Safety Science 47 (2009) 1007 1015. Contents lists available at ScienceDirect. Safety Science. journal homepage: www.elsevier.



Similar documents
Unit A Managing Health and Safety

An Analysis of Accidents Caused by Improper Functioning of Machine Control Systems

Occupational safety risk management in Australian mining

Accident Investigation Methods and Procedures

Methods for accident investigation

INTOSAI. Performance Audit Subcommittee - PAS. Designing performance audits: setting the audit questions and criteria

Accident Investigation

Root Cause Analysis for IT Incidents Investigation

Incident Investigation Procedure

CODE OF PRACTICE. Safety Management. Occupational Safety and Health Branch Labour Department CODE OF PRACTICE ON SAFETY MANAGEMENT 1

Chapter 1: Health & Safety Management Systems (SMS) Leadership and Organisational Safety Culture

Safety Regulation Group SAFETY MANAGEMENT SYSTEMS GUIDANCE TO ORGANISATIONS. April

EXECUTIVE SAFETY LEADERSHIP

Managing Occupational Safety and Health in Schools

GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY. 1. Occupational Health and Safety Policy Statement 1

PSPMS an airline operational data model for a predictive safety performance management system

NEBOSH National Diploma in Occupational Health & Safety UNIT NDA MANAGING HEALTH AND SAFETY. element A2: LOSS CAUSATION AND INCIDENT INVESTIGATION

How To Improve Safety In The Nhs

Fit work to people: How can national occupational health regulation work in practise

Comparison of Management Oversight and Risk Tree and Tripod-Beta in Excavation Accident Analysis

3.0 Risk Assessment and Analysis Techniques and Tools

3.4.4 Description of risk management plan Unofficial Translation Only the Thai version of the text is legally binding.

HOW TO MODEL AND EVALUATE THE INCIDENT REPORTING PROCESS OF A COMPANY?

Preparation of a Rail Safety Management System Guideline

ISRS. For the health of your business SAFER, SMARTER, GREENER

Edwin Lindsay Principal Consultant. Compliance Solutions (Life Sciences) Ltd, Tel: + 44 (0) elindsay@blueyonder.co.

Controlling Risks Risk Assessment

Application of Domino Theory to Justify and Prevent Accident Occurance in Construction Sites

CFSD 21 ST CENTURY SKILL RUBRIC CRITICAL & CREATIVE THINKING

Clients in Construction Best Practice Guidance

Accident Investigation Basics

Human factors is the term used to describe the interaction

Fairfield Public Schools

The purpose of Capacity and Availability Management (CAM) is to plan and monitor the effective provision of resources to support service requirements.

)LQDQFLDO$VVXUDQFH,VVXHV RI(QYLURQPHQWDO/LDELOLW\

Safety Management Systems (SMS) guidance for organisations

PSPSOHS602A Develop OHS information and data analysis and reporting and recording processes

PLEASE DO NOT REMOVE THIS PAGE

Hazard Identification and Risk Assessment in Foundry

Pedestrian Struck By Forklift

How to investigate an Accident and Incident.

Accident Investigations -- ISRI Safety Council

The use of statistical problem solving methods for Risk Assessment

Qualitative methods for effectiveness evaluation: When numbers are not enough

The application of root cause analysis for definition of scenarios in automotive domain

Model Safety Program

THEORIES OF ACCIDENT CAUSATION

An approach for evaluating methods for risk and vulnerability assessments

EFFECTIVE ROOT CAUSE ANALYSIS AND CORRECTIVE ACTION PROCESS

Elevator Malfunction Anyone Going Down?

Applied health and safety

How To Develop Software

Nuclear Safety Council Instruction number IS-19, of October 22 nd 2008, on the requirements of the nuclear facilities management system

NORWEGIAN PROJECT MANAGEMENT PRINCIPLES APPLIED IN THE JURONG ROCK CAVERN PROJECT

PSPSOHS606A Develop and implement crisis management processes

Integrated Barrier Analysis in Operational Risk Assessment in Offshore Petroleum Operations

The challenge of corporate safety and security

Fault Tree Analysis (FTA) and Event Tree Analysis (ETA)

Position Classification Standard for Management and Program Clerical and Assistance Series, GS-0344

Managing EHS Incidents Using Integrated Managment Systems. By Matt Noth

Implementation of a Quality Management System for Aeronautical Information Services -1-

Exploring the directions and methods of business development. A comparative multiple-case study on Ikea and Vodafone

Georgia Department of Education

CONSTRUCTION HEALTH AND SAFETY, AND INJURY PREVENTION Research and develop accident and incident investigation procedures on construction sites

PERCEPTION OF BUILDING CONSTRUCTION WORKERS TOWARDS SAFETY, HEALTH AND ENVIRONMENT

THE CONCEPT OF HUMAN AND ORGANIZATIONAL FACTORS IN RISK ASSESSMENTS IN THE NORWEGIAN OFFSHORE PETROLEUM INDUSTRY

Introduction. Chapter 1

Identifying the potential roles of design-based failures on human errors in shipboard operations

ACHIEVING COMPLIANCE THROUGH PEOPLE: TRAINING SUPERVISORS TO TACKLE PROCEDURAL NON-COMPLIANCE

MODEL REGULATION SAFETY MANAGEMENT SYSTEM REGULATION. International Civil Aviation Organisation

PHARMACEUTICAL QUALITY SYSTEM Q10

Master of Science in Risk Management and Safety Engineering at Lund University, Sweden. Johan Lundin & Robert Jönsson

INCIDENT/ACCIDENT INVESTIGATION AND ANALYSIS

Elements of an Occupational Health and Safety Program

Effectiveness of Customer Relationship Management Programs

P3M3 Portfolio Management Self-Assessment

GFMAM Competency Specification for an ISO Asset Management System Auditor/Assessor First Edition, Version 2

ENVIRONMENTAL, HEALTH AND SAFETY PERSONNEL MANAGEMENT LEVELING GUIDE

TURIZAM Volume 16, Issue (2012) Financial Accountant Versus Managerial Accountant in the Hotel Business System

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment

STAGE 1 COMPETENCY STANDARD FOR PROFESSIONAL ENGINEER

ALARM PERFORMANCE IMPROVEMENT DURING ABNORMAL SITUATIONS

Risk Management Services

Shell s Health, Safety and Environment (HSE) management system (see Figure 11-1) provides the framework for managing all aspects of the development.

