methods in various domains (e.g. rail,
ATSB model analysis output
The analysis chart produced by the ATSB model analysis is presented in Fig. 10.
The derailment of the wheels of the leading vehicle was the single occurrence event attributed to the accident. However, various technical issues were included in the analysis chart to represent the gradual deterioration and failure of the points which led to the derailment. These technical problems were also incorporated to more clearly describe the multiple interactions between them and the individual actions and
Systems thinking approach
The ATSB model, AcciMap and STAMP all provide a systems thinking approach, i.e. they require the analysis of a system's structure, the relationship of its components and its behaviour. However, there is a considerable difference between how the models achieve this.
A number of the systems theory concepts are only implicitly and/or partially contained within the ATSB model. This is particularly true with respect to the description of the system structure and its boundary, the impact of
Conclusions
The systems thinking approach is arguably the dominant concept within accident analysis research. Its application, via systemic accident analysis (SAA), supposedly provides an improved description of accident causation, avoids the incorrect apportioning of blame and helps inform more effective safety recommendations. Debate exists within the research literature over whether the popular and widely adopted Swiss Cheese Model (SCM) provides an out-dated view of accident causation or remains a
References (58)
- et al. Interdisciplinary safety analysis of complex socio-technological systems based on the functional resonance accident model: an application to railway traffic supervision. Reliability Engineering & System Safety (2011)
- Rating accident models and investigation methodologies. Journal of Safety Research (1985)
- The use of functional resonance analysis method (FRAM) in a mid-air collision to understand some characteristics of the air traffic management system resilience. Reliability Engineering & System Safety (2011)
- An integrated approach to the analysis of incident causes. Safety Science (2011)
- et al. Applying systems thinking concepts in the analysis of major incidents and safety culture. Safety Science (2010)
- et al. Comparing a multi-linear (STEP) and systemic (FRAM) method for accident analysis. Reliability Engineering & System Safety (2010)
- et al. A sequential method to identify underlying causes from industrial accidents reported to the MARS database. Journal of Loss Prevention in the Process Industries (2009)
- et al. Introducing the STAMP method in road tunnel safety assessment. Safety Science (2012)
- What have we learned about learning from accidents? Post-disasters reflections. Safety Science (2013)
- Occupational accident research and systems approach. Journal of Occupational Accidents (1984)