Safety I–II, resilience and antifragility engineering: a debate explained through an accident occurring on a mobile elevating work platform


International Journal of Occupational Safety and Ergonomics

ISSN: 1080-3548 (Print) 2376-9130 (Online). Journal homepage: http://www.tandfonline.com/loi/tose20


Alberto Martinetti, Maria Mikela Chatzimichailidou, Luisa Maida & Leo van Dongen

To cite this article: Alberto Martinetti, Maria Mikela Chatzimichailidou, Luisa Maida & Leo van Dongen (2018): Safety I–II, resilience and antifragility engineering: a debate explained through an accident occurring on a mobile elevating work platform, International Journal of Occupational Safety and Ergonomics, DOI: 10.1080/10803548.2018.1444724

To link to this article: https://doi.org/10.1080/10803548.2018.1444724

© 2018 Central Institute for Labour Protection – National Research Institute (CIOP-PIB). Published by Informa UK Limited, trading as Taylor & Francis Group. Accepted author version posted online: 23 Feb 2018.

Published online: 24 Apr 2018.


Alberto Martinetti (a)*, Maria Mikela Chatzimichailidou (b), Luisa Maida (c) and Leo van Dongen (a, d)

(a) Design, Production and Management Department, University of Twente, The Netherlands; (b) Department of Civil and Environmental Engineering, Imperial College London, UK; (c) Land, Environment and Infrastructures Engineering Department, Polytechnic of Turin, Italy; (d) NS Technology Department, Netherlands Railways, The Netherlands

Occupational health and safety (OHS) represents an important field of exploration for the research community: in spite of the growth of technological innovations, the increasing complexity of systems involves critical issues in terms of degradation of the safety levels. In such a situation, new safety management approaches are now mandatory in order to face the safety implications of the current technological evolutions. Along these lines, performing risk-based analysis alone seems not to be enough anymore. The evaluation of robustness, antifragility and resilience of a socio-technical system is now indispensable in order to face unforeseen events. This article will briefly introduce the topics of Safety I and Safety II, resilience engineering and antifragility engineering, explaining correlations, overlapping aspects and synergies. Secondly, the article will discuss the applications of those paradigms to a real accident, highlighting how they can challenge, stimulate and inspire research for improving OHS conditions.

Keywords: Safety I; Safety II; resilience engineering; antifragility engineering; mobile elevating work platform

1. Introduction

Undoubtedly, socio-technical systems are becoming more complex. The interaction between the two aspects becomes tighter, no longer giving the opportunity to analyse the two parts independently. Over the last decades, as highlighted by Leverson [1], the world of engineering has faced a big technological revolution, while safety approaches are not able to follow this change, and provide the expected benefits in terms of increasing safety and reducing accidents.

Moreover, complexity, as the inability to evaluate the effects of actions because too many system variables interact [2], is dramatically increasing, forcing the risk experts and analysts to investigate less obvious systems [3]. Nowadays, systems such as air traffic management (ATM) or railway networks are so extremely dense that a single disruptive event usually causes many domino effects, reducing performance and producing issues of different severity levels.

It appears to be clear that an approach solely based on analysing what can go wrong in the case of system perturbation cannot bring the necessary results in terms of system performance; Aven [4] remarks on the importance of achieving high robustness in a system by reducing its vulnerability. To ensure this goal we must adopt a change in mindset. We need to introduce new concepts into the risk analysis. It is also considered important to start thinking not only in terms of safety and resilience, but also in terms of antifragility [5].

*Corresponding author. Email: a.martinetti@utwente.nl

The discussion in this article focuses on the opportunity for new researchers who look at the safety topic to take into account new ways of performing risk analysis, to study the problem from a socio-technical perspective and more robust design solutions, which are also able to adapt to the new system conditions. Introducing the topics of Safety I and Safety II, resilience engineering and antifragility engineering at the same time, and highlighting possible overlapping aspects and correlations between them, this work analyses how those approaches provide different system responses to the same perturbation, using as a case study an accident that occurred on a mobile elevating work platform (MEWP).