Asset Management Systems Scheme (AMS Scheme)

ACCIDENT PREVENTION PLAN. A Sample Plan for Counties

Key functions in the system of governance Responsibilities, interfaces and outsourcing under Solvency II

How to Develop a Research Protocol

Programme Regulations Business Administration with pathways in Human Resource Management, International Business and Marketing.

CHAPTER I INTRODUCTION

Subject: Establishment of a Safety Management System (SMS)

International Engineering Alliance. Glossary of Terms Ver 2: 15 September 2011

June 2010 HEALTH, SAFETY, AND ENVIRONMENT MANAGEMENT SYSTEM (HSEMS)

Transcription:

Safety Science 47 (2009) 1007 1015 Contents lists available at ScienceDirect Safety Science journal homepage: www.elsevier.com/locate/ssci Towards an evaluation of accident investigation methods in terms of their alignment with accident causation models Panagiota Katsakiori a, *, George Sakellaropoulos b, Emmanuel Manatakis a a Department of Mechanical Engineering and Aeronautics, University of Patras, 26 504 Rion, Greece b Department of Medical Physics, School of Medicine, University of Patras, Greece article info abstract Article history: Received 1 April 2008 Received in revised form 4 November 2008 Accepted 7 November 2008 Keywords: Accident causation models Accident investigation methods The purpose of this paper is to reflect on accident causation models and accident investigation methods. Theories on accident causation and the modelling of accident mechanisms, as well as a number of methods for accident investigation have been developed and described in the literature. The evolution of accident causation models over time shows a shift from the sequence of events to the representation of the whole system. Respectively, the evolution of accident investigation methods over time reveals a gradual shift from searching for a single immediate cause, to the recognition of multiple causes. In order to evaluate the accident investigation methods, specific plausible requirements were established in order to verify that a specific accident investigation method fulfils the principles of a specific accident causation model or give evidence to the degree of alignment between them. Since different models approach accident causation in different ways, methods linked to these models provide fragmentary information regarding the accident. It is therefore expected that using a combination of model-method pairs could provide a more reliable platform for accident analysis. Ó 2008 Elsevier Ltd. All rights reserved. 1. Introduction 1.1. Accident causation models Theories on accident causation and the modelling of accident mechanisms abound in the literature. The first accident causation model, also known as the domino theory, is developed by Heinrich (1941) and implies the linear one-by-one progression of events leading to the accident. Bird (1974) proposed the first update of the domino theory, which was 2 years later detailed by Bird and Loftus (1976). As certain publications highlight (Kjellén, 1987; HSC, 1993), both Heinrich and Bird s models explain accident causation as a one-dimensional sequence of events. Multi-causality of accidents was introduced by Reason (1990) by the end of the 1980s. According to Reason, the accident causation process is an interaction between latent and active failures and in order to avoid this interaction, the pro-active involvement of top management is essential. Active failures are the immediate observable causes in an accident and they are easily identified. In contrast, latent failures may be present in the system for many years, before being revealed by active failures and they are difficult to detect, as they are hidden in the organisation (e.g.: poor design, gaps in supervision, lack of training). * Corresponding author. Tel.: +30 210 6015656; fax: +30 210 6669143. E-mail address: pkatsak@upatras.gr (P. Katsakiori). In the safety science, the significant contribution of human errors to accidents is also widely recognised. Rasmussen (1987) suggested the SRK framework for Skill-, Rule-, and Knowledge-based behaviour in order to distinguish between three different levels of human cognitive control of the environment. This framework was chiefly meant to support the understanding of human cognition in different situations characterised by the level of familiarity. A well-known behaviourist model of the late 1980s, which links the work of Rasmussen and Reason and is based on attribution theory, is that of Hale and Glendon (1987). Attribution theory is concerned with how people process information in determining the causality of events (Lacroix and Dejoy, 1989). The Hale and Glendon model considers that danger is always present in the workplace and conceptualises the role of human action in controlling danger, i.e. it investigates the factors affecting the individual behaviour in the face of danger and it shows how people may, through their actions, create danger and also how they are able to control that danger and prevent harmful outcomes. According to Kingston Howlett (1996; cited by Jacinto, 2003), the Hale and Glendon model is concerned with the non-observable elements of the system: perceptions and decisions. Despite the criticism the model received, it has been recognised as valid and useful, in the context of people at all levels in organisations, and at various degrees of remoteness from the immediate danger (HSC, 1993). With the arrival of the socio-technical approach, the general theory regarding accident causation is that safety performance is influenced by internal (e.g. safety culture) or external factors (e.g. 0925-7535/$ - see front matter Ó 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.ssci.2008.11.002

