Safety-I and Safety-II in Outdoor Programs

A Review of Linear-Based and Systems-Informed Safety Thinking


Professionals with responsibility for managing risk may have heard the terms “Safety-I” and “Safety-II” in recent years. Those who might have encountered these phrases include individuals responsible for safety in outdoor, experiential, wilderness, travel and adventure programs. But what do those terms mean? How do they apply to the day-to-day activities of outdoor safety managers?

We’ll address these questions below, and help make clear what “Safety-I” and “Safety-II” mean for those who manage risk in outdoor and related programs.


What we’ll discuss in the following pages can be summarized as follows:

  1. Safety-I describes a linear model of safety management, suitable only for simple situations

  2. Safety-II describes a safety management model informed by complex socio-technical systems theory, and is well-suited to managing complex situations

  3. These models work for managing risks in outdoor programs and elsewhere

  4. Many other terms, such as guided adaptability and Safety Differently, also describe a systems-informed safety management model

  5. Both linear (Safety-I) and systems-informed (Safety-II) risk management approaches should be used

  6. A specific systems-informed risk management model using Risk Domains and Risk Management Instruments can be employed in outdoor programs.

  7. Techniques for applying systems thinking to outdoor safety include resilience engineering (such as having extra capacity, and balancing rules and judgment), considering all risk domains, and using systems-informed planning tools such as a 'pre-mortem'

What do Safety-I and Safety-II mean?

The terms Safety-I and Safety-II refer to linear-based and systems-based safety thinking.

“Safety-I” describes an older approach to understanding risk management, based on a linear progression of causes leading to an incident.

“Safety-II” describes a more highly developed, or second-generation approach to understanding why incidents occur (and how they can be prevented)—a model that is seen as more accurately describing complex incident causation, and which is based off complex socio-technical systems theory.

(We consider “safety management” and “risk management” interchangeable, for the purposes of this discussion.)

Safety-I, or linear-based safety thinking, provides useful tools for managing risk. Safety-II, or systems-informed safety thinking, adds additional tools to how we may approach managing risks.

Ideas from both Safety-I and Safety-II should be used in a comprehensive risk management structure; one is not inherently better than the other. For optimal risk management, Safety-I and Safety-II principles should be used together.

Alternatives to the “Safety-I/Safety-II” term

The concepts described in the Safety-I/Safety-II literature have also been described using the terms ”high reliability organisations,” “resilience engineering,” and “Safety Differently.”

Although the terms “Safety-I” and “Safety-II” have entered the risk management lexicon, we can also consider using descriptors that may have, when used without immediate context, greater meaning:

Safety-I: Linear-based safety thinking

Safety-II: Systems-informed safety thinking

We’ll use both sets of terms interchangeably, below.

History of the Safety-I and Safety-II Concept

The terms “Safety-I” and “Safety-II” were coined in 2011, and most fully described in a 2014 academic textbook titled Safety-I and Safety-II, written by the eminent Danish academic Erik Hollnagel, Senior Professor at Jönköping Academy, Sweden.

The textbook provides a detailed and academically rigorous look at Safety-I and Safety-II concepts, and is well-suited for those interested in a wide-ranging intellectual dive into safety and other topics.

The concepts described by the terms Safety-I and Safety-II, however, are not entirely novel. They can be seen as a re-framing of systems thinking, specifically the application of ideas from complex socio-technical systems (STS) theory to the field of risk management.

Any concept can be explained in different ways and from a variety of perspectives. This is often useful for illuminating particular aspects of a complex concept, or exploring how the concept can be applied in certain contexts. When a set of ideas is synthesized and reframed—such as describing complex STS theory applied to safety as Safety-I/Safety-II, or describing Safety-I/Safety-II as linear-based/systems-informed safety thinking—opportunities arise for new understandings and new uses for concepts by new audiences.

Some models become more widely adopted than others. The Safety-I/Safety-II model has been applied to healthcare, aviation, and outdoor fields. How these concepts will be understood, named, and advanced in the future remains to be seen.

While the terms Safety-I and Safety-II are relatively new, the underlying idea of systems thinking is not. Systems thinking applied to the professional endeavor of risk management is relatively new, in the history of safety thinking. However, systems thinking itself is likely an ancient concept. Indigenous ideas about interconnection stretch back thousands of years, before the growth of the rational reductionist scientific mindset that one can see today.

