EUROCONTROL—Systemic Occurrence Analysis Methodology (SOAM)—A “Reason”-based organisational methodology for analysing incidents and accidents

doi:10.1016/j.ress.2006.08.010

Reliability Engineering & System Safety

Volume 92, Issue 9, September 2007, Pages 1162-1169

https://doi.org/10.1016/j.ress.2006.08.010 Get rights and content

Abstract

The Safety Occurrence Analysis Methodology (SOAM) developed for EUROCONTROL is an accident investigation methodology based on the Reason Model of organisational accidents. The purpose of a SOAM is to broaden the focus of an investigation from human involvement issues, also known as “active failures of operational personnel” under Reason's original model, to include analysis of the latent conditions deeper within the organisation that set the context for the event. Such an approach is consistent with the tenets of Just Culture in which people are encouraged to provide full and open information about how incidents occurred, and are not penalised for errors.

A truly systemic approach is not simply a means of transferring responsibility for a safety occurrence from front-line employees to senior managers. A consistent philosophy must be applied, where the investigation process seeks to correct deficiencies wherever they may be found, without attempting to apportion blame or liability.

Introduction

As a direct result of the runway incursion accident at Milan Linate airport (Italy in October 2001) and the mid-air collision near Überlingen (Germany in July 2002), EUROCONTROL¹ established a High Level European Action Group for Air Traffic Management (ATM) Safety (AGAS) to examine existing procedures and standards. The objective was to propose enhancements in ATM safety within the States of the European Civil Aviation Conference (ECAC).

By gathering together experienced safety experts from across the industry to scrutinise all aspects of ATM safety, AGAS was able to identify the areas where most benefit will be gained by improving safety in the short term. As a consequence a Strategic Safety Action Plan was structured to provide quick implementation solutions for improving ATM safety throughout Eight High Priority Action Areas:

1.
Safety Related Human Resources in ATM.
2.
Incident Reporting and Data Sharing.
3.
Airborne Collision Avoidance System.
4.
Ground-Based Safety Nets.
5.
Runways and Runways Safety.
6.
Enforcement of ESARRs and monitoring of their implementation.
7.
Awareness of Safety Matters.
8.
Safety and Human Factors Research and Development.

The Safety Occurrence Analysis Methodology (SOAM) has been developed to support the objectives of AGAS Priority Area 2, Incident Reporting and Data Sharing, by:

•
Providing an investigation methodology that can be applied locally by a large number of trained users, across a wide variety of occurrences. Occurrence data collection would then be a dispersed rather than centralised and specialised activity, increasing the potential quantity of data analysed.
•
Establishing a dedicated investigation terminology, providing a common language for trained users that facilitates data exchange and understanding of safety lessons.
•
Supporting Just Culture principles, which are closely aligned with the philosophy underlying the investigation technique (EUROCONTROL, 2003 [3]). A comprehensive training program to roll out the new process would incorporate awareness and education on the benefits of a Just Culture and of open reporting.
•
Providing standardised principles for Air Navigation Service Providers (ANSPs), investigators and airspace users on generating valid, effective remedial actions once contributing factors are identified.
•
Providing additional structure and focus to the common taxonomy for reporting and investigating ATM safety occurrences.

Most importantly, SOAM will support one of the most critical Harmonisation² objectives, by providing a common methodology for the identification of causal factors across the aviation industry. This has the potential to enhance Data Sharing and Lesson Dissemination by:

•
Providing a simple framework (based on principles drawn from the now widely disseminated and recognised Reason Model) for sharing safety information, covering in particular the contributing factors and remedial actions.
•
Standardising the way safety improvement actions are generated.
•
Making it simpler to summarise the outcome of real investigated occurrences for briefings and publication, for example in issues of Safety News.

Section snippets

Existing EUROCONTROL tools and techniques vs. SOAM

A common approach to the reporting and assessment of ATM safety occurrences is specified within EUROCONTROL Safety Regulatory Requirement 2—ESARR 2. In the past years EUROCONTROL has progressively developed and distributed a set of valuable tools and guidance materials in support of this requirement. Despite these activities, some shortcomings have been observed in the extent to which the key objectives of ESARR 2 are currently being achieved in practice.

When developing SOAM a thorough review

SOAM approach

The investigation philosophy on which the SOAM approach is based is adapted from ICAO Annex 13, as follows: “The fundamental purpose of safety investigation is the prevention of further occurrences. It is not our task to apportion blame or liability”.³

Safety occurrences are by definition

Summary

It is axiomatic that the goal of improved system safety will be served by conducting some level of investigation into all occurrences. Achieving this goal will be substantially assisted by the availability of a simple, systemic analysis methodology that can be applied reliably to all levels of occurrence.

While highly competent investigators will always be required for complex, high level investigations, SOAM is suitable for use with all levels of occurrence, and is particularly suitable for use

Acknowledgements

The authors are grateful to Emeritus Professor James Reason for his review, helpful comments and inspiration for this work.