1008 P. Katsakiori et al. / Safety Science 47 (2009) 1007 1015 regulatory and governmental issues). Among models developed in the 1990s for the assessment of safety in this broader context, Rasmussen (1997) presented a multi-level model of a socio-technical system, with various actors, ranging from legislators, over managers and work planners, to system operators. The socio-technical system is decomposed according to organisational levels, which are then objects of study within different disciplines, and the general approach is to explicitly identify the boundaries of safe operation, make them known to the actors and give them an opportunity to learn to cope with the boundaries. According to Kirwan (2001), Rasmussen s socio-technical framework can be used to look at the causes of accidents, not merely focusing on individuals, but tracing back to the accident s real root-causes. However, this sophisticated approach is most suited for complex and high-tech organisations. In parallel with the socio-technical approach, the 1990s also witnessed new developments regarding the analysis of human and organisational errors. Two leading researchers in this field are Reason (1997) and Hollnagel (1998). Later developments of Reason s work (1997) include a more elaborate model of organisational accident causation, which shows the influence and pathway of latent failures and outlines three levels of concern: the organisation, the workplace and the person (or team). In his model, Reason considers the causal sequence, from organisational factors, to local workplace conditions, to individual (or team) unsafe acts, to failed defences and bad outcomes. Although Reason s model has had a major impact on the way in which accidents are conceptualised, O Hare (2000) criticizes it for being difficult to apply as a practical tool and he proposes his own framework, known as the wheel of misfortune. The basic structure of the model is based on Helmreich s (1990) concentric spheres representing front line personnel, local and global conditions with an associated classification scheme. Hollnagel (1998) is, as mentioned earlier, another leading theorist from the 1990s, who proposed the method CREAM (cognitive reliability and error analysis method). Hollnagel makes a distinction between causes (genotypes) and effects (phenotypes or manifestations) and describes the full context in which errors and accidents occur. If we try to make a classification of the accident models presented above, we can divide them in three major groups. The first is sequential accident models, a term also used by Hollnagel (2002), which describe the accident as a sequence of events in a specific order, e.g. the domino theory. The second is human information processing accident models, a term also used by Lehto and Salvendy (1991), which describe the accident in terms of human behaviour and actions, e.g. SRK framework by Rasmussen, CREAM by Hollnagel, the Hale and Glendon model and the third is systemic accident models, a term also used by Hollnagel (2002), such as Reason s model which include organisational and management factors and describe the performance of the whole system. This distinction is not obligatory, i.e. an accident model can be classified into different ways, based on the specific approach endorsed. Laflamme (1990) classified accident causation models that are most quoted in the literature into four different approaches: decisional, sequential, energetic and sequential and organisational models. Lehto and Salvendy (1991) made a distinction of accident causation models into three groups: general models of the accident process, models of human error and unsafe behaviour and models of human injury mechanics. Kjellén (2000) described five categories of models: causal-sequence, process, energy, logical tree and SHE-Management. Hollnagel (2002) classified the accident models into sequential, epidemiological and systemic. Attwood et al. (2006), in their literature review of occupational accident models, presented the early accident models, the models based on holistic approaches and the primarily quantitative and statistical models. Svenson (1999) states: an accident can be explained in different ways depending on the accident analysis model that is used. This is because different models focus on different aspects and are associated with different recommendations for improvement. 1.2. Accident investigation methods During the last decades, a number of methods for accident investigation have been developed and described in the literature. The selection of methods for the needs of our study was made on the basis that they are described in the literature, they show the evolution of accident investigation over time and they are either widely used or recently developed. Based on these criteria, the following methods were selected: 1.2.1. Fault tree analysis (FTA) FTA was developed in the early 1960s by the Bell Laboratories (Ferry, 1988). In FTA, an undesired event (an accident) is selected and all the possible things that can contribute to the event are diagrammed as a tree in order to show logical connections and causes leading to a specified accident. FTA is more an analytical tool for establishing relations; it does not give the investigator any particular guidance for gathering the information. The analysis starts with the top event (the undesired event) which should be carefully defined and then it proceeds backwards. The top event is linked to preceding events and conditions (such as technical factors, human actions) by two logic gates (the AND and OR gate). The use of the tree allows investigators to represent graphically the logical combinations of causes of the defined top event. In this way, a causal sequence of logical relations (necessary and/or sufficient conditions) is established. FTA is the most widely used of the tree techniques. 1.2.2. Management oversight and risk tree (MORT) Johnson developed MORT in 1973 for the U.S. Atomic Energy Commission (Johnson, 1980). In MORT, the accident is defined as an unwanted energy transfer because of inadequate energy barriers and/or controls. The method follows the energy transfer and deviation concepts. Fact finding aims at identifying hazardous forms of energy and deviations from the planned and normal production process. The MORT diagram is a logic tree (the accident being the top event) with three main branches: S-factors, the specific oversights and omissions associated with the accident being investigated, R- factors or assumed risks, which are risks known but for some reason not controlled, and M-factors, which are general characteristics of the management system that contributed to the mishap. The various elements in the tree are numbered and these numbers refer to a list with specific questions that the analyst should pose. Analysis involves going through all elements in the tree and making an assessment of each, based on two assessment levels: satisfactory and less than adequate (LTA), in order to examine the adequacy of measures. The method provides a large checklist to help investigate the facts and look for evidence, it permits a large number of problems to be identified and it prompts the investigator to look not only for direct causes, but also for causal contributions at the management and organisation levels. 1.2.3. Multilinear events sequencing (MES) Ludwig Benner developed MES in the mid 1970s (Benner, 1975). MES is a charting technique, which shows events chronologically ordered on a time-line basis. It is based on the view that an accident begins when a stable situation is disturbed. A series of events can then lead to an accident. The method distinguishes between actors, actions and events. Actors can be people, equipment, sub-

