I joined the Rail Accident Investigation Branch in 2004, after 22 years in the railway industry. I was looking forward to the opportunity to work in an exciting new venture - the UK’s first independent railway accident investigation body. And I have not been disappointed.
I have been privileged to work with a truly extraordinary team of railway professionals across every railway discipline, and I have met many hundreds of fantastic people in this vibrant sector of the UK economy. I have also seen RAIB establish a reputation for high-quality investigations that make a real difference to railway safety.
Since I am about to retire, I wanted to reflect on the learnings from 17 years of investigation. I hope that exposure to many hundreds of investigations has given me an insight into why accidents occur and the difference that the leaders of the railway industry can make.
It is well known and proven that the commitment of industry leaders makes a real difference to safety, as does their ability to communicate the values that underpin every safe and effective organisation. Since much has been written on this subject, this article will instead focus on the causation of accidents and two areas where safety leaders can make a real difference.
The first of these relates to their awareness of risk and the ways of cultivating that awareness. The second is the process of safety management assurance - the means by which industry leaders assure themselves that their risk is being effectively managed.
How do accidents happen?
I guess that every reader of this article is familiar with Professor James Reason’s famous Swiss Cheese model of accident causation. The model presents an organisation’s defences against failure as a series of slices of cheese, with holes. The holes represent weaknesses in individual parts of the system that are continually varying in size and position across the slices. Accidents take place when a hole in every slice momentarily aligns, permitting a “trajectory of accident opportunity”.
What does this model mean in the context of a railway organisation’s safety management arrangements? The slices of cheese are the control measures and the holes are the gaps in your safety defences. The safety threat is that the holes align. The risk is the combination of the likelihood that the holes align and the consequences should this occur.
Good safety management is about taking the actions needed to avoid a trajectory of accident opportunity due to holes aligning. Actions can include adding another slice of cheese (another layer of safety defence), removing or reducing the size of the holes (addressing areas of weakness), or realigning the safety defences so that the holes are very unlikely to ever align.
So, adopting the Swiss cheese model, and reflecting on 17 years of RAIB investigations, it appears that the causes of accidents fall into six distinct categories:
1: A slice of cheese was missing (a layer of safety defence was missing altogether).
2: A hole in a slice was bigger than previously thought (a safety defence was weaker than imagined).
3: Holes were able to align in a way that no one anticipated (the different layers of safety defence interacted in an unexpected manner).
4: No one spotted the existence of a hole (there was an unknown weakness in a safety defence).
5:. The potential alignment in holes was understood, but the risk of this happening was considered to be acceptable (because the risk of the safety defences failing was thought to be as low as reasonably practicable).
6: An unanticipated sequence of events resulted in one or more slices being bypassed altogether (one or more safety defences proved to be irrelevant).
In my experience as an accident investigator, managers at every level of the railway industry generally appreciate the importance of understanding the way in which their organisations deliver safety. However, given the complexity of the railway’s systems, it is often very difficult for those at the heart of an organisation to clearly picture their areas of weakness and how their safety defences interact. Consequently, in many RAIB investigations, it was concluded that a relatively obvious weakness in a safety defence had not been fully appreciated prior to the accident.
Awareness of risk
RAIB investigations reveal that organisations rarely fully understand all the threats to safety and the associated risks. In many cases, the threats to safety have been identified, but the associated risk is not always well understood. However, from time to time, investigations reveal a threat that had not been identified.
One way to conceptualise threat/risk awareness is by adapting the Johari window and the concept of knowns and unknowns popularised by the former US Secretary of Defense, Donald Rumsfeld.
Every organisation will have a range of threats/risks that it believes it understands reasonably well because the threats (i.e. hazards) are obvious and the associated risk data well understood.
For these ‘known knowns’, the challenge is to ensure that the organisation’s understanding of the risk remains valid as circumstances change.
For other threats, the risk may be less well understood, in which case the challenge is to understand better the threat and/or the associated risk.
So, how does an organisation take account of the unknown unknowns? How do you detect something that’s hidden from you?
The simple answer is that you look for it. You look for clues and weak signals that something is awry. This could be an inconsistency in the data, something said to you in an everyday conversation, or something you notice when out and about on the network.
The instruments available to every rail industry leader monitoring their organisation’s safety performance should include:
■ Eyes and ears, watching and listening.