Applications of Linear And Systems-Informed Safety Thinking

Do the concepts of Safety-I and Safety-II, or linear-based and systems-informed safety thinking, apply to me?

If you’re a professional involved in an outdoor-related field, yes. These ideas can be useful across many outdoor-related disciplines—outdoor education, outdoor recreation, experiential education and experiential learning, and outdoor adventurous activities of all types. Organizations involved in Search and Rescue have applied systems thinking to managing risks. So have those in the environmental conservation/restoration field, such as with conservation corps programs.

Professionals involved in wilderness risk management, outdoor and travel risk assessment, and safety management of experiential programs worldwide can usefully apply these ideas to their program’s management of risk.

Safety-I and Safety-II, along with other systems-informed models of risk management, arose largely in response to the mechanized risk management systems in place in large industrial and bureaucratic settings such as factories, power plants, and hospitals. Many well-run, larger outdoor education programs, however, have been integrating aspects of systems-informed risk management in their practice for many years. The approaches described here will appear familiar to individuals in those organizations.

Safety-I and Safety-II Risk Management in Detail

Let’s look more closely at what Safety-I and Safety-II entail.

We recall that Safety-II, or systems-informed safety thinking, builds on the ideas Safety-I or linear-based safety thinking. We’ll look more closely at both of these approaches to managing risk.

There are many ways to explain linear-based and safety-informed thinking. Here we’ll present information that is of practical value and useful to know.

Across 180 pages, the Safety-I and Safety II text referenced above talks about many other subjects, such as a proposition to avoid the idea of ‘causality;’ these explorations may be more intellectually interesting than of direct practical use, and are not covered here.

Safety-I, or Linear-Based Safety Thinking

In linear safety thinking, an incident occurs, which has one or more, typically identifiable, causes, which lead to the incident. This progress of cause or causes à incident occurs in a logical, straight-line sequence.

This, however, is generally not how incidents, particularly major incidents, occur. But since the start of the Industrial Revolution in the 18th century, this has commonly been how incidents have been viewed.

This linear chain-of-causation thinking is exemplified in the following 13th century nursery rhyme:

For want of a nail the horseshoe was lost.

For want of a horseshoe the horse was lost.

For want of a horse the rider was lost.

For want of a rider the battle was lost.

For want of a battle the kingdom was lost.

The fishbone diagram is used to illustrate the cause-and-effect relationship. An example, showing the causes of a hiker’s slip and fall, resulting in an injury, is below.

Safety-II, or Systems-Informed Safety Thinking

A systems-informed approach to safety provides a more accurate model of how incidents, particularly major ones, occur. This model, based off of complex socio-technical systems theory, is better able to address complex incidents (or complex problems).

Examples of complex problems include preventing a critical incident, such as a permanently disabling injury. They also include the global climate emergency, and international refugee flows.

The global flow of refugees is an example of an issue existing within a complex socio-technical system.

All of these are examples of things that take place in a complex socio-technical milieu, of people and technology. Problems are best addressed by applying solutions of a level of complexity equal to that existing in the problem to be resolved. These issues, then, are best addressed using systems thinking.

Characteristics of complex problems requiring systems thinking include:

  1. Difficulty in achieving widely shared recognition that a problem even exists, and agreeing on a shared definition of the problem

  2. Difficulty identifying all the specific factors that influence the problem

  3. Limited or no influence or control over some causal elements of the problem

  4. Uncertainty about the impacts of specific interventions

  5. Incomplete information about the causes of the problem and the effectiveness of potential solutions

  6. A constantly shifting landscape where the nature of the problem itself and potential solutions are always changing

Incidents Occurring Within a Complex System

Let’s look briefly at three examples of complex incidents best resolved by applying systems thinking. The first, involving disease prevention, illustrates the complexity of systems in general; the latter two are specific to outdoor programs.

Parachuting Cats

In the early 1950s, the Dayak people in Borneo suffered from malaria.

The World Health Organization had a solution: they sprayed large amounts of the pesticide DDT to kill the mosquitoes that carried the malaria. The mosquitoes died; the malaria declined. So far, so good. But there were side effects.

Among the first was that the roofs of people’s houses began to fall down. It seemed that the DDT was killing a parasitic wasp that had previously controlled thatch-eating caterpillars.

Worse, the DDT-poisoned insects were eaten by geckoes. The geckoes, in turn, were eaten by cats. The cats died. The rat population, previously controlled by cats, boomed. People now were threatened by outbreaks of rat-borne sylvatic plague and typhus.

