• Understanding how these models and theories evolved can help us more clearly see how our teams and organizations view accidents. Often, some models or parts are going to look very familiar.
  • The latent failure model is still very common. Elements are seen in many areas of accident investigation.
  • The idea of there being latent failures in the system that eventually cause accidents when exposed to certain conditions, is a step in the right direction in understanding systemic accidents, but doesn’t explain how they’re formed or how to prevent their forming.
  • Normal accident theory tells us that accidents tend to occur and should be expected in complex systems.
  • Normal accident theory primarily looks at systems along two dimensions, coupling (loose or tight) and interaction type (linear or complex)
  • These lines aren’t as sharp as they may seem as their definitions must relate to the people who are making the assessments, so can vary.

Normal Accident Theory

Normal accident theory was formed in the mid-80’s by Charles Perrow.

In systems with a lot of defensive barriers like medicine or aviation, they’re pretty well protected against single points of failure. The paradox according to Perrow is that because of the complexity induced by these defenses and their ability to limit visibility into the system, it’s much harder to see the beginnings of an accident and also difficult to stop it when it starts.

The things that make the system reliable become some of the things that make it complex. These are systems that are very large, have many specializations (so it can take a long time to learn a particular area), and are also tightly coupled, such that a change in one area directly affects another.

Perrow moved away from the idea of an individual anything, person, component or otherwise causing an accident but instead that “system accidents” are caused by the interaction of many things.

Though the accidents themselves may come from surprising interactions across various parts of the coupled system, normal accident theory tells us that there are accidents should be unsurprising. The more tightly coupled a system is and the more complex the more likely it is that it will suffer a “normal” accident.

Types of system interactions

It’s important to differentiate here between different types of system interactions, Linear and Complex, Perrow gives some contrasting examples:

Complex SystemsLinear SystemsTight spacing of equipmentEquipment spread outProximate production stepsSegregated production stepsMany common-mode connections of components not in productionCommon-mode connections limited to power supply and environmentLimited isolation of failed componentsEasy isolation of failed componentsUnfamiliar and unintended feedback loopsFew unfamiliar and unintended feedback loopsIndirect or inferential information sourcesDirect, on-line information sourcesPersonnel specialization limits awareness of dependenciesLess personnel specializationLimited understanding of some processesExtensive understanding of all processes

In this view, systems can either be linear or complex. But they can also be tightly coupled or loosely coupled. Perrow again provides some contrasting examples:

Tight couplingLoose couplingDelays in processing not possibleProcessing delays possibleInvariant sequencesOrder of sequences can be changedBuffers and redundancies exist but are limited to what has been deliberately designed inBuffers and redundancies availableOnly one method to achieving goalAlternative methods available

Perrow saw these two properties being at odds as a big problem. He believed that a system with high interactive complexity could only cope with it well by having a decentralized organization. On the other hand, an organization that was tightly coupled needed a centralized organization.

What to do when an organization was interactively complex and tightly coupled. That is where the problem lies in Perrow’s view, since in his view, an organization can’t be both centralized and decentralized at the same time. This means that under this view, systems that occupy that space can’t be controlled well.

Of course, an organization can be centralized in some places and decentralized in others. They can be centralized in how they set and distribute policy and procedure, but still allow decentralized decision making in the field. EMS comes to mind for this. There are a lot of procedures, Federal standards, etc.., but there are problems that aren’t specifically covered that one must make decisions for when the time comes.

In normal accident theory, “human error,” is a label for the problems that occur when you have systems that are interactively complex and tightly coupled. Perrow also recognized that the label could also be influenced by politics, saying:

“Formal accident investigations usually start with an assumption that the operator must have failed, and if this attribution can be made, that is the end of serious inquiry. Finding that faulty designs were responsible would entail enormous shutdown and retrofitting costs; finding that management was responsible would threaten those in charge, but finding that operators were responsible preserves the system, with some soporific injunctions about better training.”

Issues arise in this normal accident theory because when looking at those two dimensions, complexity and coupling, it has to be relative to the people. We can’t say that a system has unintended feedback loops or that there is a limited understanding of its processes is, without considering both the human the system.

Because of this, those two dimensions cannot really be as sharply divided and separate things as normal accident theory suggests. Further, even if those measures would be true of a system, they wouldn’t necessarily stay that way. Coupling can increase during high demand periods and be lower in others.