■ Conversation, with those that really know what is happening.
■ Engagement with local managers, supervisors and safety representatives.
■ An open, honest and just culture.
■ Smart data collection and analysis.
Hidden threats
RAIB’s investigations have identified a number of reasons why threats to safety remain hidden from leaders in railway organisations. These include:
■ Inadequate data: The railway industry is very good at collecting data on things that have already happened (i.e. lagging indicators). It is much less effective at collecting data that reveals how well its management systems are functioning and the extent to which they are effective in controlling risk (leading indicators).
■ Poor reporting: All railway organisations have processes to enable staff to report safety issues. The effectiveness of these is highly dependent on the safety culture of the organisation. The real measure of the effectiveness of any reporting system is the extent to which people feel that it is safe to report their own errors.
■ Lack of requisite imagination: ‘Requisite imagination’ has been described as the ‘fine art of anticipating what might go wrong’. Risk managers at any level of an organisation need to apply requisite imagination if they are to recognise threats not revealed by their historical data, and which is outside of their immediate experience.
■ Poor intelligence: Corporate entities are reliant on good intelligence if they are to be sufficiently aware of threats to safety. Intelligence relies on both formal information flows through the organisation and a myriad of informal personal exchanges at every level. These flows of information, which are so vital to safety assurance, are easily interrupted by poor working relationships, dysfunctional management structures, or mutual distrust.
■ Lack of transparency: In order for an organisation to be aware of the threats to safety, it needs access to information. It needs to understand the design of its equipment, how it might fail, and the consequences should this happen. Barriers to accessing safety-related information can include commercial confidentiality, poor retention of documents, or the lack of expertise needed to interpret technical data.
Chronic unease
To achieve a high level of safety, leaders need to maintain a state of constant wariness concerning the management of risk - a condition often described as ‘chronic unease’. Despite sounding like a nasty medical condition, chronic unease describes a condition of unrelenting watchfulness - a persistent suspicion that all is not well and that something could go horribly wrong at any moment.
Such a mindset is of very real value in an industry such as railways, where safety is reliant on numerous safety controls that interact in a complex manner.
In a study sponsored by Royal Dutch Shell, researchers Dr Fruhen and Professor Flinn interviewed senior managers in the oil and gas industry and identified four characteristics or habits of mind underpinning chronic unease: ‘safety imagination’, vigilance, pessimism, and a tendency to worry.
Those with a strong ‘safety imagination’ are able to imagine the catastrophic consequences of precursor events (i.e. low-frequency, high-consequence accidents). Those with vigilance tend to closely monitor the environment, picking up on even weak signals of a problem. Pessimism and worry are linked to a tendency to expect failure, and tenacity in pursuit of improved safeguards.
Time and time again, RAIB investigations highlight accidents that could have been avoided had the leadership team focused on better understanding the threats to the safety of their business and the consequential risk.
For this reason, I urge everybody with a duty to deliver a safe railway to take the time to think hard about the way that they are assuring themselves that the threats to the safety of the railway have been identified, and the consequent risk understood.
Management assurance
All railway organisations must confront a range of hazards (threats to safety), and manage the resultant risk. To do so, organisations are required (by the Railways and Other Guided Transport Systems (Safety) Regulations 2006) to implement a ‘safety management system’ (SMS) to control its risks. In essence, an SMS is required to identify the control measures that have been established to manage the risk associated with the known threats to safety.
By means of risk assessment, organisations can satisfy themselves that risks are being managed so far as is reasonably practicable. However, since few organisations stand still, the SMS is also required to incorporate mechanisms to control the risk of change and to incorporate learning from experience.
Management assurance is the control mechanism that monitors and reviews the health and robustness of the SMS. It is, therefore, critical to the safe operation of any railway organisation and should be a key focus for railway safety leaders.
It provides assurance that safety defences are functioning as intended, and enables leaders to address areas of weakness. Good management assurance is about an organisation’s leaders and managers being aware of any gaps between theory and practice, and then taking action to address them.
An underlying theme in many of RAIB’s investigations has been the divergence between what the management system said should be happening, and what was actually going on.
For example, RAIB’s investigation into the accident at Margam identified that Network Rail’s management assurance system was not effective in identifying the full extent of procedural non-compliance and unsafe working practices, and so did not trigger the management actions needed to address them.