P. Katsakiori et al. / Safety Science 47 (2009) 1007 1015 1009 stances while actions are anything carried out by an actor. Events are the unique combination of one actor plus one action. The aim of the method is to help the analyst to identify the main actors and their actions and map the relations between the events along a flexible time line. The final product is thus an accident logic chart with the events, actors and actions sequentially placed. 1.2.4. Systematic cause analysis technique (SCAT) The International Loss Control Institute (ILCI) developed SCAT in the late 1980s (Kjellén and Hovden, 1993), having its roots on the Heinrich s domino theory (1941) and its updated version by Bird (1974). SCAT is presented as a chart which contains five blocks corresponding to five stages in the accident causation process. The first block contains space to write the accident description, the second block lists the most common categories of contact that could have led to the accident. The third block lists the most common immediate causes of this contact, while the fourth block identifies underlying causes. The final block lists safety management practices that should be addressed to prevent accidents from occurring. The method makes use of checklists, which contain questions about personal and job factors (the second block) and questions corresponding to the elements of a safety management system designed by the ILCI. The preventive philosophy relies upon the removal of one of the blocks, or in erecting barriers to prevent the energy transfer in the sequence. 1.2.5. Causal tree method (CTM) Leplat (1978) originally developed CTM in the late 1970s for the French Institut National de Recherche et de Sécurité (INRS); for this reason, CTM is often called the INRS method. It belongs to the category of Tree Techniques and the basic idea is that accidents result from variations or deviations in the usual process. There are four classes of variations: those related to the individual, the task, the equipment and the environment, respectively. The tree starts with the end event (the accident) and works backwards. The facts relating to the accident are used in the construction of the causal tree. The end event is the starting point and only the facts that contributed to the accident should be selected. The analyst has to identify and list the variations and then display them in the analytic tree, showing causal relations. 1.2.6. Occupational Accident Research Unit (OARU) Kjellén and Larsson (1981) developed OARU for the Occupational Accident Research Unit (OARU) of the Royal Institute of Technology in Stockholm Sweden. The method has two levels of reasoning: describing the accident sequence, and finding the determining factors. The state of lack of control is characterised by the presence of deviations in the system. The accident sequence has three phases: the initial (when there are deviations from the normal process), the concluding phase (which is characterised by loss of control and ungoverned flow of energy), and the injury phase (where energy meets the human body and causes physical harm). Determining factors are technical, organisational and social properties of the production system that affect the accident sequence. Checklists of deviations (in the initial phase of the accident sequence) and of determining factors were developed to support the investigation. The original model has not survived the test of time (Kjellén and Hovden, 1993) and the main reason for this abandon had to do with lack of input from the (human) information-processing theory (Larsson, 1993). 1.2.7. TRIPOD TRIPOD was developed in the mid 1990s in a joint project by the University of Leiden (The Netherlands) and the University of Manchester (UK), for use in the oil industry (Wagenaar et al., 1994). TRIPOD follows Reason s accident causation model. The idea behind TRIPOD is that organisational failures are the main factors in accident causation. An accident occurs when one or more barriers (controls/defenses) fail. Unsafe acts (active failures) are the direct reason for the failure of barriers which do not just occur but they are generated by underlying mechanisms acting in organisations. These mechanisms are called general failure types (GFTs) and they cover human, organisational and technical problems. The method has 11 categories of GFTs in order to classify deficiencies in the working situation. The aim of TRIPOD analysis is to produce a profile (by means of a bar graph) of the extent to which the 11 GFTs are present in the organisation. 1.2.8. Accident evolution and barrier function (AEB) AEB was developed in 1991 by Svenson and co-workers in a study conducted for the Swedish Nuclear Power Inspectorate (SKI) and the Netherlands Institute for Advanced Study in the Humanities and Social Sciences (Svenson, 2000). The AEB approach is a stand-alone method and addresses, as a central concept, safety barriers and their functions. An accident is modelled as a series of interactions between human and technical systems. The main principle is that it is possible to stop/interrupt the development of the sequence between any two successive errors (human or technical) through adequate barrier functions (Harms-Ringdahl, 2001). Barrier function systems are systems performing the barrier functions and might consist of an operator, an instruction, an emergency control system. The aim of investigation with AEB is to describe the accident evolution in a flow diagram, showing human and technical errors. The diagram also shows barrier functions related to specific errors. If a particular accident happened, it is because all the barrier functions in the sequence must have broken, been ineffective or inexistent. 1.2.9. Integrated safety investigation methodology (ISIM) ISIM was developed in 1998 by the Transportation Safety Board (TSB) of Canada and it follows Reason s (1990) accident causation model (Ayeko, 2002). The method starts with the collection of information regarding personnel, tasks, equipment and environmental conditions involved in the occurrence in order to determine the sequence of events and identify underlying factors and unsafe conditions. The next step is to assess the level of risk associated with such unsafe conditions or underlying factors and examine the status of barriers (physical or administrative) in order to identify those that are less than adequate. ISIM forces the investigator to look beyond the actions and decisions of front-line operators and into the latent unsafe conditions in the work system that provided the opportunity for the expression of those actions. Once the safety deficiencies have been identified, options for controlling risk have to be considered. The goal of ISIM is to ensure that both accident investigation and safety deficiency analysis are integrated. The risk control option analysis is a key step of ISIM aiming at generating recommendations and strategies for safety improvement. 1.2.10. Norske Statesbaner (NSB) NSB was developed in the early 2000s by the Norwegian State Railways (Norske Statesbaner NSB) for the analysis of accidents in the Norwegian railway sector. The method integrates the approaches of both Reason (1997) and Hollnagel (2002) and focuses on human, technical and organisational interaction (Skriver et al., 2003). The method identifies the sequence of events and where barriers were broken or missing, and it uses a questionnaire, addressing factors such as procedures/documentation, training, communication, human-systems interface, tools and equipment, work preparation and local management, organisational management, work environment and task completion. The latter focuses on the task and individual characteristics.

1010 P. Katsakiori et al. / Safety Science 47 (2009) 1007 1015 1.2.11. Work accidents investigation technique (WAIT) WAIT was developed by Jacinto and Aspinwall (2003). It integrates the theoretical approaches developed by Reason (1997) and Hollnagel (2002). The method has a questionnaire and provides specific guidance for gathering the information and it comprises two sequential phases, starting with a simplified investigation followed by a second in-depth analysis. The first allows the identification of active failures in the sequence of events and the consequences. The simplified process also identifies influencing factors associated with the working environment and the workplace, for each of the identified active failures. The in-depth analysis includes the identification and analysis of individual and job factors and it finishes with the identification of organisational and management deficiencies. 1.2.12. Health and Safety Executive (HSG245) HSG245 was developed in 2004 by the Health and Safety Executive (HSE) in order to provide a workbook for employers, unions, safety representatives and safety professionals (HSE, 2004). It follows Reason s accident causation model. The starting point is the event and the method provides aids for finding facts with specific structured questions. The aim of the analysis is to set out the reasons why this happened and find immediate, underlying and root causes. Immediate cause can be the agent of injury, underlying causes are unsafe acts and conditions and root cause is the failure from which all other failings grow, often remote in time and space from the accident. A checklist with underlying and root causes is also provided. 1.2.13. Control change cause analysis (3CA) 3CA was developed by Kingston (2007) and it was originally developed as an adjunct a cooperative project run by Humber Chemical Focus and the UK HSE in 2000. Although it does not follow a specific accident causation model, it can be considered as systemic because it covers the management system. The 3CA investigator views an accident/incident as sequence of events in which unwanted changes occur. In terms of fact finding, the method is designed to identify events in the sequence which are significant in the sense that they reduce control and allow further unwanted changes to occur. With the set of significant events established, the investigator can identify barriers and controls that could have prevented them or limited their effects, can then establish the shortcomings of each barrier/control and reason about the processes and management arrangements that allowed the barrier or control problems to exist at the time of incident. 1.2.14. Objective and goal The objective of this work is to make an evaluation of the above described accident investigation methods and find the corresponding alignment with the accident causation models. Its goal is to relate accident investigation methods to the theoretical model underlying the approach, evaluate the practical value of accident causation models and their application and help investigators make a choice between the large number of methods available, based on the requirements the methods fulfil. 2. Evaluation framework of accident investigation methods In order to evaluate the accident investigation methods, specific requirements need to be established. Wagenaar and van der Schrier (1997) specified six requirements that an accident analysis method should follow: the method should be revealing, quantitative, valid, reliable, practical and consequential. Sklet (2004) compared some selected methods for accident investigation according to the following characteristics: whether the methods give a graphical description of the event sequence or not, to what degree the methods focus on safety barriers, the level of scope of the analysis, what kind of models influenced the methods (based on the distinction made by Kjellén (2000), whether the different methods are inductive, deductive, morphological or non-system oriented). The research was based on the hypothesis that different accident causation models affected the accident investigation methods. It was further hypothesized that apart from the influence of models on methods, certain attributes associated with the methods could be devised. In order to develop an accident investigation method, the user requirements should be taken into account and they should be specified in terms of the user profile, e.g. Labour Inspectors are expected to perform an accident investigation focusing on legal violations; the method should therefore fulfil, among other requirements, the legal requirement. However, certain attributes are common prerequisites in the specification of any methods, despite the differences in the selection of requirements/characteristics in various studies, as shown above. In our study, the requirements selected belong to the common prerequisites of any method and were developed from a consideration of the generally acknowledged purposes for accident investigation. In order to evaluate an accident investigation method, one requirement to consider is which group of accident models, presented in Section 1.1, influenced the methods. This requirement is a prerequisite because accident models influence the accident causation view of the investigators. Besides, the specification of requirements for the evaluation of methods comprises two useful aspects. On the one hand, an accident investigation method should be rather detailed, make a clear distinction between immediate and underlying causation factors, allow recommendations to be formulated and be practical. On the other hand, it should take into account the convergent interests of the investigators and the statisticians. The first investigate and analyse the accidents, whereas the latter compile and register data for the production of official statistics. The issue of validation is a prerequisite in this case. By testing the validation of each method, conclusions can be made if various investigators reach the same conclusions (the method is reliable) and if the method demonstrates that the findings will be present in future accident scenarios (the method is valid) (Jacinto, 2003). The selected accident investigation methods are thus evaluated according to the following requirements: Which group of accident models influenced the accident investigation methods. Whether the accident investigation methods provide a detailed description of the accident (descriptive requirement). Whether the accident investigation methods search for underlying causes (revealing requirement). Whether the accident investigation methods generate recommendations for improved safety (consequential requirement). Whether the methods have been validated (validation requirement). The need for education and training in order to use accident investigation methods (practical requirement). The application field of each method. 3. Results and discussion 3.1. Influence of models on methods Accident causation models explain possible causation mechanisms of accidents, based on rather theoretical hypotheses. One single accident causation model can provide the basis for many dif-

