ABSTRACT

Research into system safety faces a conundrum: while there have been significant developments in the understanding of how accidents occur, there have been no comparable developments in the understanding of how engineers can adequately assess and reduce risks. The archetype of a simple linear model is Heinrich's Domino model, which explains accidents as the linear propagation of a chain of causes and effects. This model was associated with one of the earliest attempts at formulating a complete theory of safety, expressed in terms of ten axioms of industrial safety. The real challenge for system safety, and therefore also for resilience engineering, is to recognise that complex systems are dynamic and that a state of dynamic stability may sometimes change into a state of dynamic instability. This change may be either abrupt, as in an accident, or slow, as in a gradual erosion of safety margins.