2. What are we talking about?

As written by several authors [6,7], safety is a multidisciplinary topic that involves different fields, such as economics, psychology, industrial technology, law and occupational hygiene among others. Consequently, it also requires different experts to play different roles. However, the roles that experts play and the methods they use to picture the problem need to fit the social and technological changes. Pillay [8,9] highlights how those approaches of investigating and preventing accidents are evolving through the decades. He identifies three safety eras characterized by five ages (i.e., technological; behavioural and human error; socio-technical; cultural; resilience), during which the way to tackle accidents, incidents and disasters moved from Heinrich’s model and safety procedures to resilience, in which people have an important role in coping with uncertain situations. Recently, as already briefly introduced, the new concept of antifragility has emerged and started becoming predominant in a variety of research fields. According to the authors, antifragility could represent another step in safety evolution, representing the sixth age of the third era (Figure 1).

Figure 1. Safety approach evolution through the decades. Note: Modified from Pillay [9].

This is an Open Access article distributed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives License (http://creativecommons.org/licenses/by-nc-nd/4.0/), which permits non-commercial re-use, distribution, and reproduction in any medium, provided the original work is properly cited, and is not altered, transformed, or built upon in any way.

Hollnagel et al. [10] stated that the most common definition of safety is the absence of calamities or, at least, low risk of incidents taking place. Safety I–II, resilience engineering and antifragility engineering tackle the same problem starting from different points. The following paragraphs will offer a definition of them, with the aim to reveal any underlying correlations and overlapping aspects.

2.1. Safety I and Safety II

As suggested by Patterson and Deutsch [11], the difference between Safety I and Safety II is both philosophical and pragmatic. It is related to which side of the fence, to which part of the glass (half-full or half-empty), the analyst is referring to as the starting point.

For several decades, the techniques of risk analysis focused on root cause analysis (RCA) with the application of several hazard identification techniques in order to investigate the reasons why the system drifted from the normal working conditions. The approach is broadly used; it presents enormous advantages for learning from errors, and the knowledge gathered from the fault-cause investigation is of great importance for future situations and processes. Even though the drawn procedures can provide useful references for the execution of tasks [12], most likely this results in a policy that creates only barriers, standardizes working procedures and eliminates disturbances [13], develops responses to accidents and eliminates or contains identified risks. All in all, this approach is widely known as Safety I and can be considered as the mechanism of avoiding the things that go wrong (Figure 2).

On the contrary, the Safety II approach analyses the things that go right. It is based on the principle that, due to the complexity of the modern world, it becomes harder to predict side effects and consequences. Therefore, it becomes harder to control the work situations, especially in socio-technical situations, resulting in a varied system performance. The coupled performance variabilities determine both success and failure [13]. According to that, technical systems are engineered in such a way to minimize the performance variability and operate properly, to keep the environment relatively stable, acknowledging, however, that human variability is necessary to overcome, e.g., disturbances in time and resources.

These disturbances have to be reconstructed in the case of failure to understand how these particular deviations could arise and lead to abnormal outcomes. Management of safety in this approach focuses on maximizing the ability of the system to produce a desired and acceptable outcome in the varying circumstances under which the system operates. It is therefore vital to know how and why things go right [11,13].

2.2. Resilience engineering and antifragility engineering

As described by Le Coze [14], the story of resilience engineering is strongly attached to the evolution of cognitive engineering, and the interaction between research in engineering and psychology [15,16]. The topic of resilience engineering has gained attention and importance in the recent literature for its potential applications in high reliability organizations or in systems where the high level of complexity requires a high level of adaptation from the human and machine perspectives [17].

Figure 2. Safety I vs. Safety II philosophy. Note: Modified from Hollnagel et al. [10].

Woods [18] identifies four different possible definitions of the term resilience: rebound, robustness, graceful extensibility and sustained adaptability. These keywords underline the ability of a system to respond after a disruption, deal with perturbations, positively stretch near and beyond its limits [11] and manage and/or regulate the parameters in a multidimensional network [18]. From this spectrum, the need for prevention of unexpected events and better reliability, as well as the need for managing the environmental variety, are both embedded in the resilience engineering approach.