References (9)

J. Rasmussen
Human errors: a taxonomy for describing human malfunction in industrial installations
J. Occup. Accid.
(1982)
E. Edwards
Man and machine: systems for safety
EUROCONTROL. EAM2/GUI5: Harmonisation of Safety Occurrence Severity and Risk Assessment. (Edition 1.0, 2005). Brussels:...
EUROCONTROL. EAM2/GUI6: Establishment of “Just Culture” Principles in ATM Safety Data Reporting (Edition 1.0 March...

There are more references available in the full text version of this article.

Cited by (28)

A method to identify investigative blind spots (MIBS): Addressing blunt-end factors of ultra-safe organizations’ investigation-work-as-done
2022, Safety Science
Citation Excerpt :
As a starting point in assessing and the describing the performance of safety management systems we can view them as other organizations that want to safeguard against (dangerous) failure. Modern investigative processes (Licu et al., 2007) usually involve a defense-in-depth approach (Reason, 1997). Going upwards in the organization from the accident (rather than simply back in time from individual actions), barriers and situational conditions are examined.
Ultra-safe organizations, such as Air Navigation Service Providers (ANSPs), have extensive safety management organizations and generally excellent safety records with very few serious incidents and accidents. This development has been supported by increasingly advanced and effective methods. However, recent research has uncovered how the application of even advanced incident investigation methods is subject to the same pressures of the reality of everyday work, similar to other safety-critical work tasks. They may therefore also have “incidents”, where all issues are not examined with desired thoroughness, and all recommendations are not formulated or implemented with desired effectiveness. This development may be driven by different factors. For instance, the economic pressure on ANSPs is arguably high in Europe’s competitive aviation market. This speaks for an efficient and pragmatic method for investigating organizational factors affecting incident investigation work. The foundation for such a method existed in prior research, in the form of lists of risk factors for investigative work. In this paper, we present the Method for identifying Investigative Blind Spots (MIBS). We also describe, compare, and assess its development and application, at a Swedish ANSP. Incident investigators were involved in a series of semi-structured workshops to identify possible “blind spots” in their own investigation practices (investigation-work-as-done), i.e. organizational factors that impede or otherwise affect the various phases of the investigative process (investigation-work-as-imagined). This resulted in a method description with an associated set of discussion cards that ultra-safe organizations can use to address blunt-end factors of their investigation-work-as-done.
A day when (Almost) nothing happened
2022, Safety Science
Citation Excerpt :
As a result, the system broke down for the third time. The organisation analysed the event using the Systemic Occurrence Analysis Methodology (SOAM), an accident investigation methodology developed for Eurocontrol and based on James Reason’s model of organisational accidents (Licu et al., 2007). The aim of SOAM is to go beyond the “active failures of operational personnel” by including an analysis of the latent conditions within the organisation that in many ways determine the context for the event.
A fundamental safety management assumption is the need to learn from accidents, to identify their causes, and to take steps to prevent their recurrence. Safety by prevention is, however, not the only solution. Since something cannot go well and fail at the same time, another approach is to learn from situations where things go well and where “nothing” seems to happen. In the present case a computer breakdown led to the loss of most of the information in an air traffic control system. The operators managed to compensate for the missing information and keep traffic flowing, although with reduced capacity, while the technical staff managed to restart the system. The same breakdown occurred two more times during the day but in both cases the operators were able to compensate. In the evening the computer system was restored and no further breakdowns happened. The organisation investigated the event but since it focused on the technical issues the lessons learned were in terms of new checklists, improved procedures, and stricter precautions. The paper presents an analysis from a different perspective that looks at what went well. This identifies a number of things that may contribute to make performance in the future even safer.
A new methodology for assessing human contributions to occurrences (MAHCO) in Air Traffic Management utilising a Bayesian hierarchical predictive coding approach to the brain, and the benefits for just culture
2022, Transportation Research Procedia
The traditional approaches to classifying Human Error have provided a strong and beneficial approach to understanding the roles of humans in safety occurrences. However, as the demand for human performance has increased and with the rise of more automation, the line between man and machine continues to become increasingly blurred. Traditional Human Error analysis techniques are no longer sufficient for extracting the most valuable learning data from occurrences. Furthermore, there is a continuing need to strengthen Safety and Just culture. One means to achieving this is through developing ever greater trust in the ability of organisations to accurately investigate and report occurrences. This paper outlines a new 10 step approach to investigating human contribution to occurrences which is based on a version of predictive situational awareness in the brain that is derived from hierarchical predictive coding approaches. Utilising statistically based induction, the steps allow investigators to make an objective reconstruction of sub-conscious human error analysis and integrate it with traditional subjective feedback on conscious decisions made. Examples of system data that can provide further evidence to support the reconstructions is also discussed. This approach has been tested on more than 50 human factors related occurrences in Air Traffic Control in 2021/2022 and the results are introduced. It is further argued that using a refined approach and educating operators on the approach can significantly benefit Just Culture and lead to increases in trust and frequency of reporting because it will allow for the removal of biases by individual investigators. Future research should focus on validating the approach against current methods and testing it for occurrences further away from front line operators such as in non-safety related decision making.
