Banner 8

 

57. Audits, Inspections and Investigations

Chapter Editor: Jorma Saari


Table of Contents

Tables and Figures

Safety Audits and Management Audits
Johan Van de Kerckhove

Hazard Analysis: The Accident Causation Model
Jop Groeneweg

Hardware Hazards
Carsten D. Groenberg

Hazard Analysis: Organizational Factors
Urban Kjellén

Workplace Inspection and Regulatory Enforcement
Anthony Linehan

Analysis and Reporting: Accident Investigation
Michel Monteau

Reporting and Compiling Accident Statistics
Kirsten Jorgensen

Tables

Click a link below to view table in article context.

1. Strata in quality & safety policy
2. PAS safety audit elements
3. Assessment of behaviour-control methods
4. General failure types & definitions
5. Concepts of the accident phenomenon
6. Variables characterizing an accident

Figures

Point to a thumbnail to see figure caption, click to see figure in article context.

 

DIS010F2 DIS010F1 DIS010T2 DIS020F1 DIS080F1 DIS080F2 DIS080F3 DIS080F4  DIS080F5DIS080F6 DIS080F7 DIS095F1  DIS095F1

 

Thursday, 31 March 2011 15:23

Safety Audits and Management Audits

During the 1990s, the organizational factors in safety policy are becoming increasingly important. At the same time, the views of organizations regarding safety have dramatically changed. Safety experts, most of whom have a technical training background, are thus confronted with a dual task. On the one hand, they have to learn to understand the organizational aspects and take them into account in constructing safety programmes. On the other hand, it is important that they be aware of the fact that the view of organizations is moving further and further away from the machine concept and placing a clear emphasis on less tangible and measurable factors such as organizational culture, behaviour modification, responsibility-raising or commitment. The first part of this article briefly covers developments in opinions relating to organizations, management, quality and safety. The second part of the article defines the implications of these developments for audit systems. This is then very briefly placed in a tangible context using the example of an actual safety audit system based on the International Organization for Standardization (ISO) 9001 standards.

New Opinions Concerning Organization and Safety

Changes in social-economic circumstances

The economic crisis that started to impact upon the Western world in 1973 has had a significant influence on thought and action in the field of management, quality and work safety. In the past, the accent in economic development was placed on expansion of the market, increasing exports and improving productivity. However, the emphasis gradually shifted to the reduction of losses and the improvement of quality. In order to retain and acquire customers, a more direct response was provided to their requirements and expectations. This resulted in a need for greater product differentiation, with the direct consequence of greater flexibility within organizations in order to always be able to respond to market fluctuations on a “just in time” basis. Emphasis was placed on the commitment and creativity of employees as the major competitive advantage in the economic competitive struggle. Besides increasing quality, limiting loss-making activities became an important means of improving operating results.

Safety experts enlisted in this strategy by developing and instituting “total loss control” programmes. Not only are the direct costs of accidents or the increased insurance premiums significant in these programmes, but so also are all direct or indirect unnecessary costs and losses. A study of how much production should be increased in real terms to compensate for these losses immediately reveals that reducing costs is today often more efficient and profitable than increasing production.

In this context of improved productivity, reference was recently made to the major benefits of reducing absenteeism due to sickness and stimulating employee motivation. Against the background of these developments, safety policy is increasingly and clearly taking on a new form with different accents. In the past, most corporate leaders considered work safety as merely a legal obligation, as a burden they would quickly delegate to technical specialists. Today, safety policy is more and more distinctly being viewed as a way of achieving the two aims of reducing losses and optimizing corporate policy. Safety policy is therefore increasingly evolving into a reliable barometer of the soundness of the corporation’s success with respect to these aims. In order to measure progress, increased attention is being devoted to management and safety audits.

Organizational Theory 

It is not only economic circumstances that have given company heads new insights. New visions relating to management, organizational theory, total quality care and, in the same vein, safety care, are resulting in significant changes. An important turning point in views on the organization was elaborated in the renowned work published by Peters and Waterman (1982), In Search of Excellence. This work was already espousing the ideas which Pascale and Athos (1980) discovered in Japan and described in The Art of Japanese Management. This new development can be symbolized in a sense by McKinsey’s “7-S” Framework (in Peters and Waterman 1982). In addition to three traditional management aspects (Strategy, Structure and Systems), corporations now also emphasize three additional aspects ( Staff, Skills and Style). All six of these interact to provide the input to the 7th “S”, Superordinate goals (figure 1). With this approach, a very clear accent is placed on the human-oriented aspects of the organization.

Figuer 1.The values, mission and organizational culture of a corporation according to McKinsey’s 7-S Framework

 SAF020F1

The fundamental shifts can best be demonstrated on the basis of the model presented by Scott (1978), which was also used by Peters and Waterman (1982). This model uses two approaches:

  1. The closed-system approaches deny the influence of developments from outside the organization. With the mechanistic closed approaches, the objectives of an organization are clearly defined and can be logically and rationally determined.
  2. Open-system approaches take outside influences fully into account, and the objectives are more the result of diverse processes, in which clearly irrational factors contribute to decision making. These organically open approaches more truly reflect the evolution of an organization, which is not determined mathematically or on the basis of deductive logic, but grows organically on the basis of real people and their interactions and values (figure 2).

 

Figure 2.Organizational Theories

SAF045F1

Four fields are thus created in figure 2 . Two of these (Taylorism and contingency approach) are mechanically closed, and the other two (human relations and organizational development) are organically open. There has been enormous development in management theory, moving from the traditional rational and authoritarian machine model (Taylorism) to the human-oriented organic model of human resources management (HRM).

Organizational effectiveness and efficiency are being more clearly linked to optimal strategic management, a flat organizational structure and sound quality systems. Furthermore, attention is now given to superordinate goals and significant values that have a bonding effect within the organization, such as skills (on the basis of which the organization stands out from its competitors) and a staff that is motivated to maximum creativity and flexibility by placing the emphasis on commitment and empowerment. With these open approaches, a management audit cannot limit itself to a number of formal or structural characteristics of the organization. The audit must also include a search for methods to map out less tangible and measurable cultural aspects.

From product control to total quality management

In the 1950s, quality was limited to a post-factum end product control, total quality control (TQC). In the 1970s, partly stimulated by NATO and the automotive giant Ford, the accent shifted to the achievement of the goal of total quality assurance (TQA) during the production process. It was only during the 1980s that, stimulated by Japanese techniques, attention shifted towards the quality of the total management system and total quality management (TQM) was born. This fundamental change in the quality care system has taken place cumulatively in the sense that each foregoing stage was integrated into the next. It is also clear that while product control and safety inspection are facets more closely related to a Tayloristic organizational concept, quality assurance is more associated with a socio-technical system approach where the aim is not to betray the trust of the (external) customer. TQM, finally, relates to an HRM approach by the organization as it is no longer solely the improvement of the product that is involved, but continuous improvement of the organizational aspects in which explicit attention is also devoted to the employees.

In the total quality leadership (TQL) approach of the European Foundation for Quality Management (EFQM), the emphasis is very strongly placed on the equal impact of the organization on the customer, the employees and the overall society, with the environment as the key point of attention. These objectives can be realized by including concepts such as “leadership” and “people management”.

It is clear that there is also a very important difference in emphasis between quality assurance as described in the ISO standards and the TQL approach of the EFQM. ISO quality assurance is an extended and improved form of quality inspection, focusing not only on the products and internal customers, but also on the efficiency of the technical processes. The objective of the inspection is to investigate the conformity with the procedures set out in ISO. TQM, on the other hand, endeavours to meet the expectations of all internal and external customers as well as all processes within the organization, including the more soft and human-oriented ones. The involvement, the commitment and the creativity of the employees are clearly important aspects of TQM.

From Human Error to Integrated Safety

Safety policy has evolved in a similar manner to quality care. Attention has shifted from post-factum accident analysis, with emphasis on the prevention of injuries, to a more global approach. Safety is seen more in the context of “total loss control” - a policy aimed at the avoidance of losses through management of safety involving the interaction of people, processes, materials, equipment, installations and the environment. Safety therefore focuses on the management of the processes that could lead to losses. In the initial development period of safety policy the emphasis was placed on a human error approach. Consequently, employees were given a heavy responsibility for the prevention of industrial accidents. Following a Tayloristic philosophy, conditions and procedures were drawn up and a control system was established to maintain the prescribed standards of behaviour. This philosophy may filter through into modern safety policy via the ISO 9000 concepts resulting in the imposition of a sort of implicit and indirect feeling of guilt upon the employees, with all the adverse consequences this entails for the corporate culture - for instance, a tendency may develop that performance will be impeded rather than enhanced.