Thus, resilience engineering can be defined as the ability of systems to prevent or adapt to changing conditions in order to maintain (control over) a system property [16] or a system performance. It can also be defined as the engineering branch of monitoring, responding and absorbing disturbances. The first involves expecting the unexpected, the second gives the opportunity to react (in relation to its boundaries) and the third ‘stretches’ the system to current perturbations. In essence, the concept of resilience engineering relies on preparing for unexpected disturbances and planning for the expected situations.

Differently, antifragility engineering considers learning and acquiring knowledge as part of the process of a system. While in resilience engineering knowledge is created based on what to expect and the prevention of the unexpected, an antifragile system should be able to learn and adapt to the real unexpected circumstances. According to this, antifragile systems are able to get benefits from disturbances in order to improve their performances in the future, enhancing in this way their adaptability to unforeseen circumstances. Thus, they will become more robust and evolve over time [19,20]. As shown in Figure 3, becoming an antifragile system requires a considerable change in the entire philosophy of designing engineering systems.

No longer should the focus be on engineering for known requirements, but a system has to be designed and developed with adaptive characteristics and requirements from scratch. This approach demands structured communication and feedback within the system itself [19,20].

2.3. Correlations and overlapping aspects

Sections 2.1 and 2.2 have offered a short introduction about Safety I and Safety II and about resilience and antifragility engineering. In the following, correlations and overlapping aspects will be discussed. Starting from the definitions, Table 1 presents the keywords that identify the four approaches.

Among the pool of keywords found, it is possible to identify some correlations and overlapping aspects (indicated by dotted lines) between the four approaches that clarify their strength. Figure 4 explains how the different approaches influence the reaction of the system under a general perturbation, the consequence, the system’s recovery and the final configuration of the system based on its capabilities.

One of the conclusions drawn from Figure 4 is that when a system fails, Safety I will investigate what went wrong and Safety II will reshape the system with the positive parts that worked during the perturbation towards a final configuration with a similar initial structure.

The resilience engineering approach, on the contrary, aims to create a system able to stretch its boundaries in order to find its adaptability and robustness after perturbations. This approach will ensure the continuity of the system offering the same performance of the initial configuration.

The essential difference between resilience engineering and antifragility engineering lies mainly in the opportunity of a system to not merely tolerate adverse conditions and stretch its boundaries, but rather be able to strengthen and learn in the process [23]. The initial configuration of the system will not change at the moment that the system recovers, but will change the system according to the perturbations. The system will learn from the conditions under which it operated, offering a wider spectrum of working situations.

Table 1. Representative keywords of Safety I, Safety II, resilience engineering and antifragility engineering.

Safety I | Safety II | Resilience engineering | Antifragility engineering
What goes wrong [10] | What goes right [10] | Rebound [18] | Beyond adaptability
RCA [21] | Everyday work [10] | Robustness [18] | Learning [5]
Barriers [22] | Human variability [13] | Extensibility [18] | Improvement
Standardize processes [22] | Rebound | Adaptability [18] | Evolving [19]

Note: RCA = root cause analysis.

3. Application: a safe MEWP, a resilient MEWP and an antifragile MEWP

This section aims to discuss a possible application of Safety I and Safety II, resilience engineering and antifragility engineering to improve the design of systems and to understand how we gain positive results from a non-fatal accident.

3.1. Overview of the accident

The accident involved a self-propelled MEWP during a maintenance operation on a drainpipe at a height of about 17 m (three-storey building).

Due to incorrect operations and to the maximum lateral force (400 N) being exceeded, the MEWP lost stability. The MEWP chassis – positioned on a pavement made of cobblestones – skidded and fell on a side-building wall. A progressive deformation of the column on the opposite brick fence reduced the falling velocity of the platform. The operator survived by jumping from the platform and grabbing on to an orange tree branch (Figure 5a and 5b).