To cope with these problems, which it had itself created, the World Health Organization called in the Royal Air Force-Singapore to parachute up to 14,000 live cats into Borneo.

The presence of a complex system, where an initial intervention has unintended consequences, is evident.

Ropes Course Fatality

A 17-year-old boy suffered a fatal fall off a home-made giant swing at a ropes course in Victoria Australia in 2001.

The child fell about 10 meters to the ground on his head as he was preparing to ride upside down on a giant swing-type activity called "The Rip Swing."

The participant was attached by a single screw-gate carabiner, which was attached to a second screw-gate carabiner, which was attached to a cable. A tow rope, used by helpers on the ground to manually haul the participant to height, was attached to the second carabiner at a 90 degree angle. Although it was recognized that a participant positioned upside-down increased risks of carabiner unscrewing and head injury, this was permitted.

The investigation cited a variety of causes, including:

  • Improper use of carabiners

  • Lack of required backup or fail-safe systems, as specified in the relevant Australian Standard

  • Participant was improperly positioned upside-down, in a way in which the Rip Swing was not designed to be used

  • Victorian WorkCover Authority (the government’s health and safety agency), which had inspected the facility repeatedly over multiple years, failed to identify unsafe swing operation

  • The Camping Association of Victoria (which assessed the site as part of its voluntary accreditation program) failed to comment on the lack of fail-safe backup, and, as accreditation is voluntary, was unable to prevent future incidents due to lack of authority

  • Occupational safety legislation was deficient. The Rip Swing did not fall under Health and Safety regulations owing to a loophole which exempted any item that “relies exclusively on manual power for its operation.”

  • Government certification and inspection of adventure facilities was absent

The investigator found causes far beyond the actual ropes course device, implicating the facility operator, the health and safety agency, the industry association, and the state Legislature.

Multiple Drowning at Outdoor Education Centre

In 2008 at a well-respected outdoor center in New Zealand, seven participants on an outdoor adventure program drowned in a flood during a canyon hike through Mangatepopo Gorge. The outdoor centre had been running for over 30 years, and had numerous safety systems in place.

Yet investigations showed a variety of contributing factors, involving safety culture, equipment, staff training, administrative practices, weather agency operations, and government oversight, among others.

The factors included:

  • The organization had a history of blaming staff for accidents, rather than addressing underlying issues

  • Participant swimming ability, required by Centre policy to be assessed, was not checked, nor was there any routine system to do so

  • Program management did not read the weather map supplied to the Centre by MetService (the national weather service), which would have alerted staff about heavy rain

  • The instructor was not formally assigned a mentor, who could provide safety guidance, as described in the Centre’s policies

  • Staff to participant ratios were inadequate

  • The instructor was permitted to lead the Gorge trip without having read and signed the Risk Analysis and Management System document describing Gorge risks and management strategies, as required

  • A map of the gorge with emergency escapes was available, but was never given to the instructor. Contrary to Centre policy, the instructor was never shown and familiarized with all the emergency escapes

  • The group passed by a “high water escape” shortly before sheltering from floodwaters on a ledge, but due to inadequate instructor training and experience, did not take advantage of it

  • A radio communications system to eliminate spots of no radio reception in the canyon was not in place

  • Radio procedures were unclear to rescuers, leading to confusion and inefficient communications

  • The Instructor Handbook was not sufficiently correlated with the Risk Analysis, and the Risk Analysis document was incomplete

  • A documented history of problems with instructors with inadequate experience or program area knowledge, inadequate supervision ratios, and flood incidents was not addressed

  • The impact of financial pressure led to pressure to accept bookings even if suitable staff were not available

  • The weather report issued by MetService used by staff mistakenly omitted the word “thunderstorm,” which could have alerted staff to heavy rains

  • MetService did not follow up to address the error in its forecast

  • The New Zealand government did not ensure safety standards for outdoor adventure programs were met, for example by a licensing scheme

  • An external safety audit by the outdoor industry association was being conducted on the day of the tragedy. Despite the death and the many issues leading to it, those issues were not addressed in the audit.

Other terms used to describe the concepts of “Safety-I” and “Safety-II”

We’ve described Safety-I as linear-based safety thinking, and Safety-II as another name for systems-informed safety thinking. Theoreticians use other terms to explain these two contrasting approaches to management of risk.

