Stop counting what goes wrong

HITS-Learning
April 14, 20263 min read

A perfect incident record tells you incidents weren't recorded — not that your system is safe. Be better than yesterday by investing in understanding why operations succeed, not just cataloguing the ones that don't.

Safety-I versus Safety-II — shifting from measuring failures to understanding why operations succeed

For most of the history of occupational safety, progress has been measured by a single question: how many things went wrong? Lost Time Injury Frequency Rates. Total Recordable Incident Rates. Near-miss counts. Audit non-conformances. These metrics have driven genuine improvements in many industries, and the disciplines that produced them — hazard identification, barrier management, incident investigation — remain essential. The problem is not that they exist. The problem is that they are incomplete, and in some circumstances actively misleading.

A low incident rate tells you that your recorded incidents are low. It tells you nothing about whether your system is genuinely resilient — whether it has the adaptive capacity to absorb unexpected variability, whether the everyday intelligence of your workforce is functioning well, whether the conditions for a serious incident are accumulating quietly beneath a surface that appears calm. You can have a perfect incident record in the quarter before a catastrophe. Many organisations have.

Erik Hollnagel's distinction between Safety-I and Safety-II addresses this directly. Safety-I is the traditional paradigm: safety is defined as the absence of negative outcomes, and the work of safety is to identify and eliminate the causes of those outcomes. Safety-II is a different framing: safety is defined as the presence of the capacity to succeed under varying conditions, and the work of safety is to understand how the system produces acceptable outcomes and to protect and develop that capacity.

A perfect incident record tells you that nothing was recorded. It says very little about whether your system is genuinely safe.

The practical difference between these two framings is significant. Safety-I thinking leads to investigations when things go wrong and compliance auditing when they do not. Safety-II thinking leads to a continuous interest in how work is actually being done — what adaptive strategies workers are using, where the system is under strain, what informal knowledge is keeping things functioning. Both perspectives are necessary. Safety-II does not replace Safety-I. It adds a dimension of understanding that Safety-I cannot provide.

One of the more counterintuitive implications of Safety-II thinking is that expertise and experience — the things organisations most value in their workforce — are also sources of variability that need to be understood, not just leveraged. An experienced worker does not follow procedures more precisely than a novice. They adapt, interpret, and improvise more effectively. This is what makes them valuable. It is also what makes their performance harder to predict and harder to audit. Understanding how experience shapes performance — and creating environments where that understanding is shared and developed — is a different task from ensuring compliance with a checklist.

Safety-II thinking also changes the purpose of debriefs and reviews. Rather than asking "what went wrong and who is responsible?", it asks "how did the team manage this situation, what decisions were made, what would have been useful to know, what would we do differently?" This produces learning regardless of outcome — which means it produces learning far more frequently than incident-triggered review alone.

The objection that sometimes arises is practical: Safety-II is harder to measure. You cannot put "adaptive capacity" in an annual report. This is true, and it is a genuine constraint for organisations operating under compliance regimes that demand quantitative evidence. The response is not to abandon measurement but to recognise that what you can most easily measure is not necessarily what matters most. The organisations that understand their own resilience — that have genuine intelligence about how their system functions under pressure — are the ones that can have an informed conversation about both.

Count what goes wrong. You have to. But also invest in understanding why things go right. You cannot protect what you do not understand.

Gareth Lock is the founder of The Human Diver and Human in the System — two organisations built on a single conviction: that most unwanted events in high-risk environments are system failures, not people failures. Through structured courses, immersive simulations, incident investigation, and keynote speaking, he brings frameworks from military aviation and academic human factors research into the practical reality of diving and high-risk industry. His work spans recreational and technical divers learning non-technical skills for the first time, through to senior safety leaders restructuring how their organisations investigate, debrief, and learn. Everything sits under one guiding principle: be better than yesterday.

Gareth Lock

Gareth Lock is the founder of The Human Diver and Human in the System — two organisations built on a single conviction: that most unwanted events in high-risk environments are system failures, not people failures. Through structured courses, immersive simulations, incident investigation, and keynote speaking, he brings frameworks from military aviation and academic human factors research into the practical reality of diving and high-risk industry. His work spans recreational and technical divers learning non-technical skills for the first time, through to senior safety leaders restructuring how their organisations investigate, debrief, and learn. Everything sits under one guiding principle: be better than yesterday.

LinkedIn logo icon
Back to Blog