Safety Management Systems and Systemic Failure

James Reason, then Professor of Psychology at the University of Manchester, published his influential Human Error in 1990 and refined the Swiss Cheese Model through the 1990s. The model has been adopted in aviation (ICAO Annex 19 SMS framework), healthcare, nuclear power, and the offshore oil industry as the conceptual foundation for systemic accident investigation.

Reason distinguishes between two broad failure categories. Active failures are the unsafe acts committed by front-line workers: the operator who failed to close a valve, the pilot who misread the altitude, the nurse who gave the wrong dosage. These are visible and immediate, and they are almost always what early-stage investigations focus on. Latent conditions are the hidden failures that incubate within the organisation: a maintenance system that deferred inspection, a training programme that never covered an unusual scenario, a risk register that categorised a known hazard as acceptable because no one had been hurt yet.

The practical implication is that fixing the front-line operator who made the active failure is the least effective corrective action available. That individual will be replaced or retrained, but the latent conditions remain for the next operator in the same situation. Sustainable improvement requires identifying and closing the holes in the upstream layers: the design, the procedure, the training, the supervision, and the management culture that tolerated the precursor signals.

Bow-tie analysis emerged from the Shell and ICI major-hazard process-safety tradition in the 1980s and was formalised as a risk management tool by the Energy Institute, DNV, and others in the 2000s. Its structure is deliberate: the knot at the centre of the bow-tie is the critical event, the single most important moment to prevent. The left half shows the threat pathways and the prevention barriers. The right half shows the consequence pathways and the mitigation barriers.

1. Identify the top event (hazard release)
   This is the moment of loss of control: loss of well control, release of toxic gas, structural failure. It is specific and observable. The bow-tie is built around one top event at a time.
2. Map threats (left side)
   List the credible ways the top event can be reached. For a well, threats include failure to detect abnormal pressure, incorrect cement job, inadequate mud weight. Each threat gets its own branch, and the prevention barriers are placed as gates on each branch.
3. Map consequences (right side)
   List what happens after the top event if it is not contained. For a well blowout, consequences include explosion, fire, loss of life, environmental release. Mitigation barriers (emergency shutdown systems, evacuation procedures, BOP activation) are placed on the consequence branches.
4. Assess barrier health
   The real value of a bow-tie is in tracking whether each barrier is functioning. A bow-tie mapped against the Deepwater Horizon timeline shows which barriers were degraded, non-functioning, or bypassed before and during the critical event.

A complete SMS, as defined by ICAO Annex 19 for aviation, the International Safety Management Code (ISM Code) for shipping, OSHA's Process Safety Management standard (29 CFR 1910.119) for process industries, and industry frameworks such as API RP 75 for offshore oil, has four functional pillars: safety policy and objectives, safety risk management, safety assurance, and safety promotion.

The most common systemic failure pattern the forensic engineer encounters is the SMS that looks complete on paper and is hollow in practice. A company can have a beautiful Process Safety Management manual, a full set of procedure documents, a completed risk register, and a functioning audit schedule, and still produce a catastrophic accident, because none of those documents were treated as living controls that actually governed decisions under production pressure. The distance between the written SMS and the practiced SMS is where most organisational accidents live.

In most jurisdictions, corporate manslaughter, corporate homicide, and equivalent offences require proof that a senior management failure (not just a front-line worker's error) caused the death. The UK Corporate Manslaughter and Corporate Homicide Act 2007 requires a 'gross breach of duty of care' attributable to the 'way in which its activities are managed or organised by its senior management'. Demonstrating that breach requires exactly the kind of SMS gap analysis that Reason's framework enables.

In the United States, criminal prosecution for major industrial accidents typically runs through a mix of environmental statutes (Clean Water Act, Clean Air Act) and workplace safety regulations (OSHA) rather than a corporate manslaughter framework. Civil liability under US law allows plaintiffs to reach senior management and the corporation through theories of negligent supervision, failure to maintain a safe workplace, and negligent SMS design or execution.

• Evidence for individual failure: the operator deviated from a clear, known, and feasible procedure without justification; training records confirm the correct procedure was known and tested.
• Evidence for organisational failure: the same deviation was common and known to supervisors; the procedure was unworkable under actual operating conditions; previous similar incidents were not investigated to root cause; stop-work authority was never used despite multiple known precursors.
• Evidence for systemic failure: the SMS did not require MOC when the process changed; hazard assessments were not updated; audit findings were deferred without risk acceptance at an appropriate management level; production incentives structurally outweighed safety incentives.

The Bly Report (BP's internal investigation), the Presidential Commission report, and the US Chemical Safety Board's investigation of the Macondo well blowout together constitute one of the most thoroughly documented industrial SMS failures in history. The primary physical cause was a failure of the cement job on the production casing, which allowed hydrocarbons to migrate up the wellbore. But the cement failure was one hole in one layer. What made the accident catastrophic was the alignment of holes in every other defensive layer.

• Negative pressure test misinterpretation: the crew performed a negative pressure test to confirm wellbore integrity before temporarily abandoning the well. Anomalous pressures were observed and misinterpreted as 'bladder effect', a non-standard term that had no engineering basis. The test should have stopped operations; instead it provided false reassurance. No clear written procedure existed for interpreting the test result.
• Removal of heavy drilling mud: the crew displaced the heavy drilling mud with seawater before a secondary barrier (a lockdown sleeve) was confirmed in place. This removed a hydrostatic barrier against wellbore pressure. The Bly Report identifies this as a decision made under pressure to begin completion operations sooner.
• BOP failure: the blind shear ram of the BOP failed to seal the well. Post-accident testing by the US Bureau of Safety and Environmental Enforcement confirmed design deficiencies relevant to the pipe configuration in the well, a pre-existing hydraulic leak that had been identified and not repaired, and battery issues in the acoustic trigger. Three separate BOP failure modes converged.
• MOC absent: multiple changes to the well design were made in the final days before the blowout, including changes to the casing design and the decision to use fewer centralizers than recommended by the cement contractor Halliburton. The Presidential Commission found no evidence of formal management-of-change review for these decisions.
• Audit findings deferred: an internal BP audit of the Atlantis platform, conducted before the Macondo incident, had identified similar process-safety issues with well-control barriers. The audit findings had not been closed. The Presidential Commission noted a pattern of audit findings being generated and not acted upon.

The Deepwater Horizon investigation is a masterclass in how the same set of facts can be framed as individual human error (the crew misread the negative pressure test) or as systemic SMS failure (the company had no clear procedure for interpreting the test, a culture of schedule pressure that discouraged raising concerns, and multiple previous warning signals that were not investigated to root cause). Both framings are factually supported. In litigation, BP ultimately paid more than 65 billion US dollars in fines, damages, and cleanup costs, a figure that reflects both the direct physical harm and the depth of the organisational failure.

The challenge in presenting systemic failure evidence is making the connection between abstract organisational concepts and specific acts of commission or omission that a court can evaluate. An expert who testifies that 'the safety culture was deficient' without pointing to specific, documented, dated evidence will be attacked on cross-examination as offering impressionistic opinion. The same analysis grounded in SMS audit records, management review minutes, incident reports, and deferred corrective actions is far more durable.

The sequence that survives cross-examination typically runs: (1) state what the defendant's SMS required, citing the specific SMS document and section; (2) identify the specific evidence that this requirement was not met, citing dated records; (3) show how this gap produced the specific conditions that led to the accident, using the barrier analysis or bow-tie as the connective structure; (4) state what a competent operator in the same industry would have done, citing industry standards and comparator evidence if available. Each step is document-based and falsifiable, which is what Daubert reliability requires.