Some terms (such as “resilience engineering”) may be more easily understood or be somewhat self-explanatory; others (such as “Safety-II”) may inherently mean little without additional context.

Alternate descriptors may approach the Safety-I – Safety-II dichotomy from a slightly different perspective, or emphasize varying aspects of the difference in the approaches to risk management. Risk managers can adopt whichever terms seem most useful for them and their context.

Centralized Control and Guided Adaptability

One alternate set of terms that attempts to describe the characteristics of Safety-I and Safety-II, used by Griffith University's David Provan and others, is centralized control and guided adaptability.

“Centralized control” refers to the process of organizing and controlling the organization and its staff through a central determination by executive management of what risks and control measures are appropriate. “Guided adaptability” refers to supporting individuals and the entire organization to continually anticipate emergent risks and—without reliance on rules established by executives—to adapt to, or effectively respond to, those novel issues and challenges.

Plan and Conform, and Plan and Revise

Other terms used to express the same two approaches include “plan and conform” and “plan and revise.” In “plan and conform,” executives develop safety management plans, and personnel follow the plans. In “plan and revise,” pre-established plans are still drawn up, but it is expected that deviation from the plan will be necessary, in order to appropriately respond to unforeseen circumstances.

Safety Differently

Sidney Dekker, also of Griffith University, uses the term “Safety Differently” to describe what Hollnagel characterizes as “Safety-II”—fundamentally, building the capacity of workers to adapt and make good decisions to effectively respond to the ever-changing risk environment, rather than focusing safety efforts on imposing rigid top-down rules on workers.

Resilience Engineering

The actions taken from a Safety-II perspective are also described as “resilience engineering.” Resilience engineering focuses on building the capacity of a system to successfully adapt so as to continue normal operations despite unanticipated challenges and deviations, based off of the understanding that in complex systems, unforeseen issues will predicably arise--but what they are, and when and how they will appear, is unknowable.

Use Both Linear and Systems-Based Safety Models

Linear-based (aka Safety-I) and systems-based (aka Safety-II) models of incident causation and prevention are based on different ideas of why incidents occur, and how the probability and severity of future mishaps may be minimized.

Both approaches have value, and in a complete risk management system, both approaches should be used.

A common mis-perception among individuals exposed to the ideas of Safety-I and Safety-II is that one is old-fashioned, obsolete, and should not be used, and the other is the shiny new model that ought to be adopted. Although even the subtitle of Hollnagel’s canonical text on the subject, Safety-I and Safety-II: The Past and Future of Safety Management, might lead one to such a conclusion, this is incorrect. In fact, both should be used—and the trick is to skillfully apply both models in the proper balance.

The benefit of using linear-based safety thinking

The linear-based understanding of safety presumes that incidents happen, from one or more usually identifiable causes. The task, then, is to find those causes, and prevent them from recurring. In this way, one prevents future incidents.

This method of risk management is useful, particularly in very simple incidents with relatively simple solutions—which may be the majority of incidents a risk manager experiences.

For instance, in the outdoor context, suppose that incident reports over several months show a trend of increasing incidents where hikers get uncomfortable itchy, blistering skin rashes due to an allergic response from contacting a plant such as poison oak or poison ivy (Toxicodendron spp.).

A linear-based response might be to add additional staff training about plant identification and avoidance, and add a clay (bentoquatam)-based blocker lotion and soap to the first aid kit.

Why is the poison oak growing more vigorously over the trail? Contributing factors could be many, and might include the global climate crisis, decreased land management agency trail maintenance budgets, or changes in hiker behavior.

It might not ever be possible to know which factors contributed and how much, and some causal factors may be difficult for an outdoor program to influence. However, even though the causes may be complex or unknown, the practical solution can be relatively simple.

The benefit of using systems-based safety thinking

The systems-informed understanding of safety recognizes that we may not know all the causes of an incident. And even if we do know some, we may not know exactly how to prevent them from influencing future outcomes.

Therefore, a sound approach is to build resilience into the organization, to reduce the probability and severity of incidents that will—likely inevitably, presuming the organization continues to exist—continue to occur.

This approach can help mitigate incidents not well-addressed by the more simple approach of the linear model of safety thinking.

In this way, Safety-II—systems-informed safety thinking—supplements Safety-I—linear-based safety thinking.