P. Katsakiori et al. / Safety Science 47 (2009) 1007 1015 1011 ferent accident investigation methods. An accident causation model describes a scenario for the accident occurrence, irrespective of the specific setting. Accident investigation methods, in contrast with models, are very specific. They are practical tools, designed with the purpose of helping a specific user (person) to accomplish a specific task (investigation and analysis) in a specific setting. A certain accident investigation method is not necessarily linked to a specific accident model: it can be a tool of its own. FTA, MES, CTM and tree techniques, in general, are not based in any known theoretical model of accident causation. They simply represent the logical interrelationships between causes and events. Although, tree methods are general graphic techniques and they are not linked to a particular model of accident causation, there can be exceptions: MORT, for instance is a special predefined tree, which considers both management failures and management decisions thus, it can be classified as both a tree technique and systemic approach. However one might consider that the representation of interrelationships between causes and events which tree techniques offer, provides a theoretical simplification of an object under study and thus a model of that object. Harms-Ringdahl Fig. 1. Correspondence of accident causation models and accident investigation methods.

1012 P. Katsakiori et al. / Safety Science 47 (2009) 1007 1015 (2001) considers that FTA utilizes an accident model in terms of combinations of binary events (these events are assumed to be capable of either occurring or not). According to Leplat (1978) who developed CTM, the relations which form the basis of the tree refer to a model of the activity. SCAT is a method, which has its roots on the Heinrich s domino theory and its updated version by Bird but it also makes use of checklists, which contain questions about personal and job factors, plus another list with questions, corresponding to the elements of a safety management system designed by the ILCI; it can thus be classified as a sequential, human information processing and systemic approach. The OARU method describes the accident sequence and it can be considered that it is based on a sequential model. The systemic accident causation models influence TRIPOD, HSG245 and 3CA whereas the AEB method is a generic and standalone method, a tool of its own as the tree techniques. ISIM, NSB and WAIT include the analysis of human and system interfaces. In terms of the influence of models on methods, an example is provided in an attempt to show alignment signs of WAIT and TRI- POD with Reason s causation model, on which these two methods are explicitly based. Reason considers the causal sequence from organisational factors (latent conditions) to local workplace conditions, to individual (or team) unsafe acts (active failures) to failed defences and bad outcomes. The pathway of workplace conditions may contribute to both active and latent conditions. WAIT uses the concepts of active failures and latent conditions from Reason s model, as sub-dimensions of causal factors. The method first identifies influencing factors related to each unsafe act (active failure) in order to describe the specific context in which the active failure occurred. Once active failures and influencing factors have been identified, the investigator needs to find cause-effect relationship by looking at individual and job factors. Job factors will include some of the issues listed for the identification of immediate factors because according to Reason, local workplace factors may contribute to both active failures and latent conditions. The next step of WAIT is to find organisational and management weaknesses hidden in the organisation (latent conditions). The idea behind TRI- POD is also that organisational failures are the main factors in the accident causation. The method treats the accident occurrence as a failure/ineffectiveness of barriers (controls or defenses). The direct reason for the failure/ineffectiveness of barriers is the unsafe act (active failure). One active failure per failing control/defense is given and once the active failures are identified, the method searches for preconditions which encouraged the occurrence of active failures and latent conditions, deep rooted, longer existing problems in the organisation. In both methods, following Reason s model, the inquiry begins with the unsafe acts (active failures) and then considers the specific context of accident causation (WAIT searches for influencing factors while TRIPOD for failing controls/ defenses). In both cases, the next step is to consider the local conditions which could have shaped or provoked each active failure (WAIT searches for underlying individual and job factors while TRI- POD for preconditions) and both methods end with the identification of latent conditions. A diagram of the correspondence of accident causation models and accident investigation methods is shown in Fig. 1. 3.2. Descriptive requirement Each accident investigation method should provide guidance in order to identify the complete set of facts (events and circumstances) relevant to the accident and the theoretical understanding behind the search. Concerning the descriptive requirement, almost all accident investigation methods provide a detailed description of the events and circumstances surrounding the accident. There is an exception with the tree techniques such as FTA which may help to order the complex information about an accident that has happened, but the construction of the tree depends on the analyst s skills and ability to conduct the analysis (Wagenaar and van der Schrier, 1997) and CTM technique which requires that working conditions are well known, in order to determine unusual conditions or events. (Table 1, column 2.) 3.3. Revealing requirement Each accident investigation method should be revealing, which means that it distinguishes between events and underlying causes, in order to guarantee that the investigator will think about underlying causes, which are the less obvious reasons for an accident happening. Regarding the distinction between events and underlying causes (revealing requirement), all investigation methods satisfy the requirement except for the FTA and MES, which do not go beyond the immediate causes, and AEB. The identification of an underlying cause of an accident by using the AEB method is meaningless because the method has the objective to understand why a number of barrier functions failed and how they could be rein- Table 1 Evaluation of accident investigation methods. Accident investigation method Requirements Descriptive Revealing Consequential Validation Practical Application field FTA YES/NO NO YES/NO NO NO Technique adopted by the Dept. of Defense, USA MORT YES YES YES/NO NO NO Best suited for large and bureaucratic organisations, the technique has been applied in the nuclear industry MES YES NO YES NO YES Use at the US National Transportation Safety Board. CTM YES/NO YES NO NO YES/NO Use in many types of accidents OARU YES YES YES NO YES Use in occupational accidents AEB YES NO YES/NO NO NO Specifically intended for investigating near-misses in the nuclear industry SCAT YES YES YES/NO NO YES Use in occupational accidents across all sectors of activity TRIPOD YES YES YES/NO YES YES Use in complex accidents in the high-tech industries, and particularly for the oil industry ISIM YES YES YES NO YES Use in transportation systems, namely in aviation, railways, maritime and pipeline systems. NSB YES YES YES YES NO Developed specifically for the rail industry. WAIT YES YES YES YES YES Use in occupational accidents across all sectors of industrial activity HSG245 YES YES YES NO YES Use in occupational accidents across all sectors of activity 3CA YES YES YES/NO NO YES Use in occupational accidents across all sectors of activity Accident investigation methods are evaluated according to the following requirements: descriptive, revealing, consequential and practical. The application field of each method is also shown. YES means the method would fulfil the requirement, YES/NO means the method might fulfil the requirement, NO means the method cannot fulfil the requirement.