MEWP overturn is a frequent cause of accidents. The potential displacement of the centre of gravity in particular stressing, loading and geometrical configurations represents one of the most critical aspects for the MEWP’s stability. For MEWPs provided with stabilizers, the worst-case scenario appears in combination with the maximum horizontal outreach and maximum height. In that situation, the full machine weight loads on a single stabilizer.

It is a manufacturer’s responsibility to perform proper calculations to evaluate loads and forces (such as rated loads, structural loads, wind loads, manual forces, etc.) able to produce the most unfavourable stresses for the machine’s components during operation.

However, several stability problems are generated by non-conventional ways of using the MEWP that cause irregular manual forces. Standard No. EN 280:2013 [24] requires values of manual forces (applied at a height of 1.1 m above the work platform floor) of 200 N for MEWPs designed to carry only one person and 400 N for MEWPs designed to carry more than one person.

Exceeding the value defined by the manufacturer will produce an oscillation of the centre of gravity resulting in an overturning torque that may jeopardize the stability of the MEWPs. Unfortunately, these exceeding forces are not easy to evaluate if no detection instruments are available.

Figure 5. Final configuration of the MEWP after the collapse: (a) street view; (b) aerial view.

Note: MEWP = mobile elevating working platform.

Analysing an accident through an investigation protocol means understanding the chain of events, the root causes and the deviations from expected working conditions in order to discover where the system failed. During official investigations disposed by the prosecutor office, some of the authors deeply studied the accident through the computer-aided cause consequence for prevention technique proposed by Luzzi et al. [25] and based on the well-known system approach [26] and on bowtie analysis (a combination of fault tree analysis [FTA] and event tree analysis [ETA]). On the one hand, the selected investigation protocol deconstructs the chain of events; on the other, it links every single basic event with a possible corrective action:

• Accident causes chain – from the undesired event to the direct cause (top down based on FTA). Starting from the undesired event and following a chain of intermediate events, this identifies the root causes.

• Possible corrective actions – most suitable prevention measures development (bottom up based on ETA). Starting from the root causes – identified in the previous step – this highlights the most suitable prevention measures in order to break the chain of intermediate causes leading to this kind of event.

Table 2 summarizes the results of the computer-aided cause consequence for prevention technique applied to the accident. The left-hand column ‘Accident causes chain’ gives an overview of the events that drifted the situation away from the normal working conditions. The right-hand column ‘Possible corrective actions’ underlines possible interventions to take for preventing the occurrence of the system’s malfunction.

Table 2. Summary of investigation results performed with the computer-aided cause consequence for prevention technique.

# | Accident causes chain | Possible corrective actions | #
1 | Operator injuries | Correct use of the safety belt | VIII
2 | Platform falling trajectory | n/a | VII
3 | MEWP loses stability and fall beginning, stabilizers stuck against a wall, started the structure deformation | n/a | VI
4 | Sudden failure of an element of the gutter | Adequate information, formation and training and work procedures deriving from risk analysis | V
5 | Incorrect operator behaviour, involving lateral forces exceeding the machine stability limits | Monitoring the effectiveness of the training courses | IV
RM 6 | Incomplete on-board signs – instruction handbook not clear and exhaustive | Careful evaluation of the machine stabilizers positioning vs pavement characteristics | III RM
7 | Careless organization: no second operator, no supervision | Responsibilities definition and supervising | II
8 | Non-exhaustive hazard identification leading to poor risk assessment [27] | Even if not officially required by the Italian OHS law, some risk analysis and management of yards involving the MEWPs use is obviously necessary | I

Note: MEWP = mobile elevating working platform; n/a = not applicable; OHS = occupational health and safety; RM = risk management.

Employees are rarely the sole cause of accidents (as in the case of the analysed accident). Human performance is always based on complex interactions within the socio-technical system that constitutes an organization [9]. Even in the presented accident, the analysis identified responsibilities related to both human errors (e.g., ‘incorrect operator behaviour, involving lateral forces exceeding the machine stability limits’) and to omissions in the risk management phase (e.g., ‘careless organization: no second operator, no supervision’).