Safety-II does not replace Safety-I, but they complement each other in building a comprehensive risk management system well-equipped to deal with different types of risks.

Safety-II vocabulary

In Safety-I/Safety-II terminology, the Safety-II approach is framed as “don’t focus on what’s going wrong; focus on what’s going right.”

What this means is that just focusing on the causes of incidents and addressing those causes is not sufficient. Systems-informed safety thinking, after all, reminds us that incidents come about from emergent risks, or unanticipated combinations of risks.

Therefore, to successfully add the Safety-II approach to an organization accustomed to a Safety-I model, one should emphasize providing personnel with the skills, tools, values and other resources to successfully adapt to changing conditions—to emergent risks. When people use flexibility and creativity to adapt to these emergent risks, and thereby prevent incidents, that’s “what’s going right,” in Hollnagel’s terms.

Emphasizing the search for causes of past incidents—“what’s gone wrong”—and the elimination of those causes, is sometimes ineffective, in cases in which incidents spring from complex socio-technical systems, be they led outdoor activities, healthcare settings, aviation or otherwise.

In a comprehensive risk management system, the organization employs linear-based approaches to risk management, such as rules, checklists, and incident analysis. But the organization also uses systems-informed thinking, building an organization where things are mostly likely to go right. In Hollnagel’s terminology, this is a resilient system—one that maximizes “the ability to succeed under varying conditions.”

It’s not either-or: use both approaches

The importance of using both linear-based (Safety-I) and systems-based (Safety-II) models of risk management is clear. Provan et al. express this idea by saying that good risk management will “complement control with adaptability,” and in balancing the use of set structures and appropriate flexibility, “move between stability and flexibility as the context demands.”

Systems-Based Safety Thinking in Outdoor, Experiential, Wilderness, Travel and Adventure Programs

Let’s now look at how the ideas of linear-based safety thinking and systems-informed can be applied to the outdoor and experiential program context in a way that a provides practical and useable framework.

This application extends Hollnagel’s theoretical framework and includes additional elements, which can be applied to adventure, travel, wilderness and other types of outdoor and experiential programs.

The linear-based model of safety thinking reminds us that risks can be found in certain areas, such as poorly trained staff, defective equipment, and the like.

The Risk Domains model show eight areas, or domains, in which risks reside.

In addition to these eight “direct risk” domains, there are four underlying risk domains. These may indirectly affect risks, for example by influencing the regulatory environment or societal response to incidents.

However, a systems-based understanding of how incidents occur reminds us that incidents often happen due to multiple risks that combine in multiple unpredictable ways, leading to an incident.

The following illustration, then, shows the interconnections between risks in all domains, and how they may lead to an incident.

For example, a plane might crash due to a combination of inclement weather, equipment malfunction, and pilot error. Perhaps poor maintenance by ground crews, a global shortage of air traffic control agents, counterfeit components in the supply chain, and safety culture problems and shortcuts taken by the airplane manufacturer were also causes—these have all been cited as potential factors in recent airplane crashes, including those of the Boeing 737 MAX.

Although the image above shows the three components of the Risk Domains model—direct risk domains, underlying risk domains, and the network of interconnections between them and the incident—that network of causation is not always completely visible in real life.

Applying the Risk Domains Model

How, then, do we bring this model alive in managing risks of outdoor and experiential programs?

An organization performs a risk assessment (or, more accurately, multiple risk assessments, by different actors, on an ongoing basis) and identifies the risks that may reside in each risk domain for their particular organization, at least at that point in time.

The organization can then establish and maintain policies, procedures, values and systems in their organization, specific to the identified risks, to keep those risks at or below a socially acceptable level.

An example of a policy—an overarching, compulsory safety directive—might be, “a safety briefing is held prior to conducting each activity.”

A safety briefing held before a kayaking excursion.

An example of a procedure—the way something should be done, unless a clearly superior alternative exists—might be, “helmets and harnesses will be checked by a qualified staff member immediately before the participant begins rock climbing.”

An example of a value—something that is prized or held to be important—might be, “safety is important to us.”

An example of a system-- a group of interconnected elements that work together as a whole—might be a medical screening system, or a staff training system.

Include Risk Management Instruments

In addition to applying policies, procedures, values and systems to manage specific risks that have been identified as existing at an organization at a certain point in time, certain broad-based tools, or instruments, which address risks in multiple or all risk domains, can be implemented.

Eleven risk management instruments are identified below: