tff,
the person self-identifying as "Shell Management" has, over time produced a number of what Flying Lawyer has termed "extreme views", and also misinformation concerning matters on which he self-presumes to be knowledgable, such as safety and organisational safety.
Brian Abraham is just one of the people who have become publically fed up with SM's facile and misleading interventions. I understand Brian's exasperation very well, and sympathise. I am also grateful that he flags the distortions so that people who don't know that much about safety are not misled.
SM's interventions do have a plus side, however. Occasionally I feel the need to correct a particularly egregious misreprentation, and so I can write a few paragraphs summarising some aspect of the history of safety which I may not have written on before. Then a couple people here might be grateful to read it, and I myself have text I can use again when the need arises.
So here are a few paragraphs on some of Jim Reason's work (which I will be able to use again). I follow these with a couple of comments on SM's misrepresentations.
The so-called "Swiss Cheese Model" is a picture which appears in Reason's book Human Error (Cambridge U.P. 1990) as Figure 7.5. in Chapter 7, "Latent Errors and Human Disasters", in which Reason considers various well-known accidents. The caption is "The various human contributions to the breakdown of complex systems are mapped onto the basic elements of production. It is assumed that the primary systemic origins of latent failures are the fallible decisions taken by top-level plant and corporate managers. These are then transmitted via the intervening elements to the point where system defences may be breached." In order to interpret this diagram, one needs to know what the "basic elements of production" are (they are given in a similarly layered diagram, with feedback loops, in Figure 7.4). One must also buy the assumption of whence the "primary systemic origins of latent failures" derive. Reason was talking specifically about complex human organisations and complex accidents. TNI, Bhopal, Challenger, Chernobly, Herald of Free Enterprise capsize at Zeebrugge, King's Cross station underground fire.
One thing Reason does not explicitly say is that his conceptualisation in Figure 7.5 is based on a barrier-analysis conception of accidents. An aviation accident to which barrier analysis is obviously well applicable is 1988 A320 Habsheim, which involved a lot of failures in the corporate and institutional controls over the pilot's planning and behavior beforehand. An aviation accident to which it is not very well applicable is 1992 Warsaw, which was a combination of what I call a "requirements failure" (namely, the systems worked as designed, but in circumstances in which one would have preferred rather than they had done something else), and physical barrier built at the end of the runway, making the consequences of any overrun very severe.
In the intervening twenty years, most of the context (and content) of Figure 7.5 seems to have disappeared. The picture gets reproduced as the "Swiss Cheese Model" and, for example, pilots all over PPRuNe talk about "the holes in the cheese lining up" without often having the slightest idea of the analysis technique to which they are ultimately referring, or even the labels on the various "slices" of "cheese" whose holes line up.
Reason's model was specifically designed for analyses in which human error and organisational missteps and holes play a large role. I don't believe it is a general model of accident causation and as far as I know Reason has not promoted it as such. But sometimes things take on a life of their own.
The work reported in Chapter 7 of his book, including this diagram, is his own work, which has been informed by projects with many clients. Reason's group at the Uni Manchester worked with the Uni Leiden on Tripod-Delta for Shell Internationale Petroleum Maatschappij (now Shell International Exploration and Production BV). The project started in 1988. The technique was developed in various Shell operating companies in 1989-92, rolled out across Shell in 1993 and generally in 1996. The methods were developed later in REVIEW, for British Rail Research, and MESH, for British Airways Engineering, also at the Uni Manchester. The main programmer of REVIEW and MESH also wrote Tripod-Beta, which is also marketed by a Dutch firm with a similar name.
SM has suggested in previous notes here that, after Piper Alpha, other oil companies followed Shell's "lead" in developing safety cases, and has even suggested that safety cases derive from Shell's work. All of this is just wrong. I have asked him to correct himself (assuming SM is male), but he declines to do so. That may be because he simply doesn't know. He doesn't appear to know, for example, whence safety cases derive. And he doesn't appear to know who the main players in the safety-case development field are.
He seems in his latest note to be suggesting by implication that Reason's main intellectual work was also paid for by Shell. That is not what I understand. I think grants for this work, in so far as additional money was needed, came from the usual sources.
SM also presents himself as someone who knows about safety. But he doesn't know who I am, and replied rather rudely when I suggested that I know quite a lot about it.
So I wouldn't pay a whole lot of attention to what SM says, if I were you, without checking out what he says very carefully. I wish he would stop distorting matters and start producing worthwhile contributions to the ongoing safety discussion. On the other hand, if he did, then I might not have so many notes I can use again....
PBL