Learning from accidents: Interactions between human factors, technology and organisations as a central element to validate risk studies
2017, Safety Science
Citation Excerpt :
Many risk management approaches derive from the multi-barrier concept developed by Reason, believing that the underlying mechanisms causing organisational accidents can be correctly identified and properly managed. Human reliability approaches such as Human Factors Analysis and Classification System – HFACS (Shappell et al., 2007), Systematic Occurrence Analysis Methodology – SOAM (Licu et al., 2007) and the Sequentially Outlining and Follow-up Integrated Analysis – SOFIA (Blajev, 2002), and accident causation analysis methods such as Bow-Tie (Zuijderduijn, 2000) and Cause-Consequence Diagrams (Nielsen, 1971) are examples, to name but a few, of risk assessment techniques deeply aligned with Reason’s approach. Contemporary approaches on accidents causality models try to apply systems theory and system thinking (e.g. Leveson, 2011) to disclose deeper factors contributing to accidents, by adding higher hierarchical levels beyond immediate events and analysing the interactions among factors and broader circumstances.
Many industries are subjected to major hazards, which are of great concern to stakeholders groups. Accordingly, efforts to control these hazards and manage risks are increasingly made, supported by improved computational capabilities and the application of sophisticated safety and reliability models. Recent events, however, have revealed that apparently rare or seemingly unforeseen scenarios, involving complex interactions between human factors, technologies and organisations, are capable of triggering major catastrophes. The purpose of this work is to enhance stakeholders’ trust in risk management by developing a framework to verify if tendencies and patterns observed in major accidents were appropriately contemplated by risk studies. This paper first discusses the main accident theories underpinning major catastrophes. Then, an accident dataset containing contributing factors from major events occurred in high-technology industrial domains serves as basis for the application of a clustering and data mining technique (self-organising maps – SOM), allowing the exploration of accident information gathered from in-depth investigations. Results enabled the disclosure of common patterns in major accidents, leading to the development of an attribute list to validate risk assessment studies to ensure that the influence of human factors, technological issues and organisational aspects was properly taken into account.
System dynamics approach for modelling the variation of organizational factors for risk control in automatic metro
2017, Safety Science
Citation Excerpt :
Based on this, many methods of risk analysis were proposed to analyse the roles of humans and organizations. These methods include the following: Human Factors Analysis and Classification System (HFACS; Shappell and Wiegmann, 2000), Safety Occurrence Analysis Methodology (SOAM; Licu et al., 2007), Accident Analysis for Humans and Organizations (AcciMap; Svedung and Rasmussen, 2002), and Events and Causal Factors (ECF; Buys and Clark, 1995). These methods categorize the organizational factors to identify the types of errors, problems, or incorrect decisions and discuss the influence of organizational factors on the actions of humans and the equipment operation.
The automatic metro inspires a new way of thinking about the development of urban transportation systems, specifically how the overall system completes the automatic functions. The insights into the potential correlation between safety and system variation are crucial for safe and effective operation management in the automatic metro. Thus, this paper propose a system dynamics (SD)-based model to construct the operational feedback mechanisms of the automatic metro through investigation, interview, and empirical analysis of the Beijing and Shanghai metro systems, covering the aspects of organization resource assignment, organizational experience and avoidance of driver error. From the model, the variation trend of the dynamic processes can be used to analyse the key elements or variables over time. Three key factors (the safety policy, delay time for organizational experience, and resource assignment coefficient), are identified to evaluate the crucial linkage between safety and variation over time. The changing trend of system risk influenced by the combination of these three factors is further analysed to demonstrate how the functionalities of organization should be synchronized with the transformation of different grades of automation. The paper specifies an explicit framework that recognizes the relationships among the automation degree, organization policy and system risk at the macro level and comprehensively reveals the adaptation process of organization corresponding to the revolution process of the automation degree of the metro.
Learning from major accidents to improve system design
2016, Safety Science
Despite the massive developments in new technologies, materials and industrial systems, notably supported by advanced structural and risk control assessments, recent major accidents are challenging the practicality and effectiveness of risk control measures designed to improve reliability and reduce the likelihood of losses. Contemporary investigations of accidents occurred in high-technology systems highlighted the connection between human-related issues and major events, which led to catastrophic consequences. Consequently, the understanding of human behavioural characteristics interlaced with current technology aspects and organisational context seems to be of paramount importance for the safety & reliability field. First, significant drawbacks related to the human performance data collection will be minimised by the development of a novel industrial accidents dataset, the Multi-attribute Technological Accidents Dataset (MATA-D), which groups 238 major accidents from different industrial backgrounds and classifies them under a common framework (the Contextual Control Model used as basis for the Cognitive Reliability and Error Analysis Method). The accidents collection and the detailed interpretation will provide a rich data source, enabling the usage of integrated information to generate input to design improvement schemes. Then, implications to improve robustness of system design and tackle the surrounding factors and tendencies that could lead to the manifestation of human errors will be effectively addressed.

View all citing articles on Scopus

View full text