At a later stage in the evolution of safety policy, it was recognized that employees carry out their work in a particular environment with well-defined working resources. Industrial accidents were considered as a multicausal event in a human/machine/environment system in which the emphasis shifted in a technical-system approach. Here again we find the analogy with quality assurance, where the accent is placed on controlling technical processes through means such as statistical process control.

Only recently, and partly stimulated by the TQM philosophy, has the emphasis in safety policy systems shifted into a social-system approach, which is a logical step in the improvement of the prevention system. In order to optimize the human/machine/environment system it is not sufficient to ensure safe machines and tools by means of a well-developed prevention policy, but there is also the need for a preventive maintenance system and the assurance of security among all technical processes. Moreover, it is of crucial importance that employees be sufficiently trained, skilled and motivated with regard to health and safety objectives. In today’s society, the latter objective can no longer be achieved through the authoritarian Tayloristic approach, as positive feedback is much more stimulating than a repressive control system that often has only negative effects. Modern management entails an open, motivating corporate culture, in which there is a common commitment to achieving key corporate objectives in a participatory, team-based approach. In the safety-culture approach, safety is an integral part of the objectives of the organizations and therefore an essential part of everyone’s task, starting with top management and passing along the entire hierarchical line down to employees on the shop floor.

Integrated safety

The concept of integrated safety immediately presents a number of central factors in an integrated safety system, the most important of which can be summarized as follows:

A clearly visible commitment from the top management. This commitment is not only given on paper, but is translated right down to the shop floor in practical achievements.

Active involvement of the hierarchical line and the central support departments. Care for safety, health and welfare is not only an integral part of everyone’s task in the production process, but is also integrated into the personnel policy, into preventive maintenance, into the design stage and into working with third parties.

Full participation of the employees. Employees are full discussion partners with whom open and constructive communication is possible, with their contribution being given full weight. Indeed, participation is of crucial importance for carrying through corporate and safety policy in an efficient and motivating way.

A suitable profile for a safety expert. The safety expert is no longer the technician or jack of all trades, but is a qualified adviser to the top management, with particular attention being devoted to optimizing the policy processes and the safety system. He or she is therefore not someone who is only technically trained, but also a person who, as a good organizer, can deal with people in an inspiring manner and collaborate in a synergetic way with other prevention experts.

A pro-active safety culture. The key aspect of an integrated safety policy is a pro-active safety culture, which includes, among other things, the following:

  • Safety, health and welfare are the key ingredients of an organization’s value system and of the objectives it seeks to attain.
  • An atmosphere of openness prevails, based on mutual trust and respect.
  • There is a high level of cooperation with a smooth flow of information and an appropriate level of coordination.
  • A pro-active policy is implemented with a dynamic system of constant improvement perfectly matching the prevention concept.
  • The promotion of safety, health and welfare is a key component of all decision-making, consultations and teamwork.
  • When industrial accidents occur, suitable preventive measures are sought, not a scapegoat.
  • Members of staff are encouraged to act on their own initiative so that they possess the greatest possible authority, knowledge and experience, enabling them to intervene in an appropriate manner in unexpected situations.
  • Processes are set in motion with a view to promoting individual and collective training to the maximum extent possible.
  • Discussions concerning challenging and attainable health, safety and welfare objectives are held on a regular basis.

 

Safety and Management Audits

General description

Safety audits are a form of risk analysis and evaluation in which a systematic investigation is carried out in order to determine the extent to which the conditions are present that provide for the development and implementation of an effective and efficient safety policy. Each audit therefore simultaneously envisions the objectives that must be realized and the best organizational circumstances to put these into practice.

Each audit system should, in principle, determine the following:

  • What is management seeking to achieve, by what means and by what strategy?
  • What are the necessary provisions in terms of resources, structures, processes, standards and procedures that are required to achieve the proposed objectives, and what has been provided? What minimum programme can be put forward?
  • What are the operational and measurable criteria that must be met by the chosen items to allow the system to function optimally?

 

The information is then thoroughly analysed to examine to what extent the current situation and the degree of achievement meet the desired criteria, followed by a report with positive feedback that emphasizes the strong points, and corrective feedback that refers to aspects requiring further improvement.

Auditing and strategies for change

Each audit system explicitly or implicitly contains a vision both of an ideal organization’s design and conceptualization, and of the best way of implementing improvements.

Bennis, Benne and Chin (1985) distinguish three strategies for planned changes, each based on a different vision of people and of the means of influencing behaviour:

  • Power-force strategies are based on the idea that the behaviour of employees can be changed by exercising sanctions.
  • Rational-empirical strategies are based on the axiom that people make rational choices depending on maximizing their own benefits.
  • Normative-re-educative strategies are based on the premise that people are irrational, emotional beings and in order to realize a real change, attention must also be devoted to their perception of values, culture, attitudes and social skills.

 

Which influencing strategy is most appropriate in a specific situation not only depends on the starting vision, but also on the actual situation and the existing organizational culture. In this respect it is very important to know which sort of behaviour to influence. The famous model devised by Danish risk specialist Rasmussen (1988) distinguishes among the following three sorts of behaviour:

  • Routine actions (skill-based behaviour) automatically follow the associated signal. Such actions are carried out without one’s consciously devoting attention to them - for example, touch-typing or manually changing gears when driving.
  • Actions in accordance with instructions (rule-based) require more conscious attention because no automatic response to the signal is present and a choice must be made between different possible instructions and rules. These are often actions which can be placed in an “ifthen” sequence, as in “If the meter rises to 50 then this valve must be closed”.
  • Actions based on knowledge and insight (knowledge-based) are carried out after a conscious interpretation and evaluation of the different problem signals and the possible alternative solutions. These actions therefore presuppose a fairly high degree of knowledge of and insight into the process concerned, and the ability to interpret unusual signals.

 

Strata in behavioural and cultural change

Based on the above, most audit systems (including those based on the ISO series of standards) implicitly depart from power-force strategies or rational-empirical strategies, with their emphasis on routine or procedural behaviour. This means that insufficient attention is paid in these audit systems to “knowledge-based behaviour” that can be influenced mainly via normative–re-educative strategies. In the typology used by Schein (1989), attention is devoted only to the tangible and conscious surface phenomena of the organizational culture and not to the deeper invisible and subconscious strata that refer more to values and fundamental presuppositions.

Many audit systems limit themselves to the question of whether a particular provision or procedure is present. It is therefore implicitly assumed that the sheer existence of this provision or procedure is a sufficient guarantee for the good functioning of the system. Besides the existence of certain measures, there are always different other “strata” (or levels of probable response) that must be addressed in an audit system to provide sufficient information and guarantees for the optimum functioning of the system.

In more concrete terms, the following example concerns response to a fire emergency:

  • A given provision, instruction or procedure is present (“sound the alarm and use the extinguisher”).
  • A given instruction or procedure is also familiarly known to the parties concerned (workers know where alarms and extinguishers are located and how to activate and use them).
  • The parties concerned also know as much as possible as to the “why and wherefore” of a particular measure (employees have been trained or educated in extinguisher use and typical types of fires).
  • The employee is also motivated to apply needful measures (self preservation, save the job, etc.).
  • There is sufficient motivation, competence and ability to act in unforeseen circumstances (employees know what to do in the event fire gets out of hand, requiring professional fire-fighting response).
  • There are good human relations and an atmosphere of open communication (supervisors, managers and employees have discussed and agreed upon fire emergency response procedures).
  • Spontaneous creative processes originate in a learning organiz-ation (changes in procedures are implemented following “lessons learned” in actual fire situations).

 

Table 1  lays out some strata in quality audio safety policy.

Table 1. Strata in quality and safety policy

Strategies

Behaviour

 

Skills

Rules

Knowledge

Power-force

Human error approach
Taylorism TQC

   

Rational-empirical

 

Technical system approach
PAS TQA ISO 9000

 

Normative-re-educative

 

Social system approach TQM

Safety culture  approach PAS EFQM

 

The Pellenberg Audit System

The name Pellenberg Audit System (PAS) derives from the place where the designers gathered many times to develop the system (the Maurissens Château in Pellenberg, a building of the Catholic University of Leuven). PAS is the result of intense collaboration by an interdisciplinary team of experts with years of practical experience, both in the area of quality management and in the area of safety and environmental problems, in which a variety of approaches and experiences were brought together. The team also received support from the university science and research departments, and thus benefited from the most recent insights in the fields of management and organizational culture.

PAS encompasses an entire set of criteria that a superior company prevention system ought to meet (see table 2). These criteria are classified in accordance with the ISO standard system (quality assurance in design, development, production, installation and servicing). However, PAS is not a simple translation of the ISO system into safety, health and welfare. A new philosophy is developed, departing from the specific product that is achieved in safety policy: meaningful and safe jobs. The contract of the ISO system is replaced by the provisions of the law and by the evolving expectations that exist among the parties involved in the social field with regard to health, safety and welfare. The creation of safe and meaningful jobs is seen as an essential objective of each organization within the framework of its social responsibility. The enterprise is the supplier and the customers are the employees.

