In many jobs there is some process people are expected to follow that still leaves room for them to make a horrible mistake.

Take the example of a standard four-way intersection with a traffic light. In theory one group of drivers stops at a red light while the other group enters on a green light. But only convention and fear prevent two drivers from entering the intersection at the same time and colliding. The infrastructure relies on everyone doing the right thing to prevent a crash. These crashes do happen. When they do, it is easy to blame the individual, to say they must have been distracted, intoxicated, or asleep, and that may be the case. But the infrastructure allowed the accident to occur.

Roundabout

Holmen, Wisconsin roundabout by Holmen High School

Take another example: the roundabout. In this kind of intersection there is usually a hill or a monument in the middle to block access to the center and force drivers to go around the circle. The entrance lanes curve to force drivers into the correct direction, and the curve is sharp enough to force them to slow down. So the worst-case scenario of the traditional four-way intersection, two drivers entering at full speed from crossing directions, is simply not allowed by the infrastructure. Collisions still occur, but they tend to be between cars moving in the same general direction at lower speed. Studies have shown that roundabouts are safer than traditional intersections, with a 37% reduction in collisions and a 90% reduction in fatalities.

The idea that people will make mistakes, but that the infrastructure should not allow those mistakes to become critical failures, is one of the tenets of Vision Zero:

“Vision Zero recognizes that people will sometimes make mistakes, so the road system and related policies should be designed to ensure those inevitable mistakes do not result in severe injuries or fatalities. This means that system designers and policymakers are expected to improve the roadway environment, policies (such as speed management), and other related systems to lessen the severity of crashes.”

That’s great but I don’t drive that much, how does this apply to me?

The tendency is for people to design stop signs. We create processes and then put up a sign that says “Do not run if another job is still running” or “Do not promote if the pipeline is not green,” instead of having the system assert its own preconditions before it does anything. Then, when people ignore the instructions and run two jobs anyway, we yell at them, fire them, or make them write an incident report. At a four-way intersection the penalty for getting it wrong is death, and people still get it wrong. Do we really think another meeting about the correct procedure for deploying database schema changes is going to get people to do it right? The check has to live in the system, as something the job verifies and refuses on, not on a sign or in a confirmation prompt a tired operator can click through. So when the new hire pushes the button despite the big sign saying “DO NOT PUSH BUTTON,” it’s worth remembering that people make mistakes, so systems need to be designed not to allow for critical failures.
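Here is what “the system asserts its preconditions” looks like in practice, as an added example that is not code from the original post. It is a promotion step that enforces the two signs above instead of posting them: it takes an exclusive, non-blocking file lock so a second copy cannot run alongside the first (the kernel drops the lock if the job crashes, so there is no stale lock to clean up), and it refuses to deploy unless a pipeline result exists for the exact commit and that result is green. The `PipelineStatus` records, the `"green"`/`"red"` state vocabulary, and the `deploy` callback are constructed stand-ins for a CI API and a real deploy step; the code assumes a POSIX system with `fcntl`.

```python
"""A promote step that refuses to run unless its preconditions hold.

Added illustration, not the original post's code. The pipeline results and
the deploy callback are constructed stand-ins for a CI system and a real
deployment; the lock uses POSIX flock via fcntl.
"""
import fcntl
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional


class PreconditionFailed(Exception):
    """The system refused to act; the dangerous step was never reached."""


@dataclass
class PipelineStatus:
    commit: str
    state: str  # assumed vocabulary: "green", "red", "running"


def acquire_run_lock(lock_path: str) -> int:
    """Take an exclusive, non-blocking lock; raise if another job holds it.

    flock is released automatically when the holder's process exits, even
    on a crash, so a dead job cannot leave a stale lock behind.
    """
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o644)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        raise PreconditionFailed(f"another job holds {lock_path}")
    return fd


def release_run_lock(fd: int) -> None:
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def promote(commit: str,
            status_lookup: Callable[[str], Optional[PipelineStatus]],
            lock_path: str,
            deploy: Callable[[str], str]) -> str:
    """Deploy `commit` only if no other job is running and its pipeline is green.

    Every precondition is checked by the code, not by a sign the operator
    is asked to read; a failed check raises before `deploy` is ever called.
    """
    fd = acquire_run_lock(lock_path)  # "Do not run if another job is running"
    try:
        status = status_lookup(commit)
        # Check the result belongs to this exact commit, not a nearby one.
        if status is None or status.commit != commit:
            raise PreconditionFailed(f"no pipeline result recorded for {commit}")
        if status.state != "green":  # "Do not promote if pipeline is not green"
            raise PreconditionFailed(f"pipeline for {commit} is {status.state}, not green")
        return deploy(commit)
    finally:
        release_run_lock(fd)


def run_demo() -> dict:
    """Exercise the gate against constructed pipeline results and a held lock."""
    results = {  # constructed CI results, standing in for an API lookup
        "a1b2c3": PipelineStatus("a1b2c3", "green"),
        "d4e5f6": PipelineStatus("d4e5f6", "red"),
    }
    deployed = []

    def deploy(commit: str) -> str:  # stand-in for the real deploy step
        deployed.append(commit)
        return f"deployed {commit}"

    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        lock_path = os.path.join(tmp, "promote.lock")
        outcomes["green"] = promote("a1b2c3", results.get, lock_path, deploy)
        for name, commit in (("red", "d4e5f6"), ("unknown", "ffffff")):
            try:
                promote(commit, results.get, lock_path, deploy)
                outcomes[name] = "deployed"
            except PreconditionFailed as e:
                outcomes[name] = f"refused: {e}"
        # A second operator is mid-run and holds the lock; our attempt must fail.
        other = acquire_run_lock(lock_path)
        try:
            promote("a1b2c3", results.get, lock_path, deploy)
            outcomes["concurrent"] = "deployed"
        except PreconditionFailed as e:
            outcomes["concurrent"] = f"refused: {e}"
        finally:
            release_run_lock(other)
    outcomes["deployed_commits"] = deployed
    return outcomes


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Only the green commit is ever deployed; the red, unknown, and concurrent attempts all stop at a raised `PreconditionFailed` rather than at a sign someone had to notice. The same shape applies to any “do not X unless Y” instruction: turn Y into a check the job performs, and make the failure mode a refusal rather than a reprimand.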