Better Than a Baker's Dozen

NEWSLETTER ARTICLE

Recently Walt Boyes of Control Magazine asked me why, if we keep adding all these safety systems/programs, plants still blow-up. This triggered a memory of a 20-year-old conversation with Gary Klein of Klein Associates who had mentioned that increased use of safety systems can lead to accidents. Gary didn't remember the conversation per se, but he put me onto "Managing the Risks of Organizational Accidents" by James Reason (1997. Hants, England: Ashgate Publishing Limited.) Everything that follows is from that book, generally verbatim, from which you will learn more than from a dozen Baker Reports.

All technological organizations produce something. To the extent that productive operations expose people and assets to danger, all organizations require various forms of protection to intervene between local hazards and their possible victims and lost assets. Since protection consumes productive resources, such as people, money and materials, grossly overprotected organizations would soon go out of business. If the available protection falls far short of that needed for productive safety, then these organizations face a very high risk of suffering a catastrophic accident (which also may mean going out of business).

Despite frequent protestations to the contrary, the partnership between production and protection is rarely equal, and one of these processes will predominate. Since production creates the resources that make protection possible, its needs will generally have priority throughout most of an organization's lifetime. It is only after a bad accident or a frightening near-miss that protection comes (for a short period) uppermost in the minds of those who manage an organization.

Improvements in protection are often put in place during the period immediately following a bad event. Although the aim is to avoid a repetition of an accident, it is soon appreciated that the improved defenses confer productive advantages. Ship owners soon discovered that marine radar allowed their merchant vessels to travel at greater speed through crowded or confined seaways. In short, protective gains are frequently converted into productive advantages, leaving the organization with the same inadequate protection that prevailed before the event or with something even worse.

The presence of sophisticated defenses-in-depth, more than any other factor, has changed the character of industrial accidents. In earlier technologies, there were (and to the extent that they continue to operate, still are) a relatively large number of individual accidents. In modern technologies, such as nuclear power and air transportation, there are very few individual accidents. Their greatest danger comes from the rare, but often disastrous, organizational accidents involving causal contributions from many different people distributed widely both throughout the system and over time.

Defenses-in-depth are a mixed blessing. One of their more unfortunate consequences is that they make systems more complex, and hence more opaque, to the people who operate and manage them. Human controllers have, in many such systems, become increasingly remote, both physically and intellectually, from the productive systems which they nominally control. This allows the insidious build-up of latent conditions.

Defenses-in-depth have made modern technological systems largely immune to isolated failures. As such, they are the single feature most responsible for the emergence of organizational accidents. No one defensive layer is entirely intact. Each one possesses gaps and holes created by combinations of active failures (errors and violations committed by front line personnel) and latent conditions (the consequences of top-level decisions having delayed-action effect upon the integrity of various defensive layers).

There is no such thing as absolute safety. So long as natural hazards, human fallibility, latent conditions, and the possibility of chance conjunction continue to exist, then even the most intrinsically resistant organizations can still have accidents. By the same token, "lucky" but unsafe organizations can still escape accidents for long periods of time. Organizations can, of course, make their own luck to some degree, but never completely.

Effective safety management means actively navigating the safety space [the continuum between high resistance to accidents and high vulnerability] in order to reach and then remain within the zone of maximum resistance. To do this, managers must understand the nature of the forces acting upon the organization, as well as the kinds of information needed to fix their current position. To reach the target region and then stay there, two things are necessary: an internal "engine" to drive the organization in the right direction, and navigational aids to plot their progress.

Three ingredients are vital for driving the safety engine, all of them the province of top management. These driving forces are commitment [(1) motivation to go beyond just meeting regulations and (2) resources in money and high caliber people], competence (highly related to the organization's safety information system), and cognizance (correct awareness of the dangers that threaten the organization). Safety measures are like religion: there is a great deal of praying (process), but few miracles (product).

So why after OSHA1910.119, ISA S84, PSM, and the like do we still have fires/explosions? Because these regulations essentially provide a defense-in-depth that results in (1) enabling plants to operate closer to their safe limit and (2) a probability (although small) of all the holes/gaps in the defenses aligning to result in a catastrophic failure. Minimizing the potential for this to happen to your plant—and it can happen to the safest plants—requires both management commitment and a safety information system to allow management to know how they are doing.

 Copyright 2008 Beville Operator Performance Specialists, Inc., All Rights Reserved