Table 2. PAS safety audit elements

 

PAS safety audit elements

Correspondence with ISO 9001

1.

Management responsibility

 

1.1.

Safety policy

4.1.1.

1.2.

Organization

 

1.2.1.

Responsibility and authority

4.1.2.1.

1.2.2.

Verification resources and personnel

4.1.2.2.

1.2.3.

Health and safety service

4.1.2.3.

1.3.

Safety management system review

4.1.3.

2.

Safety management system

4.2.

3.

Obligations

4.3.

4.

Design control

 

4.1.

General

4.4.1.

4.2.

Design and development planning

4.4.2.

4.3.

Design input

4.4.3.

4.4.

Design output

4.4.4.

4.5.

Design verification

4.4.5.

4.6.

Design changes

4.4.6.

5.

Document control

 

5.1.

Document approval and issue

4.5.1.

5.2.

Document changes/modifications

4.5.2.

6.

Purchasing and contracting

 

6.1.

General

4.6.1.

6.2.

Assessment of suppliers and contractors

4.6.2.

6.3.

Purchasing data

4.6.3.

6.4.

Third party’s products

4.7.

7.

Identification

4.8.

8.

Process control

 

8.1.

General

4.9.1.

8.2.

Process safety control

4.11.

9.

Inspection

 

9.1.

Receiving and pre-start-up inspection

4.10.1.
4.10.3.

9.2.

Periodic inspections

4.10.2.

9.3.

Inspection records

4.10.4.

9.4.

Inspection equipment

4.11.

9.5.

Inspection status

4.12.

10.

Accidents and incidents

4.13.

11.

Corrective and preventive action

4.13.
4.14.

12.

Safety records

4.16.

13.

Internal safety audits

4.17.

14.

Training

4.18.

15.

Maintenance

4.19.

16.

Statistical techniques

4.20.

 

Several other systems are integrated in the PAS system:

  • At a strategic level, the insights and requirements of ISO are of particular importance. As far as possible, these are comple-mented by the management vision as this was originally devel-oped by the European Foundation for Quality Management.
  • At a tactical level, the systematics of the “Management’s Oversight and Risk Tree” encourages people to seek out what are the necessary and sufficient conditions in order to achieve the desired safety result.
  • At an operational level a multitude of sources could be drawn upon, including existing legislation, regulations and other criteria such as the International Safety Rating System (ISRS), in which the emphasis is placed on certain concrete conditions that should guarantee the safety result.

 

The PAS constantly refers to the broader corporate policy within which the safety policy is embedded. After all, an optimum safety policy is at the same time a product and a producer of a pro-active company policy. Assuming that a safe company is at the same time an effective and efficient organization and vice versa, special attention is therefore devoted to the integration of safety policy in the overall policy. Essential ingredients of a future-oriented corporate policy include a strong corporate culture, a far-reaching commitment, the participation of the employees, a special emphasis on the quality of the work, and a dynamic system of continual improvement. Although these insights also partly form the background of the PAS, they are not always very easy to reconcile with the more formal and procedural approach of the ISO philosophy.

Formal procedures and directly identifiable results are indisputably important in safety policy. However, it is not enough to base the safety system on this approach alone. The future results of a safety policy are dependent on the present policy, on the systematic efforts, on the constant search for improvements, and particularly on the fundamental optimizing of processes that ensure durable results. This vision is incorporated in the PAS system, with strong emphasis among other things on a systematic improvement of the safety culture.

One of the main advantages of the PAS is the opportunity for synergy. By departing from the systematics of ISO, the diverse lines of approach become immediately recognizable for all those concerned with total quality management. There are clearly several opportunities for synergy between these various policy areas because in all these fields the improvement of the management processes is the key aspect. A careful purchasing policy, a sound system of preventive maintenance, good housekeeping, participatory management and the stimulation of an enterprising approach by employees are of paramount importance for all these policy areas.

The various care systems are organized in an analogous manner, based on principles such as the commitment of top management, the involvement of the hierarchical line, the active participation of employees, and a valorized contribution from the specific experts. The different systems also contain analogous policy instruments such as the policy statement, annual action plans, measuring and control systems, internal and external audits and so on. The PAS system therefore clearly invites the pursuance of an effective, cost-saving, synergetic cooperation between all these care systems.

The PAS does not offer the easiest road to achievement in the short term. Few company managers allow themselves to be seduced by a system that promises great benefits in the short term with little effort. Every sound policy requires an in-depth approach, with strong foundations being laid for future policy. More important than results in the short term is the guarantee that a system is being built up that will generate sustainable results in the future, not only in the field of safety, but also at the level of a generally effective and efficient corporate policy. In this respect working towards health, safety and welfare also means working towards safe and meaningful jobs, motivated employees, satisfied customers and an optimum operating result. All this takes place in a dynamic, pro-active atmosphere.

Summary

Continual improvement is an essential precondition for each safety audit system that seeks to reap lasting success in today’s rapidly evolving society. The best guarantee for a dynamic system of continual improvement and constant flexibility is the full commitment of competent employees who grow with the overall organization because their efforts are systematically valorized and because they are given the opportunities to develop and regularly update their skills. Within the safety audit process, the best guarantee of lasting results is the development of a learning organization in which both the employees and the organization continue to learn and evolve.

 

Back

This article examines the role of human factors in the accident causation process and reviews the various preventive measures (and their effectiveness) by which human error may be controlled, and their application to the accident causation model. Human error is an important contributing cause in at least 90 of all industrial accidents. While purely technical errors and uncontrollable physical circumstances may also contribute to accident causation, human error is the paramount source of failure. The increased sophistication and reliability of machinery means that the proportion of causes of accidents attributed to human error increases as the absolute number of accidents decreases. Human error is also the cause of many of those incidents that, although not resulting in injury or death, nevertheless result in considerable economic damage to a company. As such, it represents a major target for prevention, and it will become increasingly important. For effective safety management systems and risk identification programmes it is important to be able to identify the human component effectively through the use of general failure type analysis.

The Nature of Human Error

Human error can be viewed as the failure to reach a goal in the way that was planned, either from a local or wider perspective, due to unintentional or intentional behaviour. Those planned actions may fail to achieve the desired outcomes for the following four reasons:

1. Unintentional behaviour:

    • The actions did not go as planned (slips).
    • The action was not executed (lapses).

     

    2. Intentional behaviour:

      • The plan itself was inadequate (mistakes).
      • There were deviations from the original plan (violations).

       

      Deviations can be divided in three classes: skill-, rule- and knowledge-based errors.

        1. At the skill-based level, behaviour is guided by pre-programmed action schemes. The tasks are routine and continuous, and feedback is usually lacking.
        2. At the rule-based level, behaviour is guided by general rules. They are simple and can be applied many times in specific situations. The tasks consist of relatively frequent action sequences that start after a choice is made among rules or procedures. The user has a choice: the rules are not automatically activated, but are actively chosen.
        3. Knowledge-based behaviour is shown in completely new situations where no rules are available and where creative and analytical thinking is required.

             

            In some situations, the term human limitation would be more appropriate than human error. There also are limits to the ability to foresee the future behaviour of complex systems (Gleick 1987; Casti 1990).

            Reason and Embrey’s model, the Generic Error Modelling System (GEMS) (Reason 1990), takes into account the error-correcting mechanisms on the skill-, rule- and knowledge-based levels. A basic assumption of GEMS is that day-to-day behaviour implies routine behaviour. Routine behaviour is checked regularly, but between these feedback loops, behaviour is completely automatic. Since the behaviour is skill-based, the errors are slips. When the feedback shows a deviation from the desired goal, rule-based correction is applied. The problem is diagnosed on the basis of available symptoms, and a correction rule is automatically applied when the situation is diagnosed. When the wrong rule is applied there is a mistake.

            When the situation is completely unknown, knowledge-based rules are applied. The symptoms are examined in the light of knowledge about the system and its components. This analysis can lead to a possible solution the implementation of which constitutes a case of knowledge-based behaviour. (It is also possible that the problem cannot be solved in a given way and that further knowledge-based rules have to be applied.) All errors on this level are mistakes. Violations are committed when a certain rule is applied that is known to be inappropriate: the thinking of the worker may be that application of an alternative rule will be less time-consuming or is possibly more suitable for the present, probably exceptional, situation. The more malevolent class of violations involves sabotage, a subject that is not within the scope of this article. When organizations are attempting to eliminate human error, they should take into account whether the errors are on the skill-, rule- or knowledge-based level, as each level requires its own techniques (Groeneweg 1996).

