Erik Hollnagel


The traditional focus of safety is on what happens when something goes wrong, when the outcomes of work differ from what were intended and expected. Safety, or rather Safety-I (Hollnagel, 2014), is defined as the absence of harm and injury and the purpose of safety management is to prevent accidents and incidents – large and small – from happening. Safety-I is about not having accidents and the challenge is to find out about their causes in order to eliminate or encapsulate them. Conventional wisdom also argues that there is more to be learnt from accidents than from incidents, more to be learnt from major accidents than from minor ones, and so on. This shows itself in practice as a clear
relationship between the severity of an event (magnitude of losses, number of injured and dead) and the time and efforts that are invested to understand what happened and to learn the right lessons.

The principles and practices of Safety-I are governed by the “logic” of the causality credo, which can be stated as follows: (1) adverse outcomes happen because something has gone wrong; (2) if enough evidence is collected it will be possible to find the causes and then eliminate, encapsulate, or otherwise neutralise them; (3) since all adverse outcomes have causes, and since all causes can be found and dealt with, it follows that all accidents can be prevented, i.e., the Zero Accident Vision. The rationale for the causality credo has been expressed as follows:
“Sound business procedure, as in fact sound common-sense procedure with regard to the arts or sciences in general, substantiates the thought that the cure of a given troublesome condition depends primarily upon knowledge of its cause and the elimination, or at least the mitigation, of that cause. That this principle applies to the prevention of industrial accidents cannot be denied. Success depends also upon the will to achieve and, later, upon ability to apply a known remedy” (Heinrich, 1931, p.

It is, of course, natural to try to be free from harm and injury, whether as a person or an organisation. Accidents and incidents are unwanted occurrences and it makes good sense to try to avoid them as far as possible. Yet in the rush to learn from what has gone wrong two important facts are missed. The first is that most of what happens, indeed nearly everything that happens, usually goes well. It would therefore seem reasonable also to try to learn something from that. Learning from failures alone is not only marginal, it is also expensive and mostly ineffective. The second fact is that if there are causes for what goes wrong then there must also be causes for what goes well. From a Safety-I perspective
the two types of causes must obviously be different; otherwise eliminating the causes of accidents would also reduce the likelihood for work to go well.

Resilience Engineering and Safety-II argue that an organisation should learn from everything that happens, from failures, from successes, and from everything in between. Adverse outcomes do not happen because something fails but because system adjustments are insufficient or inappropriate. Work that goes well is not the result of the effective elimination of hazards and risks but rather represents “an ongoing condition in which problems are momentarily under control due to compensating changes [in components]” (Weick, 1987). Safety is therefore a condition where as much as possible goes well and where consequently “nothing” happens. The coveted state of freedom from harm and injury can be achieved by focusing on the so-called “non-events”, by making sure that everything functions well and making sure that the “non-events” happen, but not by focusing on the events and by preventing that something fails.

Events and “non-events”
The practical problem is, of course, how this should be done. One obstacle is the psychological phenomenon called habituation. This means that we stop noticing something if it is always there and if it happens all the time. We quickly become so used to the adjustments and workarounds that are part of everyday work – and indeed everyday life – that we do not consider them worth mentioning. Work not only goes well all the time but we also expect it to do so. When it happens it is therefore not surprising, and we therefore gradually stop paying attention to it. The conundrum is that reliable outcomes are constant, which means that they do not attract attention. But in order to improve performance we must find ways to pay attention to them and learn from seemingly trivial details.

Terminological asymmetry
A second obstacle is the lack of readily available terminology, categories and methods. For accidents and incidents we have a well-developed terminology to describe them and their outcomes, many methods to analyse them, and a number of models to explain their purported causes. This makes it easy to notice them, to describe them, to document them, and to share that information with others. But there is no similar terminology to characterise work that goes well, let alone methods to analyse it or models to explain and understand it. Indeed, in common parlance an absence of accidents means that “nothing” happens. And if “nothing” happens then there is clearly nothing that can be observed and
nothing that can be learnt. This is, however, essentially a chicken or egg dilemma, since once we find ways to describe what happens every day, to perceive what cannot be seen, it becomes obvious that there is much of value to learn.

Work-as-Imagined and Work-as-Done
Planning what to do rests on assumptions about how regular the work context is, what the demands and resources will be, how reliably others will perform, and so on. Trying to anticipate what may happen is, however, not like playing a game of chess. No actual situations are as orderly and constrained as a board game, and the ‘opposition’ in real life rarely behaves as imagined but seems either not to follow the rules or to follow different rules. The planned work – Work-as-Imagined – will therefore never correspond precisely to the actual work – Work-as-Done – no matter how meticulous the planning is. In order to do their work, people and organisations must adjust what they do to match the conditions – unless, of course, they are powerful enough to adjust the conditions to match their plans. The adjustments will furthermore be approximate rather than precise for the very reasons that make them necessary in the first place.

It is important to point out that the issue is not whether WAD is ‘ right’ and WAI is ‘wrong’, or vice versa. WAI and WAD are simply and irreconcilably different. People manage to do their work despite rather than because of all the instructions, policies, procedures and rules that they have been given by well-intentioned policy makers, system designers, and managers. It is essential that organisations try to learn from that rather than pass it in silence.

Resilience engineering and Safety-II have convincingly argued that performance variability and performance adjustments on the whole are strengths rather than liabilities, and that they are the primary reason why socio-technical systems function as well as they do. Humans are extremely adept at finding effective ways to overcome problems at work, and this capability is crucial for safety and productivity throughout an organisation. It therefore stands to reason that there are valuable insights to be gained from looking at Work-as-Done, which means looking at and learning from work that goes well. An added bonus is that it in the long run may strengthen a culture of inquiry and wisdom and gradually weaken the conditioned tendency to focus on the negative.


Resilience, Learning from what goes well


Download here