The danger in proposing the terms "safety-I" and "safety-II" is that they are seen as representing a numerical relationship or a sequence. From this it is deceptively easy to 'conclude' that the sequence can continue to a safety-III, safety-IV, and ultimately some form of safety-n. But this 'conclusion' is based on a fundamental misinterpretation of the terms, since safety-I and safety-II were proposed to describe a rhetorical rather than a numerical relationship. (It also conveniently overlooks the deliberate use of Roman rather than Arabic numerals, see the homophone-synonym note.) The terms were proposed to juxtapose two views of safety, or rather two views on how to understand and manage the ways in which socio-technical systems work - in particular those that we call complex.
The possibility of this misunderstanding was addressed in the book. The arguments are repeated below:
Will There Be A Safety–III?
Since Safety–II represents a logical extension of Safety–I, it may well be asked whether there will not someday be a Safety–III. In order to answer that, it is necessary to keep in mind that Safety–I and Safety–II differ in their focus and therefore ultimately in their ontology. The focus of Safety–I is on things that go wrong, and the corresponding efforts are to reduce the number of things that go wrong. The focus of Safety–II is on things that go right, and the corresponding efforts are to increase the number of things that go right.
Safety–II thus represents both a different focus and a different way of looking at what happens and how it happens. Doing this will, of course, require practices that are different from those that are commonly used today. But a number of these practices already exist, either in principle or in practice, as described in Chapter 8, and can easily be taken into use. It will, of course, also be necessary to develop new methods and techniques that enable us to deal more effectively with what goes right, which are able in particular to describe, analyse, and represent the ubiquitous performance adjustments.
If the way ahead is a combination of the existing practices of Safety–I with the complementary – and to some extent novel – practices of Safety–II, then where does that leave a possible Safety–III? It has been suggested that Safety–III ‘simply’ stands for the combination of existing and novel practices. But the combination of practices is not against the idea of Safety–II, which is intended as a complement to Safety–I rather than a replacement for it ... Neither does the suggestion of a possible ‘Safety–III’ offer a new understanding of safety, a new ontology, in the way that Safety–II does, and it may therefore not be necessary in the same way. It can, of course, not be ruled out that in some years’ time there may come a proposal for understanding safety with a definition of its own that is different from both Safety–I and Safety–II. It may also happen that the very concept of safety is gradually dissolved, at least in the way that it is used currently, as something distinctively different from, e.g., quality, productivity, efficiency, etc. If that happens – and several signs seem to indicate that it will – then the result will not be a Safety–III but rather a whole new concept or synthesis (see synesis). So while Safety–II by no means should be seen as the end of the road in the efforts to ensure that socio-technical habitats function as we need them to, it may well be the end of the road of safety as a concept in its own right.
The argument can be summarised like this: Safety-I represents a concern for managing events with unacceptable outcomes. This is done by trying to explain how things go wrong in order to prevent any reoccurrence. The focus on things that go wrong in practice exclude everything else. Safety-II represents a concern for managing how things happen regardless of whether the outcomes are acceptable or unacceptable. This is done by trying to understand how things happen in order to facilitate acceptable outcomes and dampen or prevent unacceptable outcomes.
This can also be shown graphically. If we assume that outcomes follow a normal distribution, the focus of Safety-I is shown by the red area in the figure below.
(c) Erik Hollnagel, 2017
SafetySynthesis is registered as a company in Denmark (Cvr-nr.: 35126910)
Safety-I looks at outcomes that only happen infrequently and that are unacceptable (events with unwanted outcomes or things that go wrong). Safety-II looks at all events regardless of their outcomes, but in particular at the events that occur frequentlythat lead to the expected outcomes and which therefore are seen as 'normal'.* Since Safety-II is concerned with everything that happens (and not just with things that go well or the positive surprises), there is nothing else to look at. And since Safety-II looks at all outcomes regardless of whether they are acceptable or unacceptable, there is no other way of looking at them. Safety-II, of course, has a bias towards frequent events with acceptable outcomes, but only because these traditionally have been neglected or excluded as having little or no interest.
The argument can also be made more formally:
Consider the set of all events, U, where the outcome is seen as unacceptable. Consider the set of all events, A, where the outcome is seen as acceptable. Anything that can happen must be a member of the union of the two sets, E.
For the engineering view of the safety of socio-technical systems, the focus is limited to U and the approach is that of Safety-I. For the systemic view of the safety of socio-technical systems, the focus is on E and the approach is that of Safety-II.
There could, theoretically, be a study of only A, but it would not make much sense since it would exclude the things that go wrong, i.e., U. Since Safety-II is the study of E, it does by definition include the concerns of Safety-I. There is therefore no need of a “Safety-III”, nor is it logically possibly since there are no events that are not a member of E.
*In Safety-I these are, ironically, described as situations where 'nothing happens'.
Safety-III is neither meaningful nor necessary. QED
(c) Erik Hollnagel, November 01 2015.