            Influencing Human Behaviour: An Overview

            A comment often made with regard to a particular accident is, “Maybe the person did not realize it at the time, but if he or she had not acted in a certain way, the accident would not have happened.” Much of accident prevention is aimed at influencing the crucial bit of human behaviour alluded to in this remark. In many safety management systems, the solutions and policies suggested are aimed at directly influencing human behaviour. However, it is very uncommon that organizations assess how effective such methods really are. Psychologists have devoted much thought to how human behaviour can best be influenced. In this respect, the following six ways of exercising control over human error will be set forth, and an evaluation will be performed of the relative effectiveness of these methods in controlling human behaviour on a long-term basis (Wagenaar 1992). (See table 1.)

            Table 1. Six ways to induce safe behaviour and assessment of their cost-effectiveness

            No.

            Way of influencing

            Cost

            Long-term effect

            Assessment

            1

            Don’t induce safe behaviour,
            but make the system “foolproof”.

            High

            Low

            Poor

            2

            Tell those involved what to do.

            Low

            Low

            Medium

            3

            Reward and punish.

            Medium

            Medium

            Medium

            4

            Increase motivation and awareness.

            Medium

            Low

            Poor

            5

            Select trained personnel.

            High

            Medium

            Medium

            6

            Change the environment.

            High

            High

            Good

             

            Do not attempt to induce safe behaviour, but make the system “foolproof”

            The first option is to do nothing to influence the behaviour of people but to design the workplace in such a way that whatever the employee does, it will not result in any kind of undesirable outcome. It must be acknowledged that, thanks to the influence of robotics and ergonomics, designers have considerably improved on the user-friendliness of workplace equipment. However, it is almost impossible to anticipate all the different kinds of behaviour that people may evince. Besides, workers often regard so-called foolproof designs as a challenge to “beat the system”. Finally, as designers are human themselves, even very carefully foolproof-designed equipment can have flaws (e.g., Petroski 1992). The additional benefit of this approach relative to existing hazard levels is marginal, and in any event initial design and installation costs may increase exponentially.

            Tell those involved what to do

            Another option is to instruct all workers about every single activity in order to bring their behaviour fully under the control of management. This will require an extensive and not very practical task inventory and instruction control system. As all behaviour is de-automated it will to a large extent eliminate slips and lapses until the instructions become part of the routine and the effect fades away.

            It does not help very much to tell people that what they do is dangerous - most people know that very well - because they will make their own choices concerning risk regardless of attempts to persuade them otherwise. Their motivation to do so will be to make their work easier, to save time, to challenge authority and perhaps to enhance their own career prospects or claim some financial reward. Instructing people is relatively cheap, and most organizations have instruction sessions before the start of a job. But beyond such an instruction system the effectiveness of this approach is assessed to be low.

            Reward and punish

            Although reward and punishment schedules are powerful and very popular means for controlling human behaviour, they are not without problems. Reward works best only if the recipient perceives the reward to be of value at the time of receipt. Punishing behaviour that is beyond an employee’s control (a slip) will not be effective. For example, it is more cost-effective to improve traffic safety by changing the conditions underlying traffic behaviour than by public campaigns or punishment and reward programmes. Even an increase in the chances of being “caught” will not necessarily change a person’s behaviour, as the opportunities for violating a rule are still there, as is the challenge of successful violation. If the situations in which people work invite this kind of violation, people will automatically choose the undesired behaviour no matter how they are punished or rewarded. The effectiveness of this approach is rated as of medium quality, as it usually is of short-term effectiveness.

            Increase motivation and awareness

            Sometimes it is believed that people cause accidents because they lack motivation or are unaware of danger. This assumption is false, as studies have shown (e.g., Wagenaar and Groeneweg 1987). Furthermore, even if workers are capable of judging danger accurately, they do not necessarily act accordingly (Kruysse 1993). Accidents happen even to people with the best motivation and the highest degree of safety awareness. There are effective methods for improving motivation and awareness which are discussed below under “Change the environment”. This option is a delicate one: in contrast with the difficulty to further motivate people it is almost too easy to de-motivate employees to the extent that even sabotage is considered.

            The effects of motivation enhancement programmes are positive only when coupled with behaviour modification techniques such as employee involvement.

            Select trained personnel

            The first reaction to an accident is often that those involved must have been incompetent. With hindsight, the accident scenarios appear straightforward and easily preventable to someone sufficiently intelligent and properly trained, but this appearance is a deceptive one: in actual fact the employees involved could not possibly have foreseen the accident. Therefore, better training and selection will not have the desirable effect. A base level of training is however a prerequisite for safe operations. The tendency in some industries to replace experienced personnel with inexperienced and inadequately trained people is to be discouraged, as increasingly complex situations call for rule- and knowledge-based thinking that requires a level of experience that such lower-cost personnel often do not possess.

            A negative side-effect of instructing people very well and selecting only the highest-classified people is that behaviour can become automatic and slips occur. Selection is expensive, while the effect is not more than medium.

            Change the environment

            Most behaviour occurs as a reaction to factors in the working environment: work schedules, plans, and management expectations and demands. A change in the environment results in different behaviour. Before the working environment can be effectively changed, several problems must be solved. First, the environmental factors that cause the unwanted behaviour must be identified. Second, these factors must be controlled. Third, management must allow discussion about their role in creating the adverse working environment.

            It is more practical to influence behaviour through creating the proper working environment. The problems that should be solved before this solution can be put into practice are (1) that it must be known which environmental factors cause the unwanted behaviour, (2) that these factors must be controlled and (3) that previous management decisions must be considered (Wagenaar 1992; Groeneweg 1996). All these conditions can indeed be met, as will be argued in the remainder of this article. The effectiveness of behaviour modification can be high, even though a change of environment may be quite costly.

            The Accident Causation Model

            In order to get more insight into the controllable parts of the accident causation process, an understanding of the possible feedback loops in a safety information system is necessary. In figure 1, the complete structure of a safety information system is presented that can form the basis of managerial control of human error. It is an adapted version of the system presented by Reason et al. (1989).

            Figure 1. A safety information system 

            SAF050F1

            Accident investigation

            When accidents are investigated, substantial reports are produced and decision-makers receive information about the human error component of the accident. Fortunately, this is becoming more and more obsolete in many companies. It is more effective to analyse the “operational disturbances” that precede the accidents and incidents. If an accident is described as an operational disturbance followed by its consequences, then sliding from the road is an operational disturbance and getting killed because the driver did not wear a safety belt is an accident. Barriers may have been placed between the operational disturbance and the accident, but they failed or were breached or circumvented.

            Unsafe act auditing

            A wrong act committed by an employee is called a “substandard act” and not an “unsafe act” in this article: the notion of “unsafe” seems to limit the applicability of the term to safety, whereas it can also be applied, for example, to environmental problems. Substandard acts are sometimes recorded, but detailed information as to which slips, mistakes and violations were performed and why they were performed is hardly ever fed back to higher management levels.

            Investigating the employee’s state of mind

            Before a substandard act is committed, the person involved was in a certain state of mind. If these psychological precursors, like being in a state of haste or feeling sad, could be adequately controlled, people would not find themselves in a state of mind in which they would commit a substandard act. Since these states of mind cannot be effectively controlled, such precursors are regarded as “black box” material (figure 1).

            General failure types

            The GFT (general failure type) box in figure 1 represents the generating mechanisms of an accident - the causes of substandard acts and situations. Because these substandard acts cannot be controlled directly, it is necessary to change the working environment. The working environment is determined by 11 such mechanisms (table 2). (In the Netherlands the abbreviation GFT already exists in a completely different context, and has to do with ecologically sound waste disposal, and to avoid confusion another term is used: basic risk factors (BRFs) (Roggeveen 1994).)

            Table 2. General failure types and their definitions

            General failures

            Definitions

            1. Design (DE)

            Failures due to poor design of a whole plant as well as individual
            items of equipment

            2. Hardware (HW)

            Failures due to poor state or unavailability of equipment and tools

            3. Procedures (PR)

            Failures due to poor quality of the operating procedures with
            respect to utility, availability and comprehensiveness

            4. Error enforcing
            conditions (EC)

            Failures due to poor quality of the working environment, with
            respect to circumstances that increase the probability of mistakes

            5. Housekeeping (HK)

            Failures due to poor housekeeping

            6. Training (TR)

            Failures due to inadequate training or insufficient experience

            7. Incompatible goals(IG)

            Failures due to the poor way safety and internal welfare are
            defended against a variety of other goals like time pressure
            and a limited budget

            8. Communication (CO)

            Failures due to poor quality or absence of lines of communication
            between the various divisions, departments or employees

            9. Organization (OR)

            Failures due to the way the project is managed
            and the company is operated

            10. Maintenance
            management (MM)

            Failures due to poor quality of the maintenance procedures
            regarding quality, utility, availability and comprehensiveness

            11. Defences (DF)

            Failures due to the poor quality of the protection against hazardous
            situations

             

            The GFT box is preceded by a “decision-maker’s” box, as these people determine to a large extent how well a GFT is managed. It is management’s task to control the working environment by managing the 11 GFTs, thereby indirectly controlling the occurrence of human error.