P. Katsakiori et al. / Safety Science 47 (2009) 1007 1015 1013 forced or supported by other barrier functions (Table 1, column 3). FTA and MES have a technical perspective in distinguishing the causes and they are thus rather strict about causality. This is not the case for the rest of the methods which consider the connections between technical aspects, people in the system and the organisation; an influence diagram better captures the picture of influences and plays a very informative role in accident investigation (Reason, 1997). 3.4. Consequential requirement Each accident investigation method should be consequential, meaning that it should allow specific recommendations to be formulated for accident prevention. An investigation will succeed in the prevention purpose if it can identify conditions, such that had they been otherwise, the accident would not have happened. This can be done through the generation of recommendations. FTA, MORT, AEB, SCAT, TRIPOD and 3CA do not generate specific recommendations. More precisely, FTA does not suggest corrective action for the generation of recommendations but it helps to identify problem areas that require such action. MORT identifies special oversights and omissions in the accident situation and general weaknesses in the company s management system, but there is no connection between S- and M-factors. AEB identifies broken barrier functions, reasons for why there were no barrier functions or why the existing ones failed and it suggests improvements. SCAT stops at defining the problems and is less directed at producing solutions. TRIPOD is not designed to produce specific recommendations, it only specifies problem areas visualised by the GFTs, it does not produce ready-to-use recommendations. 3CA does not produce specific recommendations, it only specifies problem areas. On the other hand, MES allows for recommendations on safety measures but these are limited by what is in the chart (mostly machines and operators). Recommendations at a higher level (e.g. policy, organisation, management) can be made, but a systematic framework does not guide them. (Table 1, column 4). 3.5. Validation requirement The validation process aims at assessing if the methods are valid and reliable. A reliable investigation method should facilitate agreement between results and different investigators/users, whereas a valid method should promote, as far as reasonably possible, correspondence between the analysis findings and reality (Jacinto, 2003). The validity of accident investigation methods is difficult to be measured. The reason is that in order to accurately predict future accident scenarios, the assumption that nothing important has changed must be made. But as accident analysis always reveals things that have changed, the condition for testing validity is not fulfilled (Wagenaar and van der Schrier, 1997). The lack of reliability of the information gathered in terms of accidents, when investigating and analyzing, can partly be attributed to methodological problems. For example, open questions provide the investigator with different information compared to closed questions (Groeneweg, 1994). Gordon et al. (2005) evaluated a human factors investigation tool for accident analysis on the basis of an inter-rater reliability assessment. The results indicated a low overall level of agreement between investigators which was expected since they had only minimal training and practice using the method. Hale et al. (1998) suggested that factors like differences in knowledge, experience and culture can affect interobserver reliability. The above reasons may constitute an explanation for the fact that no validation studies were found in the literature for most of the studied methods (Table 1, column 5). The validity of TRIPOD, NSB and WAIT has already been tested. In terms of TRIPOD, the general idea of the method is to construct a failure state profile. This is done in two modes: the reactive mode is a structured kind of accident investigation, whereas the proactive mode is a method for predicting the causal structure of future accidents on the basis of already visible symptoms (Wagenaar et al., 1994). TRIPOD s reliability was measured repeatedly and appeared to be acceptable for both its functioning modes. The method s validity was only tested and considered valid for the proactive mode by comparison with past accidents, but the reactive mode was never formally validated, other than the fact that it closely resembles the proactive method (Wagenaar and van der Schrier, 1997). A reason that the validity of TRIPOD has not been tested for the reactive mode is that the time period between the production of a profile and the accumulation of a sufficient number of accident scenarios is never left unused. The relationship between prediction and outcome is counteracted by the attempt to make the operation safer and prevent the accident reoccurrence (Wagenaar et al., 1994). NSB was tested and found capable of covering 95% of all accidents (Skriver et al., 2003). The inter-observer reliability of the method was also considered good, although the available literature does not describe how the study was conducted, nor does it provide a quantified value for its reliability. In order to provide a preliminary insight into the validity and reliability of WAIT, two studies were performed: the first was a comparison between the results of WAIT and another structured investigation method and the second was an inter-analysts reliability study (Jacinto, 2003). The results of both studies showed that WAIT is relatively well-founded and suggested the worthiness of further improvement and validation. 3.6. Practical requirement When developing an accident investigation method, it is important to think about the need for education and training in order to use it. The method should be practical, by which is meant that the analysis can be made by ordinary field safety persons, without the need for highly trained experts. FTA is not practical; it has been suggested that the application of FTA is more like an art, rather than a discipline and that the outcomes depend upon the tastes of the analysts (Wagenaar and van der Schrier, 1997). MORT is a costly and resource-intensive technique, which can only be applied by experts. These limitations, combined with its complexity, have been appointed as the main reason for its restricted application as a method of accident investigation (HSC, 1993). MES, OARU, SCAT, TRIPOD, ISIM, WAIT, HSEG245 and 3CA are easy and practical. The investigation with CTM may be performed at various levels or refinement and precision: the greater the accuracy sought, the more qualified specialists will be needed. The application of AEB requires experts from both fields interacting, i.e., human factors and technical systems experts. The use of ISIM requires specially trained investigators and analysts. After the training, these professionals are called safety investigators since they integrate the skills of accident investigators with the skills of safety assessors. The use of NSB method is restricted to trained safety personnel and requires a minimum of two days of training. (Table 1, column 6). 3.7. Application field of each method A good investigation method should also account for the specific context of the accident: this is why there exist methods best suited for aviation, or major accidents, or offshore accidents,

