(c) Erik Hollnagel, 2020
To Be Safe
Accidents are usually explained by referring to a model of how causes lead to effects. The Domino model from 1931 used the analogy of a row of domino pieces that fell one after the other. And in the 1980s, the Swiss cheese model explained accidents as combinations of active failures (or unsafe acts) and latent conditions (hazards).
All accident models share the unspoken assumption that outcomes can be understood in terms of cause-effect relations. This causality credo can be expressed as follows:
An accident is an effect, and therefore has a preceding cause. There is furthermore a value symmetry (or congruence) between causes and effects, which means that an accident happens because something has failed or malfunctioned: negative effects are due to negative causes.
The causes of an accident can be found if only enough evidence is collected (and if enough time and effort are spent to analyse the evidence). Once the causes have been found, they can be eliminated, encapsulated, or otherwise neutralised.
Since all accidents have causes, and since all causes can be found, it follows that all accidents can be prevented. This is the vision of zero accidents or zero harm that many companies find attractive.
According to the zero accident vision, the goal of safety management is to ensure that nothing goes wrong, whether counted as accidents, incidents, lost time injuries, etc. We will therefore be safe if we can ensure that nothing goes wrong.
To Feel Safe
Accidents are not only a hindrance to purposive human activity, but are also unexpected, even when they are imaginable. Because accidents take us by surprise, they are psychologically unpleasant. Human beings have a basic need to feel safe, to feel that nothing can harm them physically, economically, or in other ways. When something unexpected and unpleasant happens, we therefore need to restore our feeling of safety.
Finding a cause has a practical value, because knowledge of the cause is seen as necessary to prevent the accident from being repeated. But finding a cause also has psychological value because it relieves us from the anxiety that follows the unknown. This was recognised more than a century ago, when the philosopher Friedrich Nietzsche wrote that "to trace something unfamiliar back to something familiar is at once a relief, a comfort and a satisfaction, while it also produces a feeling of power. The unfamiliar involves danger, anxiety and care – the fundamental instinct is to get rid of these painful circumstances. First principle – any explanation is better than none at all."
A cause is the identification, after the fact, of a limited set of aspects of the situation that are seen as the necessary and sufficient conditions for the effect(s) to have occurred. We can therefore feel safe, if we can think of an acceptable explanation for the unexpected.
To Really Be Safe
Safety is traditionally defined as a condition where the number of unwanted outcomes (accidents / incidents / near misses) is as low as possible (Safety-I). But this deceptively simple definition is problematic because it defines safety by its opposite, by what happens when it is missing. It also means that safety is measured indirectly, not as a quality in itself, but by the consequences of its absence.
While it is natural to be concerned with what goes wrong, we should also realise that when something happens it either goes well or wrong, but not both at the same time (at least not in the macroscopic world we live in). We could therefore also look at how things go well, and define safety as a condition where as much as possible goes well (Safety-II). From this perspective, the purpose of safety management is to ensure that everyday work succeeds. This can clearly not be done if we only look at, respond to, and learn from what goes wrong. Safety management must also be proactive. That requires an understanding of the nature of successful work, of how the work environment develops and changes, and of how functions may depend on and affect each other. This understanding requires looking for patterns and relations across events rather than for causes of individual events. It is definitely more important really to be safe, by making sure that everything works as it should, than to feel safe by clinging to socially acceptable causes.
(Posted 2021-12-02) (c) Erik Hollnagel.
According to the conventional interpretation of safety, here called Safety-I, safety denotes a condition where as little as possible goes wrong. The focus of practical efforts, whether in management or analysis, is therefore on the occurrence of unacceptable outcomes and on how to reduce their number to an acceptable level, ideally zero, and the emphasis is on how to manage safety eo ipso, as seen in the ubiquitous safety management systems (SMS).
This approach, however, leads to somewhat of a paradox, since safety in this way is defined and measured more by its absence than by its presence, as noted by Reason (2000). According to a Safety-I perspective, an accident thus represents a situation or a condition where there is or was a lack of safety. This immediately raises the obvious question of how it is possible to learn about something if it is only studied in situations where it is not there. No known sciences can do that, except safety science! And furthermore, how is it possible to manage something that is not there? The simple answer is that it is impossible! THE UNACCEPTABLE OUTCOMES THAT SAFETY MANAGEMENT FOCUSES ON ARE THE RESULTS OF SOMETHING THAT HAPPENED IN THE PAST, BUT DOES NOT HAPPEN ANY LONGER. IT CAN THEREFORE NOT BE MANAGED! While you can manage a process, you cannot manage a product.
This paradox fortunately disappears in the view proposed by Safety-II, where safety is defined as a condition where as much as possible goes well. An acceptable outcome therefore represents conditions where safety is present rather than absent, and efforts are accordingly directed at understanding how this happens and how one can ensure that it will happen also in the future. Logically, if as much as possible goes well, then as little as possible goes wrong, since in practice something cannot go well and go wrong at the same time. A Safety-II approach therefore achieves the same objective as a Safety-I approach, but does so in a completely different way.
In Safety-II the concern is not to manage safety as a static outcome, hence using safety as a noun, but to manage system performance safely, as a dynamic process, hence safely as an adverb. There is a crucial difference between managing safety and managing safely. The former represents a cost, since the purpose is to avoid something rather than to achieve something, while the latter represents an investment that directly contributes to productivity as well as increased revenue. It is therefore clearly more important and useful for a company to manage safely than to manage safety.
Since most work and most activities in practice go well, even though we fail to pay attention to them, there will also be more cases to study and learn from. Best of all, perhaps, is that there is no need to wait for something to happen, i.e., to fail or go wrong. Something is happening all the time; all we need to do is to pay attention to it.
Reason, J. (2000). Safety paradoxes and safety culture. Injury Control & Safety Promotion, 7(1), 3-14.