            All these GFTs can contribute to accidents in subtle ways by allowing undesirable combinations of situations and actions to come together, by increasing the chance that certain persons will commit substandard acts and by failing to provide the means to interrupt accident sequences already in progress.

            There are two GFTs that require some further explanation: maintenance management and defences.

            Maintenance management (MM)

            Since maintenance management is a combination of factors that can be found in other GFTs, it is not, strictly speaking, a separate GFT: this type of management is not fundamentally different from other management functions. It may be treated as a separate issue because maintenance plays an important role in so many accident scenarios and because most organizations have a separate maintenance function.

            Defences (DF)

            The category of defences is also not a true GFT, as it is not related to the accident causation process itself. This GFT is related to what happens after an operational disturbance. It does not generate either psychological states of mind or substandard acts by itself. It is a reaction that follows a failure due to the action of one or more GFTs. While it is indeed true that a safety management system should focus on the controllable parts of the accident causation chain before and not after the unwanted incident, nevertheless the notion of defences can be used to describe the perceived effectiveness of safety barriers after a disturbance has occurred and to show how they failed to prevent the actual accident.

            Managers need a structure that will enable them to relate identified problems to preventive actions. Measures taken at the levels of safety barriers or substandard acts are still necessary, although these measures can never be completely successful. To trust “last line” barriers is to trust factors that are to a large extent out of management control. Management should not attempt to manage such uncontrollable external devices, but instead must try to make their organizations inherently safer at every level.

            Measuring the Level of Control over Human Error

            Ascertaining the presence of the GFTs in an organization will enable accident investigators to identify the weak and strong points in the organization. Given such knowledge, one can analyse accidents and eliminate or mitigate their causes and identify the structural weaknesses within a company and fix them before they in fact contribute to an accident.

            Accident investigation

            The task of an accident analyst is to identify contributing factors and to categorize them. The number of times a contributing factor is identified and categorized in terms of a GFT indicates the extent to which this GFT is present. This is often done by means of a checklist or computer analysis program.

            It is possible and desirable to combine profiles from different but similar types of accidents. Conclusions based upon an accumulation of accident investigations in a relatively short time are far more reliable than those drawn from a study in which the accident profile is based upon a single event. An example of such a combined profile is presented in figure 2, which shows data relating to four occurrences of one type of accident.

            Figure 2. Profile of an accident type

            SAF050F2

            Some of the GFTs - design, procedures and incompatible goals - score consistently high in all four particular accidents. This means that in each accident, factors have been identified that were related to these GFTs. With respect to the profile of accident 1, design is a problem. Housekeeping, although a major problem area in accident 1, is only a minor problem if more than the first accident is analysed. It is suggested that about ten similar types of accidents be investigated and combined in a profile before far-reaching and possibly expensive corrective measures are taken. This way, the identification of the contributing factors and subsequent categorization of these factors can be done in a very reliable way (Van der Schrier, Groeneweg and van Amerongen 1994).

             

            Identifying the GFTs within an organization pro-actively

            It is possible to quantify the presence of GFTs pro-actively, regardless of the occurrence of accidents or incidents. This is done by looking for indicators of the presence of that GFT. The indicator used for this purpose is the answer to a straightforward yes or no question. If answered in the undesired way, it is an indication that something is not functioning properly. An example of an indicator question is: “In the past three months, did you go to a meeting that turned out to be cancelled?” If the employee answers the question in the affirmative, it does not necessarily signify danger, but it is indicative of a deficiency in one of the GFTs—communication. However, if enough questions that test for a given GFT are answered in a way that indicates an undesirable trend, it is a signal to management that it does not have sufficient control of that GFT.

            To construct a system safety profile (SSP), 20 questions for each of the 11 GFTs have to be answered. Each GFT is assigned a score ranging from 0 (low level of control) to 100 (high level of control). The score is calculated relative to the industry average in a certain geographical area. An example of this scoring procedure is presented in the box. 

            The indicators are pseudo-randomly drawn from a database with a few hundred questions. No two subsequent checklists have questions in common, and questions are drawn in such a way that each aspect of the GFT is covered. Failing hardware could, for instance, be the result of either absent equipment or defective equipment. Both aspects should be covered in the checklist. The answering distributions of all questions are known, and checklists are balanced for equal difficulty.

            It is possible to compare scores obtained with different checklists, as well as those obtained for different organizations or departments or the same units over a period of time. Extensive validation tests have been done to ensure that all questions in the database have validity and that they are all indicative of the GFT to be measured. Higher scores indicate a higher level of control - that is, more questions have been answered in the “desired” way. A score of 70 indicates that this organization is ranked among the best 30 (i.e., 100 minus 70) of comparable organizations in this kind of industry. Although a score of 100 does not necessarily mean that this organization has total control over a GFT, it does means that with regard to this GFT the organization is the best in the industry.

            An example of an SSP is shown in figure 3. The weak areas of Organization 1, as exemplified by the bars in the chart, are procedures, incompatible goals, and error enforcing conditions, as they score below the industry average as shown by the dark grey area. The scores on housekeeping, hardware and defences are very good in Organization 1. On the surface, this well-equipped and tidy organization with all safety devices in place appears to be a safe place to work. Organization 2 scores exactly at the industry average. There are no major deficiencies, and although the scores on hardware, housekeeping and defences are lower, this company manages (on the average) the human error component in accidents better than Organization 1. According to the accident causation model, Organization 2 is safer than Organization 1, although this would not necessarily be apparent in comparing the organizations in “traditional” audits.

            Figure 3. Example of a system safety profile

            SAF050F3

            If these organizations had to decide where to allocate their limited resources, the four areas with below average GFTs would have priority. However, one cannot conclude that, since the other GFT scores are so favourable, resources may be safely withdrawn from their upkeep, since these resources are what have most probably kept them at so high a level in the first place.

             

             

             

             

             

             

             

             

            Conclusions

            This article has touched upon the subject of human error and accident prevention. The overview of the literature regarding control of the human error component in accidents yielded a set of six ways by which one can try to influence behaviour. Only one, restructuring the environment or modifying behaviour in order to reduce the number of situations in which people are liable to commit an error, has a reasonably favourable effect in a well-developed industrial organization where many other attempts have already been made. It will take courage on the part of management to recognize that these adverse situations exist and to mobilize the resources that are needed to effect a change in the company. The other five options do not represent helpful alternatives, as they will have little or no effect and will be quite costly.

            “Controlling the controllable” is the key principle supporting the approach presented in this article. The GFTs must be discovered, attacked and eliminated. The 11 GFTs are mechanisms that have proven to be part of the accident causation process. Ten of them are aimed at preventing operational disturbances and one (defences) is aimed at the prevention of the operational disturbance’s turning into an accident. Eliminating the impact of the GFTs has a direct bearing upon the abatement of contributing causes of accidents. The questions in the checklists are aimed at measuring the “health state” of a given GFT, from both a general and a safety point of view. Safety is viewed as an integrated part of normal operations: doing the job the way it should be done. This view is in accordance with the recent “quality oriented” management approaches. The availability of policies, procedures and management tools is not the chief concern of safety management: the question is rather whether these methods are actually used, understood and adhered to.

            The approach described in this article concentrates upon systemic factors and the way in which management decisions can be translated into unsafe conditions at the workplace, in contrast to the conventional belief that attention should be directed towards the individual workers who perform unsafe acts, their attitudes, motivations and perceptions of risk.


            An indication of the level of control your organization has over the GFT “Communication”

            In this box a list of 20 questions is presented. The questions in this list have been answered by employees of more than 250 organizations in Western Europe. These organizations were operating in different fields, ranging from chemical companies to refineries and construction companies. Normally, these questions would be tailor-made for each branch. This list serves as an example only to show how the tool works for one of the GFTs. Only those questions have been selected that have proved to be so “general” that they are applicable in at least  80% of the industries.

            In “real life” employees would not only have to answer the questions (anonymously), they would also have to motivate their answers. It is not sufficient to answer “Yes” on, for example, the indicator “Did you have to work in the past 4 weeks with an outdated procedure?” The employee would have to indicate which procedure it was and under which conditions it had to be applied. This motivation serves two goals: it increases the reliability of the answers and it provides management with information it can act upon.

            Caution is also necessary when interpreting the percentile score: in a real measurement, each organization would be matched against a representative sample of branch-related organizations for each of the 11 GFTs. The distribution of percentiles is from May 1995, and this distribution does change slightly over time.