3.2. How do Safety I and Safety II, resilience engineering and antifragility engineering tackle the accident?

As explained previously (Section 2), Safety I and Safety II, resilience engineering and antifragility engineering take different perspectives and lead to different solutions. Based on the scheme proposed previously (Figure 4), Figure 6 offers a comparison between those perspectives applied to the described accident.

As shown in Figure 6, Safety I and Safety II focus attention on looking for negative and positive aspects in order to introduce coherent preventative measures tailored for specific scenarios for breaking the chain of events, avoiding the occurrence of an accident in similar conditions. Regarding ‘what went wrong’: (a) an incorrect operator’s behaviour caused unexpected lateral thrusts, forcing the machine to exceed the stability limits; (b) poor work procedures led to incorrect positioning of the MEWP; (c) careless organization due to no second operator and no supervision. Regarding ‘what went right’: (a) the MEWP was suitable for the context; (b) the translation system worked normally; (c) the MEWP was properly maintained. Their combination provides valuable corrective actions to enable the system to face similar human drifts and organizational defects but not comparable physical perturbations (lateral thrust > 400 N) that stretch the technical boundaries of the MEWP.

Differently, resilience engineering operates in a system perspective, considering perturbations as unavoidable events that force the asset to deviate from the normal operative condition. From a resilience perspective, the platform should be engineered not only by evaluating loads and forces, their direction and point of application looking for the most unfavourable stresses for the components [28] in coherence with Standard No. EN 280:2013 [24], but also by taking into account the potential overrun of the design limits due to different load conditions and performance variabilities.

Figure 6. Safety I and Safety II, resilience engineering and antifragility engineering comparison on the MEWP accident. Note: MEWP = mobile elevating working platform.

The consequence on the MEWP would be a reduction of the working capability after perturbation (lateral thrust > 400 N) operated by specific control systems (Figure 7) that move the asset to adopt intermediate configuration(s) and bring the system to the initial configuration (i.e., with full working capability) once the perturbation stops. The introduction of load shift sensors on the stabilizers would allow the automatic balancing during stress conditions (i.e., exceeding the maximum force limit value) to reduce the overturning force.

The proposed scheme for resilience engineering introduces a concept essential to make a step beyond, i.e., a monitoring function that reshapes the system if a deviation is detected: a function that can help the system to learn from a perturbation.

The application of antifragility engineering to the MEWP suggests the introduction of a smart stress control system (connected with the load shift sensors on the stabilizers) that analyses the system anomalies due to the perturbations. This smart system should recognize a situation, elaborate it and learn from it (Figure 8) in order to set up a ‘memory of the system’, being able to face this situation while permitting the same system performance. An algorithm will elaborate the new MEWP configuration to ensure the same working capability. This means offering a constant registered experience useful for unexpected status configurations of the system.

Figure 7. Flow chart of a resilient solution for MEWPs. Note: MEWP = mobile elevating working platform.

Figure 8. Flow chart of an antifragile solution for MEWPs. Note: MEWP = mobile elevating working platform.

An antifragile MEWP would spatially reconfigure the stabilizers according to the external perturbation (lateral thrust > 400 N) in order to keep the same working capability.

4. Discussion and limitations

Based on the results of the outlined analysis, several interesting points can be made. The fast evolution of technological innovation, the development of complex systems and transformations of the working environment require a change in thinking for safety. Systems become complicated in terms of relations between components, and thus it is difficult to predict rigorously each state of its evolution because the routine varies.

As already discussed, approaches based only on ‘find and fix’ peculiar to Safety I or based on the analysis of ‘what goes right’ of Safety II do not offer a sufficient level of resistance to new complex systems. Implementing barriers and procedures, even at an organizational level, cannot overcome the multiple perturbations that a system will experience. Proposed solutions should rely on robustness, resilience and antifragility principles. Concerning the explained opportunities, the modern system design should offer solutions, being able to:

• stretch design boundaries;

• not fail under unexpected events;

• ensure the same working capability under stress conditions;

• learn from new situations for reshaping configurations and adapting to new inputs.

