FRAM Model Interpreter

(c) Erik Hollnagel, 2021

FMI - the FRAM Model Interpreter
Version MMXXII

The FRAM Model Interpreter (FMI) is a software tool that can be used to interpret a FRAM model and thereby illustrate how the described activity or task may develop. This is possible because a FRAM model in principle is a kind of program - a set of instructions that control the way in which a model operates or "performs". The FMI is simply the "engine" that can interpret these instructions. The FMI provides a realisation or simulation of a given model in the sense that it evaluates the consequences of the couplings specified by the aspects of the model’s functions and thereby shows how an event can develop - or indeed whether it will develop at all. The FMI can be used to determine how the potential couplings defined in the model will be realised as actual couplings for specified conditions – an instantiation.


In the MMXXII version of the FMI, the variability of functions can be set by setting the control mode for individual functions. The control mode determiness how a function will process the upstream Outputs that are defined by the function's aspects - whether a function will consider ALL of them, ANY of them, or NONE of them. The four control modes are Strategic, Tactical, Opportunistic, and Scrambled. Further details can be found in the FMI documentation.


  • You can find a brief description of the FMI here.
  • The MacOSX version is avaliable here.
  • The Windows version is available here.
  • A Linux version is available on request.


How it works

To show how the FMI works, consider the description of how to prepare cup noodles, which is an exercise that is often used in FRAM courses. The model developed for how to prepare cup noodles may look like this (other variations are of course possible).

To confirm that the model works - and that it will lead to the desired outcome - it is necessary to go through it satep-by-step or to "execute" it. In this example the model is simple enough to go through by hand but for models with more functions or more couplings it soon becomes impractical. This is where the FMI can help. It will enable you to go through a model step-by-step while keeping track of everything that happens, especially the changes to upstream-downstream relations. It wqill, in other words, interpret the model as it has been specified by you.

If you read and initialise the model in the FMI, you will see the following screen.

You then begin the interpretation of the model. The guidance for how to do that can be found in the brief description mentioned above. The FMI will for each cycle show which functions have become active both in the FMI log and by change the colour of the function in the Function Status to green. It will also show which Outputs have become active. The status after the first step looks like this.

The interpretation will in this case come to a successful conclusion when the function <To enjoy cup noodles> is reached. The steps-by-step activation of the functions can be seen from the FMI log on screen and can og course also be saved in a session log together with more detailed information for each step.

According to the conventional interpretation of safety, here called Safety-I, safety denotes a condition where as little as possible goes wrong, the focus of practical efforts whether in management or analysis is therefore on the occurrence of unacceptable outcomes and on how to reduce their number to an acceptable level, ideally zero and the emphasis is on how to manage safety eo ipso, as seen in the ubiquitous safety management Systems (SMS).


This approach, however leads to somewhat of a paradox since Safety in this way is defined and measured more by its absence than by its presence, as noted by Reason, (2000). According to a Safety-I perspective an accident thus represents a situation or a condition where there is or was a lack of safety. Which immediately raises the obvious question of how it is possible to learn about something if it only is studied in situations where it is not there?No known sciences can do that-- except safety science!!! And furthermore how is it possible to manage something that is not there? The simple answer is that it is impossible! THE UNACCEPTABLE OUTCOMES THAT SAFETY MANAGEMENT FOCUS ON ARE THE RESULTS OF SOMETHING THAT HAPPENED IN THE PAST,BUT DOES NOT HAPPEN ANY LONGER IT CAN THEREFORE NOT BE MANAGED!!!-- While you can manage a process  you cannot manage a product.These paradox fortunately disappears in the view proposed by Safety-II, where safety is defined as a condition where as much as possible goes well. An acceptable outcome therefore represents conditions where safety is present rather than absent, and efforts are accordingly directed at understanding how this happens and how one can ensure that it will happen also in the future. Logically, if as much as possible goes well, then as little as possible goes wrong,since in practice something cannot go well and go wrong at the same time. A Safety-II approach therefore achieves the same objective as a Safety-I approach, but does so in a completely different way. In Safety-II the concern is not to manage safety as a static outcome, hence using safety as a noun but to manage system performance safely, as a dynamic process, hence safely as an adverb. There is a crucial difference between managing safety and managing safely. The former represents a cost, since the purpose is to avoid something rather than to achieve something, while the latter represents an investment that directly contributes to productivity as well as increased revenue. It is therefore clearly more important and useful for a company to manage safely than to manage safety.


Since most work and most activities in practice go well, even though we fail to pay attention to them there will also be more cases to study sand learn from. Best of all, perhaps is that there is no need to wait for something to happen, i.e., to fail or go wrong. Something is happening all the time all we need to do is to pay attention to it

Reason, J. (2000). Safety paradoxes and safety culture. Injury Control & Safety Promotion, 7(1), 3-14.