            How to measure the “level of control”

            Answer all 20 indicators with your own situation in mind and beware of the time limits in the questions. Some of the questions might not be applicable for your situation; answer them with “n.a.” It might be impossible for you to answer some questions; answer them with a question mark“?”.

            After you have answered all questions, compare your answers with the reference answers. You get a point for each “correctly” answered question.

            Add the number of points together. Calculate the percentage of correctly answered questions by dividing the number of points by the number of questions you have answered with either “Yes” or “No”. The “n.a.” and “?” answers are not taken into account. The result is a percentage between 0 and 100.

            The measurement can be made more reliable by having more people answering the questions and by averaging their scores over the levels or functions in the organization or comparable departments.

            Twenty questions about the GFT “Communication”

            Possible answers to the questions: Y = Yes; N = No; n.a.  = not applicable; ?  = don’t know.

              1. In the past 4 weeks has the telephone directory provided you with incorrect or insufficient information?
              2. In the past 2 weeks has your telephone conversation been interrupted due to a malfunctioning of the telephone system?
              3. Have you received mail in the past week that was not relevant to you?
              4. Has there been an internal or external audit in the past 9 months of your office paper trail?
              5. Was more than 20% of the information you received in the past 4 weeks labelled “urgent”?
              6. Did you have to work in the past 4 weeks with a procedure that was difficult to read (e.g., phrasing or language problems)?
              7. Have you gone to a meeting in the past 4 weeks that turned out not to be held at all?
              8. Has there been a day in the past 4 weeks that you had five or more meetings?
              9. Is there a “suggestion box” in your organization?
              10. Have you been asked to discuss a matter in the past 3 months that later turned out to be already decided upon?
              11. Have you sent any information in the past 4 weeks that was never received?
              12. Have you received information in the past 6 months about changes in policies or procedures more than a month after it had been put into effect?
              13. Have the minutes of the last three safety meetings been sent to your management?
              14. Has “office” management stayed at least 4 hours at the location when making the last site visit?
              15. Did you have to work in the past 4 weeks with procedures with conflicting information?
              16. Have you received within 3 days feedback on requests for information in the past 4 weeks?
              17. Do people in your organization speak different languages or dialects (different mother tongue)?
              18. Was more than 80% of the feedback you received (or gave) from management in the past 6 months of a “negative nature”?
              19. Are there parts of the location/workplace where it is difficult to understand each other due to extreme noise levels?
              20. In the past 4 weeks, have tools and/or equipment been delivered that not had been ordered?

                       

                      Reference answers:

                      1 = N; 2 = N; 3 = N; 4 = Y; 5 = N; 6 = N; 7 = N; 8 = N; 9 = N; 10 = N; 11 = N; 12 = N; 13 = Y; 14 = N; 15 = N; 16 = Y; 17 = N; 18 = N; 19 = Y; 20 = N.

                      Scoring GFT “Communication”

                      Percent score = (a/b) x 100

                      where a = no. of questions answered correctly

                      where b = no. of questions answered “Y” or “N”.

                      Your score %

                      Percentile

                      %

                      Equal or better

                      0-10

                      0-1

                      100

                      99

                      11-20

                      2-6

                      98

                      94

                      21-30

                      7-14

                      93

                      86

                      31-40

                      15-22

                      85

                      78

                      41-50

                      23-50

                      79

                      50

                      51-60

                      51-69

                      49

                      31

                      61-70

                      70-85

                      30

                      15

                      71-80

                      86-97

                      14

                      3

                      81-90

                      98-99

                      2

                      1

                      91-100

                      99-100

                       

                       

                      Back

                      Friday, 01 April 2011 00:48

                      Hardware Hazards

                      This article addresses “machine” hazards, those which are specific to the appurtenances and hardware used in the industrial processes associated with pressure vessels, processing equipment, powerful machines and other intrinsically risky operations. This article does not address worker hazards, which implicate the actions and behaviour of individuals, such as slipping on working surfaces, falling from elevations and hazards from using ordinary tools. This article focuses on machine hazards, which are characteristic of an industrial job environment. Since these hazards threaten anyone present and may even be a threat to neighbours and the external environment, the analysis methods and the means for prevention and control are similar to the methods used to deal with risks to the environment from industrial activities.

                      Machine Hazards

                      Good quality hardware is very reliable, and most failures are caused by secondary effects like fire, corrosion, misuse and so on. Nevertheless, hardware may be highlighted in certain accidents, because a failing hardware component is often the most conspicuous or visibly prominent link of the chain of events. Although the term hardware is used in a broad sense, illustrative examples of hardware failures and their immediate “surroundings” in accident causation have been taken from industrial workplaces. Typical candidates for investigation of “machine” hazards include but are not limited to the following:

                      • pressure vessels and pipes
                      • motors, engines, turbines and other rotating machines
                      • chemical and nuclear reactors
                      • scaffolding, bridges, etc.
                      • lasers and other energy radiators
                      • cutting and drilling machinery, etc.
                      • welding equipment.

                       

                      Effects of Energy

                      Hardware hazards can include wrong use, construction errors or frequent overload, and accordingly their analysis and mitigation or prevention can follow rather different directions. However, physical and chemical energy forms that elude human control often exist at the heart of hardware hazards. Therefore, one very general method to identify hardware hazards is to look for the energies that are normally controlled with the actual piece of equipment or machinery, such as a pressure vessel containing ammonia or chlorine. Other methods use the purpose or intended function of the actual hardware as a starting point and then look for the probable effects of malfunctions and failures. For example, a bridge failing to fulfil its primary function will expose subjects on the bridge to the risk of falling down; other effects of the collapse of a bridge will be the secondary ones of falling items, either structural parts of the bridge or objects situated on the bridge. Further down the chain of consequences, there may be derived effects related to functions in other parts of the system that were dependent on the bridge performing its function properly, such as the interruption of emergency response vehicular traffic to another incident.

                      Besides the concepts of “controlled energy” and “intended function”, dangerous substances must be addressed by asking questions such as, “How could agent X be released from vessels, tanks or pipe systems and how could agent Y be produced?” (either or both may be hazardous). Agent X might be a pressurized gas or a solvent, and agent Y might be an extremely toxic dioxin whose formation is favoured by the “right” temperatures in some chemical processes, or it could be produced by rapid oxidation, as the result of a fire. However, the possible hazards add up to much more than just the risks of dangerous substances. Conditions or influences might exist which allow the presence of a particular item of hardware to lead to harmful consequences to humans.

                      Industrial Work Environment

                      Machine hazards also involve load or stress factors that may be dangerous in the long run, such as the following:

                      • extreme working temperatures
                      • high intensities of light, noise or other stimuli
                      • inferior air quality
                      • extreme job demands or workloads.

                       

                      These hazards can be recognized and precautions taken because the dangerous conditions are already there. They do not depend on some structural change in the hardware to come about and work a harmful result, or on some special event to effect damage or injury. Long-term hazards also have specific sources in the working environment, but they must be identified and evaluated through observing workers and the jobs, instead of just analysing hardware construction and functions.

                      Dangerous hardware or machine hazards are usually exceptional and rather seldom found in a sound working environment, but cannot be avoided completely. Several types of uncontrolled energy, such as the following risk agents, can be the immediate consequence of hardware malfunction:

                      • harmful releases of dangerous gas, liquids, dusts or other substances
                      • fire and explosion
                      • high voltages
                      • falling objects, missiles, etc.
                      • electric and magnetic fields
                      • cutting, trapping, etc.
                      • displacement of oxygen
                      • nuclear radiation, x rays and laser light
                      • flooding or drowning
                      • jets of hot liquid or steam.

                       

                      Risk Agents

                      Moving objects. Falling and flying objects, liquid flows and jets of liquid or steam, such as listed, are often the first external consequences of hardware or equipment failure, and they account for a large proportion of accidents.

                      Chemical substances. Chemical hazards also contribute to worker accidents as well as affecting the environment and the public. The Seveso and Bhopal accidents involved chemical releases which affected numerous members of the public, and many industrial fires and explosions release chemicals and fumes to the atmosphere. Traffic accidents involving gasoline or chemical delivery trucks or other dangerous goods transports, unite two risk agents - moving objects and chemical substances.

                      Electromagnetic energy. Electric and magnetic fields, x rays and gamma rays are all manifestations of electromagnetism, but are often treated separately as they are encountered under rather different circumstances. However, the dangers of electromagnetism have some general traits: fields and radiation penetrate human bodies instead of just making contact on the application area, and they cannot be sensed directly, although very large intensities cause heating of the affected body parts. Magnetic fields are created by the flow of electric current, and intense magnetic fields are to be found in the vicinity of large electric motors, electric arc welding equipment, electrolysis apparatus, metal works and so forth. Electric fields accompany electric tension, and even the ordinary mains voltages of 200 to 300 volts cause the accumulation of dirt over several years, the visible sign of the field’s existence, an effect also known in connection with high-tension electrical lines, TV picture tubes, computer monitors and so on.