The applied approaches to the MEWP accident show how valuable and relevant is the benefit gained from using resilience engineering and antifragility engineering for a system. The obtained flexibility and the robustness ensure that a system resists external and unexpected solicitations, offering a safety level that cannot be guaranteed with the risk analysis methodologies of the first and second eras.

Nevertheless, those innovative ways of thinking, designing and rebuilding the problem still reveal a non-negligible level of complexity to be deployed correctly.

Firstly, due to technical limitations not every system can be equipped with devices able to quickly modify its structure or layout according to different situations. Only recently has this been implemented in the aeronautic industry, e.g., special purpose aircraft have wings made of flexible materials able to adapt their shape during the flight according to the motion [29]. Furthermore, in the automotive industry, high-performance vehicles use deforming components to control drag and downforce [30]. Secondly, the implementations of those solutions may not always be economically feasible for every situation. The application of systems able to learn from situations is usually interesting and useful in complex network systems (i.e., smart grids, dense railway networks, ATM).

Finally, yet importantly, there is a cultural barrier to break. A non-negligible mindset change has to be made in how safety is thought of and applied. The challenge for new safety researchers and engineers will be using the proposed methods in order to create systems able to work in a socio-technical environment providing comparable performance, level of safety and, possibly, cost-effectiveness expected by the stakeholders.

5. Conclusion

Given the potential of unexpected events that can drift into new complex systems from designed working conditions resulting in accidents or decreased performance, there is a lack of resilience engineering and antifragility engineering applications for designing systems able to face those situations. This article, for the first time to the authors’ best knowledge, offered a comparison between Safety I and Safety II approaches and the methods of resilience engineering and antifragility engineering by analysing a real accident on a MEWP and by discussing different solutions. This has resulted in the identification of future and critical research aspects to develop and investigate robust systems capable of: (a) stretching design boundaries; (b) ensuring stable working capability under stress conditions; (c) learning from new situations for reshaping configurations and adapting to new inputs.

The authors work towards the introduction of an integrated framework that will bring all four approaches together in order to deal with unexpected situations and unavoidable accidents that complex socio-technical systems may face in the future.

Disclosure statement

No potential conflict of interest was reported by the authors.

ORCID

Alberto Martinetti http://orcid.org/0000-0002-9633-1431

References

[1] Leverson NG. Engineering a safer world: systems thinking applied to safety. Boston (MA): MIT Press; 2012.

[2] Pich MT, Loch CH, De Meyer A. On uncertainty, ambi-guity, and complexity in project management. Manage Sci. 2002;48(8):1008–1023.doi:10.1287/mnsc.48.8.1008.163 [3] Bristow M, Fang L, Hipe KW. System of systems

engi-neering and risk management of extreme events: con-cepts and case study. Risk Anal. 2012;32(11):1935–1955. doi:10.1111/j.1539-6924.2012.01867.x

[4] Aven T. The concept of antifragility and its implications for the practice of risk analysis. Risk Anal. 2015;35(3):476– 483.doi:10.1111/risa.12279

[5] Taleb NN. Anti-fragile: things that gain from disorder. London: Penguin; 2012.

[6] Bahn ST. OHS management: contemporary issues in Aus-tralia. Prahran (VIC): Tilde University Press; 2014. [7] Quinlan M, Bohle P, Lamm F. Managing occupational

health in safety: a multidisciplinary approach. 3rd ed. South Yarra (VIC): Victoria Palgrave Macmillan; 2010.

[8] Pillay M. Taking stock of hero harm: a review of theory on contemporary health and safety management in con-struction. In: Proceedings of the CIB W099 International Conference of Achieving Sustainable Construction Health and Safety; 2014 June 2–3; Lund, Sweden. Lund: Lund University Press, 2014. p. 75–85.

[9] Pillay M. Accident causation, prevention and safety man-agement: a review of the state-of-the-art. Procedia Manu. 2015;3:1838–1845.doi:10.1016/j.promfg.2015.07.224

(11)

[10] Hollnagel E, Wears RL, Braithwaite J. From Safety I to Safety II: a white paper. Odense: University of Southern Denmark; 2015.