1014 P. Katsakiori et al. / Safety Science 47 (2009) 1007 1015 etc. and others that are best suited for occupational accidents (the context is different). Concerning the use of each accident investigation method, FTA is a technique adopted by the Dept. of Defence, USA. MORT is best suited for large and bureaucratic organisations; the technique has been applied in the nuclear industry. AEB is specifically intended for investigating near misses in the nuclear industry but it has been applied in fields other than nuclear power, such as traffic accident analysis (Harms-Ringdahl, 2001). MES has been in regular use for accident investigation at the US National Transportation Safety Board, particularly for accidents involving hazardous cargoes (Benner, 1975). ISIM is used in transportation systems, namely in aviation, railways, maritime and pipeline systems. CTM is quite widespread in France for the investigation and analysis of many types of accidents. OARU provides a practical tool for use in companies resulting in one-person injury. TRIPOD is used in complex accidents in the high-tech industries, and particularly for the oil industry. The NSB method was developed specifically for the rail industry. SCAT has a general use and WAIT is used in occupational accidents across all sectors of industrial activity. HSG245 and 3CA are used in the investigation of occupational accidents across all sectors of activity from line managers, supervisors, and safety specialists. (Table 1, column 7). Despite the availability of methods, detailed investigations apply in the case of major accidents, particularly in high-tech industries, nuclear/electrical power/chemical plants. This can be explained by the fact that such working environments have a highly procedural character, where detailed specifications allow for the identification of causality relations and the development of accident causation models. Despite these arguments, a better understanding and analysis of multiple causes of occupational accidents, apart from those immediately involved, is an absolute need. 4. Conclusions The evolution of accident causation models over time shows a shift from the sequence of events to the representation of the whole system. Respectively, the evolution of accident investigation methods over time reveals a gradual shift from searching for a single immediate cause, to the recognition of multiple causes, such as organisational and management weaknesses and their interactions with the working activities. Accident investigation methods have been mainly developed for use in major accidents in technologically complex systems, which is obvious in column 7 of Table 1. This constitutes a limitation to their use with ordinary occupational accidents. In the evaluation framework section, it was presumed that accident models affected methods and that methods could be evaluated by specifying common requirements. An interesting finding during this study was that although a set of plausible requirements for evaluating accident investigation methods can be established, it is important that these can be attributed to the underlying accident causation model. In other words, the requirements established should help us verify that a specific accident investigation method fulfils the principles of the specific accident causation model, or give evidence to the degree of alignment between them. From the example given in Section 3.1 where the alignment of WAIT and TRIPOD with Reason s model was described, it can be concluded that Reason s model provides descriptive information relevant to the study of accidents since it describes accident causation. The model is also revealing since it makes a distinction between active failures and latent conditions. On the other hand, it does not provide specific solutions. This is due to the fact that a model is always general in purpose, rather than applicationspecific as a method (Lehto and Salvendy, 1991). Taking into consideration that different conceptual views of the accident phenomenon affect the investigation methods used (Benner, 1985), the requirements to evaluate the methods should give evidence of the suitability of the accident model used. The effectiveness of model application is admittedly difficult to measure objectively (Lehto and Salvendy, 1991). This is why when analyzing a specific accident, the mutual dependence between causation models and investigation methods must be taken into account. Models provide knowledge regarding the fundamental mechanisms which underlie the accident scenario and methods provide the necessary information to analyse the accident in a specific setting. However, the selection made on the former, restricts our selection on the latter, although there exist methods, which are not linked to a known accident causation model. The initial step for an investigator would be to select a particular model that fits him, which in turn guides him in selecting one of relevant methods. The choice of the particular method should be based on its particular advantages and limitations regarding the requirements presented in Table 1 and can have a significant impact on the efficiency and effectiveness of an investigation because it can lead to conclusions about whether or not and how the method could meet the identified needs of the investigation. But the accident model and accident investigation method selection issues require attention. Aspects such as whether one seeks for a technical and theoretical understanding or is based on the contextual conceptions of the practitioners should be taken into consideration. Besides, the model and method selection should be tailored to the needs of the investigators (whom the findings should serve, his/her needs and ways of understanding). Since different models approach accidents in sometimes entirely different ways, methods linked to these models can provide us with only fragmentary information regarding the accident. It is therefore expected that using a combination of model-method pairs, rather than a single one, could provide a better and more reliable platform for the investigation and analysis of accidents. Acknowledgement The authors thank Dr. Celeste Jacinto (University of Lisbon, Portugal) for her valuable assistance. References Attwood, D., Khan, F., Veitch, B., 2006. Occupational accident models where have we been and where are we going? Journal of Loss Prevention in the Process Industries 19, 664 682. Ayeko, M., 2002. Integrated safety investigation method (ISIM) - investigating for risk mitigation. Paper presented at the Workshop on Investigation and Reporting of Incidents and Accidents, Glasgow, July, pp. 115 126. Benner, L., 1975. Accident investigation: multilinear events sequencing method. Journal of Safety Research 7, 67 73. Benner, L., 1985. Rating accident models and investigation methodologies. Journal of Safety Research 16, 105 126. Bird, F.E. (Ed.), 1974. Management Guide to Loss Control. Institute Press (Division of International Loss Control Institute), Atlanta. Bird, F.E., Loftus, R.G. (Eds.), 1976. Loss Control Management. Institute Press (Division of International Loss Control Institute), Loganville, Georgia. Groeneweg, J. (Ed.), 1994. Controlling the Controllable: The Management of Safety. DSWO Press, Leiden. Ferry, T.S. (Ed.), 1988. Modern Accident Investigation and Analysis. John Wiley & Sons. Gordon, R., Flin, R., Mearns, K., 2005. Designing and evaluating a human factors investigation tool (HFIT) for accident analysis. Safety Science 43, 147 171. Hale, A.R., Glendon, A.I. (Eds.), 1987. Individual behaviour in the control of danger. Industrial Safety Series, vol. 2. Elsevier, Amsterdam, Oxford. Hale, A., Heming, B., Smit, K., Rodenburg, F., van Leeuwen, N., 1998. Evaluating safety in the management of maintenance activities in the chemical process industry. Safety Science 28, 21 44. Harms-Ringdahl, L. (Ed.), 2001. Safety Analysis Principles and Practice in Occupational Safety. Taylor and Francis, London. Health and Safety Executive (HSE) (Ed.), 2004. HSG (245) Investigating Accidents and Incidents. HSE, UK.