                      Electromagnetic fields are mostly found rather close to their sources, but electromagnetic radiation is a long-distance traveller, as radar and radio waves exemplify. Electromagnetic radiation is scattered, reflected and damped as it passes through space and meets intervening objects, surfaces, different substances and atmospheres, and the like; its intensity is therefore reduced in several ways.

                      The general character of the electromagnetic (EM) hazard sources are:

                      • Instruments are needed to detect the presence of EM fields or EM radiation.
                      • EM does not leave primary traces in the form of “contamination”.
                      • Dangerous effects are usually delayed or long-term, but immediate burns are caused in severe cases.
                      • X rays and gamma rays are damped, but not stopped, by lead and other heavy elements.
                      • Magnetic fields and x rays are stopped immediately when the source is de-energized or the equipment turned off.
                      • Electric fields can survive for long periods after turning the generating systems off.
                      • Gamma rays come from nuclear processes, and these radiation sources cannot be turned off as can many EM sources.

                       

                      Nuclear radiation. The hazards associated with nuclear radiation are of special concern to workers in nuclear power plants and in plants working with nuclear materials such as fuel manufacturing and the reprocessing, transport and storage of radioactive matter. Nuclear radiation sources are also used in medicine and by some industries for measurement and control. One most common usage is in fire alarms/smoke detectors, which use an alpha-particle emitter like americium to monitor the atmosphere.

                      Nuclear hazards are principally centred around five factors:

                      • gamma rays
                      • neutrons
                      • beta particles (electrons)
                      • alpha particles (helium nuclei)
                      • contamination.

                       

                      The hazards arise from the radioactive processes in nuclear fission and the decaying of radioactive materials. This sort of radiation is emitted from reactor processes, reactor fuel, reactor moderator material, from the gaseous fission products that may be developed, and from certain construction materials that become activated by exposure to radioactive emissions arising from reactor operation.

                      Other risk agents. Other classes of risk agents that release or emit energy include:

                      • UV radiance and laser light
                      • infrasound
                      • high-intensity sound
                      • vibration.

                       

                      Triggering the Hardware Hazards

                      Both sudden and gradual shifts from the controlled - or “safe” - condition to one with increased danger can come about through the following circumstances, which can be controlled through appropriate organizational means such as user experience, education, skills, surveillance and equipment testing:

                      • wear and overloads
                      • external impact (fire or impact)
                      • ageing and failure
                      • wrong supply (energy, raw materials)
                      • insufficient maintenance and repair
                      • control or process error
                      • misuse or misapplication
                      • hardware breakdown
                      • barrier malfunction.

                       

                      Since proper operations cannot reliably compensate for improper design and installation, it is important to consider the entire process, from selection and design through installation, use, maintenance and testing, in order to evaluate the actual state and conditions of the hardware item.

                      Hazard Case: The Pressurized Gas Tank

                      Gas can be contained in suitable vessels for storage or transport, like the gas and oxygen cylinders used by welders. Often, gas is handled at high pressure, affording a great increase in the storing capacity, but with higher accident risk. The key accidental phenomenon in pressurized gas storage is the sudden creation of a hole in the tank, with these results:

                      • the confinement function of the tank ceases
                      • the confined gas gets immediate access to the surrounding atmosphere.

                       

                      The development of such an accident depends on these factors:

                      • the type and amount of gas in the tank
                      • the situation of the hole in relation to the tank’s contents
                      • the initial size and subsequent growth rate of the hole
                      • the temperature and pressure of the gas and the equipment
                      • the conditions in the immediate environment (sources of ignition, people, etc.).

                       

                      The tank contents can be released almost immediately or over a period of time, and result in different scenarios, from the burst of free gas from a ruptured tank, to moderate and rather slow releases from small punctures.

                      The behaviour of various gases in the case of leakage

                      When developing release calculation models, it is most important to determine the following conditions affecting the system’s potential behaviour:

                      • the gas phase behind the hole (gaseous or liquid?)
                      • temperature and wind conditions
                      • the possible entry of other substances into the system or their possible presence in its surroundings
                      • barriers and other obstacles.

                       

                      The exact calculations pertaining to a release process where liquefied gas escapes from a hole as a jet and then evaporates (or alternatively, first becomes a mist of droplets) are difficult. The specification of the later dispersion of the resultant clouds is also a difficult problem. Consideration must be given to the movements and dispersion of gas releases, whether the gas forms visible or invisible clouds and whether the gas rises or stays at ground level.

                      While hydrogen is a light gas compared to any atmosphere, ammonia gas (NH3, with a molecular weight of 17.0) will rise in an ordinary air-like, oxygen-nitrogen atmosphere at the same temperature and pressure. Chlorine (Cl2, with a molecular weight of 70.9) and butane (C4H10, mol. wt.58) are examples of chemicals whose gas phases are denser than air, even at ambient temperature. Acetylene (C2H2, mol. wt. 26.0) has a density of about 0.90g/l, approaching that of air (1.0g/l), which means that in a working environment, leaking welding gas will not have a pronounced tendency to float upwards or to sink downwards; therefore it can mix easily with the atmosphere.

                      But ammonia released from a pressure vessel as a liquid will at first cool as a consequence of its evaporation, and may then escape via several steps:

                      • Pressurized, liquid ammonia emanates from the hole in tank as jet or cloud.
                      • Seas of liquid ammonia can be formed on the nearest surfaces.
                      • The ammonia evaporates, thereby cooling itself and the near environment.
                      • Ammonia gas gradually exchanges heat with surroundings and equilibrates with ambient temperatures.

                       

                      Even a cloud of light gas may not rise immediately from a liquid gas release; it may first form a fog - a cloud of droplets - and stay near the ground. The gas cloud’s movement and gradual mixing/dilution with the surrounding atmosphere depends on weather parameters and on the surrounding environment—enclosed area, open area, houses, traffic, presence of the public, workers and so on.

                      Tank Failure

                      Consequences of tank breakdown may involve fire and explosion, asphyxiation, poisoning and choking, as experience shows with gas production and gas handling systems (propane, methane, nitrogen, hydrogen, etc.), with ammonia or chlorine tanks, and with gas welding (using acetylene and oxygen). What actually initiates the formation of a hole in a tank has a strong influence on the hole “behaviour” - which in its turn influences the outflow of gas - and is crucial for the effectiveness of prevention efforts. A pressure vessel is designed and built to withstand certain conditions of use and environmental impact, and for handling a certain gas, or perhaps a choice of gases. The actual capabilities of a tank depend on its shape, materials, welding, protection, use and climate; therefore, evaluation of its adequacy as a container for dangerous gas must consider designer’s specifications, the tank’s history, inspections and tests. Critical areas include the welding seams used on most pressure vessels; the points where appurtenances such as inlets, outlets, supports and instruments are connected to the vessel; the flat ends of cylindrical tanks like railway tanks; and other aspects of even less optimal geometric shapes.

                      Welding seams are investigated visually, by x rays or by destructive test of samples, as these may reveal local defects, say, in the form of reduced strength that might endanger the overall strength of the vessel, or even be a triggering point for acute tank failure.

                      Tank strength is affected by the history of tank use - first of all by the normal wearing processes and the scratches and corrosion attacks typical of the particular industry and of the application. Other historical parameters of particular interest include:

                      • casual overpressure
                      • extreme heating or cooling (internal or external)
                      • mechanical impacts
                      • vibrations and stress
                      • substances that have been stored in or have passed through the tank
                      • substances used during cleansing, maintenance and repair.

                       

                      The construction material - steel plate, aluminium plate, concrete for non-pressurized applications, and so on - can undergo deterioration from these influences in ways that are not always possible to check without overloading or destroying the equipment during testing.

                      Accident Case: Flixborough

                      The explosion of a large cloud of cyclohexane in Flixborough (UK) in 1974, which killed 28 persons and caused extensive plant damage, serves as a very instructive case. The triggering event was the breakdown of a temporary pipe serving as a substitute in a reactor unit. The accident was “caused” by a piece of hardware breaking down, but on closer investigation it was revealed that the breakdown followed from overload, and that the temporary construction was in fact inadequate for its intended use. After two months’ service, the pipe was exposed to bending forces due to a slight pressure rise of the 10-bar (106 Pa) cyclohexane content at about 150°C. The two bellows between the pipe and the nearby reactors broke and 30 to 50 tonnes of cyclohexane was released and soon ignited, probably by a furnace some distance from the leak. (See figure 1.) A very readable account of the case is found in Kletz (1988).