Similar issues with management assurance were also identified in the investigations into the death of a train driver at Tyseley depot (report 09/2020) and the fatal accident involving a track worker at Roade in April 2020 (report 03/2021).
The RAIB investigation of the incident near Loughborough (report 10/2020), in which a train delivering new rolling stock to a storage depot passed a signal at danger, found some significant deficiencies in the way that the train operator was managing safety.
This led to a train being driven faster than was permitted on the route, and therefore being unable to stop before passing a red signal by a significant distance.
There was a gap between documented safety processes and what was happening. There also appeared to be no management awareness of how well (if at all) the company was following its own safety processes, including those related to competence management.
Certainly, good management assurance relies on formal systems. However, RAIB investigations reveal that a positive, open and honest culture is also needed if leaders are to be properly informed and protected from wishful thinking. There needs to be recognition that only very rarely are accidents caused by people who are reckless or irresponsible.
What we often observe is people trying hard to get the job done, often in a very difficult working environment. It is that commendable eagerness to complete the task that can so easily cause people to overlook the risks that they are taking. Since it relies on good information about what is really happening in the field, processes such as audit and formal management reviews have a role to play. However, more important still is the free flow of accurate intelligence between the front line and leaders.
The leader of any organisation needs to appreciate that they will never be fully assured that their risks are being managed so far as is reasonably practicable.
Management assurance is not a once-only activity, it’s a continual process of learning, questioning and challenge. It also relies on an understanding that there is always more to learn about the way that an organisation is delivering safety and its areas of weakness.
Conclusions
After 17 years at RAIB, I am encouraged by the progress that the railway industry has made in the way that it manages safety. Leaders in the railway industry ‘get’ safety and are mature in their understanding of safety management.
However, it is my view that the biggest obstacles to further improvement are risk awareness and management assurance.
With regard to risk awareness, leaders need to promote a better corporate understanding of risk. To do this, leaders need to ensure that their organisation has:
1: Relevant high-quality data and intelligence (quantitative and qualitative).
2: Sufficient analytical skills.
3: Recognised the value of imaginative thought to the identification of safety threats.
However, there is also more that needs to be done to ensure that leaders can accurately assess the effectiveness of their corporate safety management systems. It is my view, based on hundreds of ‘case studies’ (i.e. RAIB investigations), that any review of management assurance needs to answer the following fundamental, and sometimes uncomfortable, questions:
Ten difficult questions for rail industry leaders about their corporate risk awareness and management assurance.
1: Do you really understand how safety is actually achieved by your organisation, day in, day out, despite constantly varying conditions… or are you only focused on what can go wrong?
2: Do you cultivate and reward the characteristic of chronic unease in the board room… or are you a little too ready to receive positive news and plug it into a comfortable model of how well your organisation is managing safety?
3: Do you have the ‘requisite imagination’ to assess safety threats beyond your experience… or are you bound by the limits of your experience and data?
4: Do you actively seek measures of how well your safety systems are working in the real world… or do you continue to rely on lagging data which tells you everything about what has gone wrong, but very little about why?
5: Are you able to select and analyse the information you need to properly understand your safety performance… or are you drowning in a sea of data?
6. Do you really understand why your people deviate from laid-down processes… or are you simply cataloguing non-compliances with bad process?
7: Do you have an open, honest and just culture that encourages the flow of information up, down and across your organisation?… or is it just good news that flows freely?
8: Are your safety processes properly understood and embedded with those who must make them work… or are ‘things done differently away from head office’?
9: How well does your organisation learn from previous experience, and then use it to improve its safety arrangements… or are you slow to learn and reluctant to change?
10: Do you spend time out and about, watching how things are done and listening to your people… or are you trapped in a senior management ‘echo’ chamber?
Regardless of how you and your senior colleagues would answer the above questions, there’s always more that can be done to improve an organisation’s awareness of safety risk and management assurance. Certainly, this will require formal process, and leaders have a responsibility to see that these are established.
However, every bit as important is organisational culture - a culture built on imagination, openness, honesty and fairness which enables the free flow of information and ideas that is needed to understand and respond appropriately to threats to the safety of its people and customers.
It is my view, formed during 17 years of experience at RAIB, that this is the area in which industry leaders can make the biggest difference to railway safety.
Login to comment
Comments
No comments have been made yet.