12. Putting it all together
So, in the end, how do you evaluate whether a surprising human behavior that is revealed in a new incident represents a potentially serious threat to safety? I recommend the following steps:
- Build a full event tree, mapping out all the plausible pathways from the initiating event or condition to outcomes. At each step, consider what the person or people involved may do, including what we would hope and expect and what they might do instead based on known human factors considerations. Consider the potential for instinctive reactions, negative transfer from previous experience, common errors, relevant cognitive biases, and so forth. This will help fill out the picture of how the initiating condition or event could potentially evolve into a catastrophic outcome.
- Along each pathway that leads to a potentially catastrophic outcome, identify the barriers that are expected to prevent such an outcome. Consider feedback, procedures, alerting systems, and other protections. Then rate the expected effectiveness of each barrier. In general, barriers that rely completely on human behaviors should be considered weak. Also consider whether the identified barriers are completely independent of each other and can therefore be considered fully redundant, or whether there are dependencies between them that would make them less than fully redundant. I recommend this step instead of a bow tie analysis because putting the barriers right on the event pathways puts them in the appropriate context and allows them to be depicted sequentially if one backs up another. This helps clarify their conditional relationships, where a bow tie analysis may lead one to expect them to be independent.
- Based on a qualitative assessment of the likelihood (not probability) of the human actions that lead to each hazardous pathway and the combined strengths of the barriers between those actions and catastrophic outcomes, decide whether that particular pathway or sequence of events tells a believable story about how a catastrophic outcome could occur. The objective here is to determine whether avoidance of a catastrophic outcome can be reasonably assured. If there are key points of vulnerability or fragility (decision or action points where known human factors influences make an adverse action likely), consider whether additional barriers, such as more salient feedback or new protections, could strengthen the barriers that would either prevent the action or allow graceful recovery from it.
- If a formal decision about whether the condition should be considered a safety hazard is needed, your organization may need to formalize an acceptance criterion to make that decision. Again, I recommend that it be qualitative rather than quantitative, but these analysis steps should provide a framework for defining a criterion that's appropriate for your industry and role in it.
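As an added illustration (not part of the original article), the steps above can be kept as a structured worksheet in which each pathway carries its barriers, their ratings, and their dependencies. The three-level rating scale, the rule that collapses barriers sharing a dependency into a single layer, and the screening rule in `assess` are assumptions made for this sketch, and both pathways are constructed; the result is a prompt for expert judgment, not a probability.

```python
from dataclasses import dataclass
from typing import Optional

ORDER = ["weak", "moderate", "strong"]  # assumed ordinal scale, not probabilities

@dataclass
class Barrier:
    name: str
    rating: str                       # analyst's qualitative rating
    human_only: bool = False          # relies completely on human behavior
    depends_on: Optional[str] = None  # shared dependency label, None if independent

    def effective(self) -> str:
        # Barriers that rely completely on human behavior are treated as weak.
        return "weak" if self.human_only else self.rating

@dataclass
class Pathway:
    name: str
    action_likelihood: str            # "unlikely", "plausible" or "likely"
    barriers: list

def independent_layers(barriers):
    """Collapse barriers sharing a dependency into one layer (its strongest member)."""
    layers = {}
    for i, b in enumerate(barriers):
        key = b.depends_on or f"_independent_{i}"
        if key not in layers or ORDER.index(b.effective()) > ORDER.index(layers[key]):
            layers[key] = b.effective()
    return list(layers.values())

def assess(p):
    """Assumed screening rule: flag pathways that tell a believable story."""
    layers = independent_layers(p.barriers)
    robust = "strong" in layers or layers.count("moderate") >= 2
    if robust and p.action_likelihood != "likely":
        return "assured"
    if not robust and p.action_likelihood != "unlikely":
        return "believable"
    return "review"

# Constructed pathways for illustration only.
PATH_A = Pathway("operator silences alert and continues", "likely", [
    Barrier("procedure step", "moderate", human_only=True),
    Barrier("alert tone", "moderate", depends_on="sensor_1"),
    Barrier("display warning", "moderate", depends_on="sensor_1"),
])
PATH_B = Pathway("operator skips cross-check", "plausible", [
    Barrier("automatic interlock", "strong"),
    Barrier("checklist item", "moderate", human_only=True),
])

if __name__ == "__main__":
    for p in (PATH_A, PATH_B):
        print(p.name, independent_layers(p.barriers), assess(p))
```

In the first pathway the two alerts share one sensor and so count as a single moderate layer, which is why three listed barriers still leave the pathway flagged.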
Of course, this is likely just the first analytic step in a longer process that may involve human-in-the-loop testing and possibly the development and testing of corrective actions.
This process is only as effective as the people doing it. Since human behaviors are the keys to the various potential pathways, the event tree should be built by experts in both the domain and human factors. The team should be mindful of their own prior expectations and potential biases, and should recognize and be willing to question their prior assumptions. Ideally, the team should be able to avoid the temptation to say, "No one would ever do this," without a strong rationale to justify it. A search of prior incidents that may be precursors to the surprising behaviors can be useful here to provide either confirming or contradicting evidence.