And what about Safety-III

(c) Erik Hollnagel, 2020

Is there a "Safety-III"?

The danger in proposing the terms "safety-I" and "safety-II" is that they are seen as representing a numerical relationship or a sequence. From this it is deceptively easy to 'conclude' that the sequence can continue to a safety-III, safety-IV, and ultimately some form of safety-n. But this 'conclusion' is based on a fundamental misinterpretation of the terms, since safety-I and safety-II were proposed to describe a rhetorical rather than a numerical relationship. (It also conveniently overlooks the deliberate use of Roman rather than Arabic numerals, see the homophone-synonym note.) The terms were proposed to juxtapose two views of safety, or rather two views on how to understand and manage the ways in which socio-technical systems work - in particular those that we call complex.

The possibility of this misunderstanding was addressed in the book. The arguments are repeated below:

Will There Be A Safety–III?

Since Safety–II represents a logical extension of Safety–I, it may well be asked whether there will not someday be a Safety–III. In order to answer that, it is necessary to keep in mind that Safety–I and Safety–II differ in their focus and therefore ultimately in their ontology. The focus of Safety–I is on things that go wrong, and the corresponding efforts are to reduce the number of things that go wrong. The focus of Safety–II is on things that go well, and the corresponding efforts are to increase the number of things that go well.

Safety–II thus represents both a different focus and a different way of looking at what happens and how it happens. Doing this will, of course, require practices that are different from those that are commonly used today. But a number of these practices already exist, either in principle or in practice, as described in Chapter 8, and can easily be taken into use. It will, of course, also be necessary to develop new methods and techniques that enable us to deal more effectively with what goes well, which are able in particular to describe, analyse, and represent the ubiquitous performance adjustments.

If the way ahead is a combination of the existing practices of Safety–I with the complementary – and to some extent novel – practices of Safety–II, then where does that leave a possible Safety–III? It has been suggested that Safety–III ‘simply’ stands for the combination of existing and novel practices. But the combination of practices is not against the idea of Safety–II, which is intended as a complement to Safety–I rather than a replacement for it ... Neither does the suggestion of a possible ‘Safety–III’ offer a new understanding of safety, a new ontology,  in the way that Safety–II does, and it may therefore not be necessary in the same way. It can, of course, not be ruled out that in some years’ time there may come a proposal for understanding safety with a definition of its own that is different from both Safety–I and Safety–II. It may also happen that the very concept of safety is gradually dissolved, at least in the way that it is used currently, as something distinctively different from, e.g., quality, productivity, efficiency, etc. If that happens – and several signs seem to indicate that it will – then the result will not be a Safety–III but rather a whole new concept or synthesis (see synesis). So while Safety–II by no means should be seen as the end of the road in the efforts to ensure that socio-technical habitats function as we need them to, it may well be the end of the road of safety as a concept in its own right.

The argument can be summarised like this: Safety-I represents a concern for managing events with unacceptable outcomes. This is done by trying to explain how things go wrong in order to prevent any reoccurrence. The focus on things that go wrong in practice exclude everything else. Safety-II represents a concern for managing how things happen regardless of whether the outcomes are acceptable or unacceptable. This is done by trying to understand how things happen in order to facilitate acceptable outcomes and dampen or prevent unacceptable outcomes.

This can also be shown graphically. If we assume that outcomes follow a normal distribution, the focus of Safety-I is shown by the red area in the figure below.

Safety-I looks at outcomes that only happen infrequently and that are unacceptable (events with unwanted outcomes or things that go wrong). Safety-II looks at all events regardless of their outcomes, but in particular at the events that occur frequentlythat lead to the expected outcomes and which therefore are seen as  'normal'.* Since Safety-II is concerned with everything that happens (and not just with things that go well or the positive surprises), there is nothing else to look at. And since Safety-II looks at all outcomes regardless of whether they are acceptable or unacceptable, there is no other way of looking at them. Safety-II, of course, has a bias towards frequent events with acceptable outcomes, but only because these traditionally have been neglected or excluded as having little or no interest.

The argument can also be made more formally:

Consider the set of all events, U, where the outcome is seen as unacceptable. Consider the set of all events, A, where the outcome is seen as acceptable. Anything that can happen must be a member of the union of the two sets, E.

For the engineering view of the safety of socio-technical systems, the focus is limited to U and the approach is that of Safety-I. For the systemic view of the safety of socio-technical systems, the focus is on E  and the approach is that of Safety-II.

There could, theoretically, be a study of only A, but it would not make much sense since it would exclude the things that go wrong, i.e., U. Since Safety-II is the study of E, it does by definition include the concerns of Safety-I. There is therefore no need of a “Safety-III”, nor is it logically possibly since there are no events that are not a member of E.

Safety-III is neither meaningful nor necessary. QED

Indeed, it would be wise to stop using safety as a noun, as something that can be managed or studied in itself, and instead to use safely as an adverb, as the way in which something is managed. The focus should therefore be on safe management rather than on safety management.

(c) Erik Hollnagel, November 01 2015, revised september 2021.

Footnote

* In Safety-I these are, ironically, described as situations where 'nothing happens'.


According to the conventional interpretation of safety, here called Safety-I, safety denotes a condition where as little as possible goes wrong, the focus of practical efforts whether in management or analysis is therefore on the occurrence of unacceptable outcomes and on how to reduce their number to an acceptable level, ideally zero and the emphasis is on how to manage safety eo ipso, as seen in the ubiquitous safety management Systems (SMS).


This approach, however leads to somewhat of a paradox since Safety in this way is defined and measured more by its absence than by its presence, as noted by Reason, (2000). According to a Safety-I perspective an accident thus represents a situation or a condition where there is or was a lack of safety. Which immediately raises the obvious question of how it is possible to learn about something if it only is studied in situations where it is not there?No known sciences can do that-- except safety science!!! And furthermore how is it possible to manage something that is not there? The simple answer is that it is impossible! THE UNACCEPTABLE OUTCOMES THAT SAFETY MANAGEMENT FOCUS ON ARE THE RESULTS OF SOMETHING THAT HAPPENED IN THE PAST,BUT DOES NOT HAPPEN ANY LONGER IT CAN THEREFORE NOT BE MANAGED!!!-- While you can manage a process  you cannot manage a product.These paradox fortunately disappears in the view proposed by Safety-II, where safety is defined as a condition where as much as possible goes well. An acceptable outcome therefore represents conditions where safety is present rather than absent, and efforts are accordingly directed at understanding how this happens and how one can ensure that it will happen also in the future. Logically, if as much as possible goes well, then as little as possible goes wrong,since in practice something cannot go well and go wrong at the same time. A Safety-II approach therefore achieves the same objective as a Safety-I approach, but does so in a completely different way. In Safety-II the concern is not to manage safety as a static outcome, hence using safety as a noun but to manage system performance safely, as a dynamic process, hence safely as an adverb. There is a crucial difference between managing safety and managing safely. The former represents a cost, since the purpose is to avoid something rather than to achieve something, while the latter represents an investment that directly contributes to productivity as well as increased revenue. It is therefore clearly more important and useful for a company to manage safely than to manage safety.


Since most work and most activities in practice go well, even though we fail to pay attention to them there will also be more cases to study sand learn from. Best of all, perhaps is that there is no need to wait for something to happen, i.e., to fail or go wrong. Something is happening all the time all we need to do is to pay attention to it

Reason, J. (2000). Safety paradoxes and safety culture. Injury Control & Safety Promotion, 7(1), 3-14.