An Adapted View of Accident Causation for a Complex Web System

A few weeks back, a few other students and I gave a presentation on James Reason and his theories on human error. One of the topics we covered was accident causation in complex systems. In our presentation, I talked about the decisions and actions that led up to the King’s Cross Underground fire. Reason doesn’t apply much of his research directly to interactive systems so I thought it would be interesting to explore how the Web might fit into his framework for complex system disasters.

Reason’s framework is broken down into five planes. I’ll briefly describe each plane where necessary and then describe an event that could occur in each plane.

Fallible Decisions

In this step a high level decision maker such as the vice president of technology makes a fallible decision due to a conflict of interest between website production goals and quality assurance goals.

Event: an insufficient budget is given to the quality assurance of a particular website.

Line Management Deficiencies

Consequences of the fallible decision manifest themselves differently throughout the organization. The decision may have no effect on the design of the website, but it greatly affects quality assurance outcomes.

Event: quality assurance review begins on the website, but the insufficient budget results in a cut back on hours and time constraints on review. Because of these time constraints, every input on a particular form is not tested.

Psychological Precursors of Unsafe Acts

Psychological precursors don’t necessarily result from line management deficiencies or fallible decisions. They could arise from outside factors, but they’re mostly introduced directly by the human condition.

Event: time constraints cause stress and sleep loss, which further contribute to the potential of unsafe acts occurring.

Unsafe Acts

Unsafe acts are derived from a complex interaction of system influences and outside world. In the case of a website, the acts could be completed by users, website administrators or by the system itself. In the larger scheme, these are more than just unsafe acts. They’re unsafe acts committed in the presence of a potential hazard.

Event: a website end-user is purchasing a product and inputing information into the same form that was untested by quality assurance. This information is submitted and sent to the web server.

Inadequate Defenses

Few unsafe acts result in accidents, or in our case website errors. However, every aforementioned plane has windows of opportunity, which vary over time in their location and size. If this windows line up, the error opportunity is able to move through all planes and create an error.

Event: the web server is not able to accept information submitted and consequently generates an error.

Much of this framework seems pretty obvious, but it’s interesting to think about how very different interactive system errors can follow this same framework.