[11] Patterson M, Deutsch ES. Safety-I, Safety-II and resilience engineering. Curr Probl Pediatr Adolesc Health Care. 2015;45(12):382–389. doi:10.1016/j.cppeds.2015.10.001

[12] Besnard D, Hollnagel E. I Want to believe: some myths about the management of industrial safety. Cogn Technol Work. 2014;16(1):13–23. doi:10.1007/s10111-012-0237-4

[13] European Organisation for the Safety of Air Navigation (Eurocontrol). From Safety-I to Safety-II: a white paper; Brussels: Eurocontrol; 2013. Available from: http://www.skybrary.aero/bookshelf/books/2437.pdf

[14] Le Coze JC. Vive la diversité! High reliability organisation (HRO) and resilience engineering (RE). Saf Sci. In Press. [Available online 2016 Apr 26]; [10 p]. Corrected proof available at http://doi.org/10.1016/j.ssci.2016.04.006

[15] Rasmussen J. The role of error in organizing behaviour. Qual Saf Health Care. 2003;12:377–383. doi:10.1136/qhc.12.5.377

[16] Woods D, Cook RI. Mistaking error. In: Hatlie MJ, Youngberg BJ, editors. Patient safety handbook. Burlington (MA): Jones & Bartlett; 2004. p. 95–108.

[17] Pettersen KA, Schulman PR. Drift, adaptation, resilience and reliability: toward an empirical clarification. Saf Sci. In Press. [Available online 2016 Mar 26]: [9 p]. Corrected proof available at http://doi.org/10.1016/j.ssci.2016.03.004

[18] Woods DD. Four concepts for resilience and the implications for the future of resilience engineering. Reliab Eng Syst Safety. 2015;141:5–9. doi:10.1016/j.ress.2015.03.018

[19] Verhulst E. Applying systems and safety engineering principles for antifragility. Procedia Comput Sci. 2014;32:842–849. doi:10.1016/j.procs.2014.05.500

[20] Jones KH. Engineering antifragile systems: a change in design philosophy. Procedia Comput Sci. 2014;32:870–875. doi:10.1016/j.procs.2014.05.504

[21] Andersen B, Fagerhaug T. Root cause analysis: simplified tools and techniques. Milwaukee (WI): American Society for Quality, Quality Press; 2003.

[22] Wears R. Standardization and its discontents. Cogn Technol Work. 2015;17(1):89–94.

[23] De Florio V. Antifragility = elasticity + resilience + machine learning models and algorithms for open system fidelity. Procedia Comput Sci. 2014;32:834–841. doi:10.1016/j.procs.2014.05.499

[24] European Committee for Standardization (CEN). Mobile elevating work platforms design calculations – stability criteria – construction – safety – examinations and tests. Brussels: CEN; 2013. Standard No. EN 280:2013.

[25] Luzzi R, Passannanti S, Patrucco M. Advanced technique for the in-depth analysis of occupational accidents. Chem Eng Trans. 2015;43:1219–1224.

[26] Reason JT. Human error: models and management. BMJ. 2000;320:768–770. doi:10.1136/bmj.320.7237.768

[27] Pira E, Borchiellini R, Maida L, et al. Occupational S&H in the case of large public facilities: a specially designed and well-tested approach. Chem Eng Trans. 2015;43:2155–2160.

[28] Cirio C, Maida L, Patrucco M, et al. Innovative technologies and related accident scenarios: the importance of the culture of safety in activities involving mobile elevating work platforms. GEAM. 2016;16(1):21–30.

[29] Concilio A, Dimino I, Lecce L, et al., editors. Morphing wings technologies: large commercial aircraft and civil helicopters. Oxford: Butterworth-Heinemann; 2018.

[30] Ferrari S.p.A. Innovations: aerodynamics Ferrari 458 Italia. 2017 [cited 2017 Dec 6]. Available from: http://auto.ferrari.com/en_US/sports-cars-models/past-models/458-italia/#innovations-aerodynamics-3