P. Katsakiori et al. / Safety Science 47 (2009) 1007 1015 1015 Health and Safety Commission (HSC), 1993. Third Report: Organising for Safety. ACSNI Human Factors Study Group. HMSO, London. Heinrich, W.H. (Ed.), 1941. Industrial Accident Prevention. McGraw-Hill, New York. Helmreich, R., 1990. Human factors aspects of the Air Ontario crash at Dryden, Ontario. In: Final Report of the Commission of Inquiry into the Air Ontario Crash at Dryden, Ontario. Minister of Supply and Services, Ottowa. Hollnagel, E. (Ed.), 1998. Cognitive Reliability and Error Analysis Method CREAM. Elsevier Science. Hollnagel, E., 2002. Understanding accidents from root causes to performance variability. Paper presented at the 7th IEEE Human Factors Meeting, Scottsdale, Arizona. Jacinto, C., 2003. A structured method for the investigation and analysis of occupational accidents. Unpublished Ph.D. Thesis, School of Engineering, Mechanical and Manufacturing Engineering, University of Birmingham, UK. Jacinto, C., Aspinwall, E., 2003. Work accidents investigation technique (WAIT) part I. Safety Science Monitor 1 (IV-2). Johnson, W.G. (Ed.), 1980. MORT Safety Assurance Systems. Marcel Dekker Inc, New York. Kingston, J., 2007. 3CA Investigator s manual, NRI-3. <http://www.nri.eu.com/ NRI3-beta.pdf>. Kirwan, B., 2001. Coping with accelerating socio-technical systems. Safety Science 37, 77 107. Kjellén, U., Larsson, T.J., 1981. Investigating accidents and reducing risks a dynamic approach. Journal of Occupational Accidents 3, 129 140. Kjellén, U., 1987. Deviations and the feedback control of accidents. In: Rasmussen, J., Dunkan, K., Leplat, J. (Eds.), New Technology and Human Error. John Wiley and Sons, Chichester, pp. 143 156. Kjellén, U., Hovden, J., 1993. Reducing risks by deviation control a retrospective into research strategy. Safety Science 16, 417 438. Kjellén, U. (Ed.), 2000. Prevention of Accidents through Experience Feedback. Taylor and Francis, London. Lacroix, D.V., DeJoy, D.M., 1989. Causal attributions to effort and supervisory response to workplace accidents. Journal of Occupational Accidents 11, 97 109. Laflamme, L., 1990. A better understanding of occupational accident genesis to improve safety in the workplace. Journal of Occupational Accidents 12, 155 165. Larsson, T.J., 1993. Investigating accidents and reducing risks a dynamic approach (Kjellén and Larsson, 1981) its relevance for injury prevention. Safety Science 16, 439 443. Lehto, M., Salvendy, G., 1991. Models of accident causation and their application: review and reappraisal. Journal of Engineering and Technology Management 8, 173 205. Leplat, J., 1978. Accident analysis and work analysis. Journal of Occupational Accidents 1, 331 340. O Hare, D., 2000. The wheel of misfortune: a taxonomic approach to human factors in accident investigation and analysis in aviation and other complex systems. Ergonomics 43, 2001 2019. Rasmussen, J., 1987. Cognitive control and human error mechanisms. In: Rasmussen, J., Dunkan, K., Leplat, J. (Eds.), New Technology and Human Error. John Wiley and Sons, Chichester, pp. 53 61. Rasmussen, J., 1997. Risk management in a dynamic society: a modelling problem. Safety Science 27, 183 213. Reason, J. (Ed.), 1990. Human Error. University Press, Cambridge. Reason, J. (Ed.), 1997. Managing the Risks of Organisational Accidents. Ashgate Publishing Ltd, Aldershot Hants. Sklet, S., 2004. Comparison of some selected methods for accident investigation. Journal of Hazardous Materials 111, 29 37. Skriver, J., Haukenes, H., Alme, I., 2003. Accident investigation at Norwegian State Railways: a socio-technical methodology. Paper presented at the JRC/ESReDA Seminar on Safety Investigation of Accidents, Petten, Netherlands, May, pp. 170 176. Svenson, O., 1999. On models of incidents and accidents. Paper presented at the 7th European Conference on Cognitive Science Approaches to Process Control, Villeneuve d Ascq, France, September, pp. 169 174. Svenson, O., 2000. Accident Analysis and Barrier Function (AEB) Method Manual for Incident Analysis. Stockholm University, SKI Project Number 97176 (Full report available at http://www.irisk.se/ref.htm). Wagenaar, W.A., Groeneweg, J., Hudson, P.W., Reason, J.T., 1994. Promoting safety in the oil industry. Ergonomics 37, 1999 2013. Wagenaar, W.A., van der Schrier, J., 1997. Accident analysis the goal, and how to get there. Safety Science 26, 25 33.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information