                      Figure 1. Temporary connection between tanks at Flixborough

                      SAF030F1

                      Hazard Analysis

                      The methods that have been developed to find the risks that may be relevant to a piece of equipment, to a chemical process or to a certain operation are referred to as “hazard analysis”. These methods ask questions such as: “What may possibly go wrong?” “Could it be serious?” and “What can be done about it?” Different methods of conducting the analyses are often combined to achieve a reasonable coverage, but no such set can do more than guide or assist a clever team of analysts in their determinations. The main difficulties with hazard analysis are as follows:

                      • availability of relevant data
                      • limitations of models and calculations
                      • new and unfamiliar materials, constructions and processes
                      • system complexity
                      • limitations on human imagination
                      • limitations on practical tests.

                       

                      To produce usable risk evaluations under these circumstances it is important to stringently define the scope and the level of “ambitiousness” appropriate to the analysis at hand; for example, it is clear that one does not need the same sort of information for insurance purposes as for design purposes, or for the planning of protection schemes and the construction of emergency arrangements. Generally speaking, the risk picture must be filled in by mixing empirical techniques (i.e., statistics) with deductive reasoning and a creative imagination.

                      Different risk evaluation tools - even computer programs for risk analysis—can be very helpful. The hazard and operability study (HAZOP) and the failure mode and effect analysis (FMEA ) are commonly used methods for investigating hazards, especially in the chemical industry. The point of departure for the HAZOP method is the tracing of possible risk scenarios based on a set of guide words; for each scenario one has to identify probable causes and consequences. In the second stage, one tries to find means for reducing the probabilities or mitigating the consequences of those scenarios judged to be unacceptable. A review of the HAZOP method can be found in Charsley (1995). The FMEA method asks a series of “what if” questions for every possible risk component in order to thoroughly determine whatever failure modes may exist and then to identify the effects that they may have on system performance; such an analysis will be illustrated in the demonstration example (for a gas system) presented later in this article.

                      Fault trees and event trees and the modes of logical analysis proper to accident causation structures and probability reasoning are in no way specific to the analysis of hardware hazards, as they are general tools for system risk evaluations.

                      Tracing hardware hazards in an industrial plant

                      To identify possible hazards, information on construction and function can be sought from:

                      • actual equipment and plant
                      • substitutes and models
                      • drawings, electrical diagrams, piping and instrumentation (P/I) diagrams, etc.
                      • process descriptions
                      • control schemes
                      • operation modes and phases
                      • work orders, change orders, maintenance reports, etc.

                       

                      By selecting and digesting such information, analysts form a picture of the risk object itself, its functions and its actual use. Where things are not yet constructed - or unavailable for inspection - important observations cannot be made and the evaluation must be based entirely on descriptions, intentions and plans. Such evaluation might seem rather poor, but in fact, most practical risk evaluations are made this way, either in order to seek authoritative approval for applications to undertake new construction, or to compare the relative safety of alternative design solutions. Real life processes will be consulted for the information not shown on the formal diagrams or described verbally by interview, and to verify that the information gathered from these sources is factual and represents actual conditions. These include the following:

                      • actual practice and culture
                      • additional failure mechanisms/construction details
                      • “sneak paths” (see below)
                      • common error causes
                      • risks from external sources/missiles
                      • particular exposures or consequences
                      • past incidents, accidents and near accidents.

                       

                      Most of this additional information, especially sneak paths, is detectable only by creative, skilled observers with considerable experience, and some of the information would be almost impossible to trace with maps and diagrams. Sneak paths denote unintended and unforeseen interactions between systems, where the operation of one system affects the condition or operation of another system through other ways than the functional ones. This typically happens where functionally different parts are situated near each other, or (for example) a leaking substance drips on equipment beneath and causes a failure. Another mode of a sneak path’s action may involve the introduction of wrong substances or parts into a system by means of instruments or tools during operation or maintenance: the intended structures and their intended functions are changed through the sneak paths. By common-mode failures one means that certain conditions - like flooding, lightning or power failure - can disturb several systems at once, perhaps leading to unexpectedly large blackouts or accidents. Generally, one tries to avoid sneak-path effects and common-mode failures through proper layouts and introducing distance, insulation and diversity in working operations.

                      A Hazards Analysis Case: Gas Delivery from a Ship to a Tank

                      Figure 2 shows a system for delivery of gas from a transport ship to a storage tank. A leak could appear anywhere in this system: ship, transmission line, tank or output line; given the two tank reservoirs, a leak somewhere on the line could remain active for hours.

                      Figure 2. Transmission line for delivery of liquid gas from ship to storage tank

                      SAF030F2

                      The most critical components of the system are the following:

                      • the storage tank
                      • the pipeline or hose between the tank and the ship
                      • other hoses, lines, valves and connections
                      • the safety valve on the storage tank
                      • the emergency shut-down valves ESD 1 and 2.

                       

                      A storage tank with a large inventory of liquid gas is put at the top of this list, because it is difficult to stop a leak from a tank on short notice. The second item on the list - the connection to the ship - is critical because leaks in the pipe or hose and loose connections or couplings with worn gaskets, and variations among different ships, could release product. Flexible parts like hoses and bellows are more critical than rigid parts, and require regular maintenance and inspection. Safety devices like the pressure release valve on the top of the tank and the two emergency shut-down valves are critical, since they must be relied upon to reveal latent or developing failures.

                      Up to this point, the ranking of system components as to their importance with respect to reliability has been of a general nature only. Now, for analytical purposes, attention will be drawn to the particular functions of the system, the chief one of course being the movement of liquefied gas from the ship to the storage tank until the connected ship tank is empty. The overriding hazard is a gas leak, the possible contributory mechanisms being one of more of the following:

                      • leaking couplings or valves
                      • tank rupture
                      • rupture of pipe or hose
                      • tank breakdown.

                       

                      Application of the FMEA method

                      The central idea of the FMEA approach, or “what if” analysis, is to record explicitly, for each component of the system, its failure modes, and for every failure to find the possible consequences to the system and to the environment. For standard components like a tank, pipe, valve, pump, flowmeter and so on, the failure modes follow general patterns. In the case of a valve, for instance, failure modes could include the following conditions:

                      • The valve cannot close on demand (there is reduced flow through an “open” valve).
                      • The valve leaks (there is residual flow through a “closed” valve).
                      • The valve cannot open on demand (the valve position oscillates).

                       

                      For a pipeline, failure modes would consider items such as:

                      • a reduced flow
                      • a leak
                      • a flow stopped due to blockage
                      • a break in the line.

                       

                      The effects of leaks seem obvious, but sometimes the most important effects may not be the first effects: what happens for example, if a valve is stuck in a half-open position? An on-off valve in the delivery line that does not open completely on demand will delay the tank filling process, a non-dangerous consequence. But if the “stuck half-open” condition arises at the same time that a closing demand is made, at a time when the tank is almost full, overfilling might result (unless the emergency shut-down valve is successfully activated). In a properly designed and operated system, the probability of both these valves being stuck simultaneously will be kept rather low.

                      Plainly a safety valve’s not operating on demand could mean disaster; in fact, one might justifiably state that latent failures are constantly threatening all safety devices. Pressure relief valves, for instance, can be defective due to corrosion, dirt or paint (typically due to bad maintenance), and in the case of liquid gas, such defects in combination with the temperature decrease at a gas leak could produce ice and thereby reduce or perhaps stop the flow of material through a safety valve. If a pressure relief valve does not operate on demand, pressure may build up in a tank or in connected systems of tanks, eventually causing other leaks or tank rupture.

                      For simplicity, instruments are not shown on figure 2; there will of course be instruments related to pressure, flow and temperature, which are essential parameters for monitoring the system state, relevant signals being transmitted to operator consoles or to a control room for control and monitoring purposes. Furthermore, there will be supply lines other than those intended for materials transport - for electricity, hydraulics and so forth - and extra safety devices. A comprehensive analysis must go through these systems as well and look for the failure modes and effects of these components also. In particular, the detective work on common-mode effects and sneak paths requires one to construct the integral picture of main system components, controls, instruments, supplies, operators, working schedules, maintenance and so on.

                      Examples of common-mode effects to consider in connection with gas systems are addressed by such questions as these:

                      • Are activation signals for delivery valves and emergency shut-down valves transmitted on a common line (cable, cabling channels)?
                      • Do two given valves share the same power line?
                      • Is maintenance performed by the same person according to a given schedule?

                       

                      Even an excellently designed system with redundancy and independent power lines can suffer from inferior maintenance, where, for example, a valve and its back-up valve (the emergency shut-down valve in our case) have been left in a wrong state after a test. A prominent common-mode effect with an ammonia-handling system is the leak situation itself: a moderate leak can make all manual operations on plant components rather awkward - and delayed - due to the deployment of the required emergency protection.

                      Summary

                      The hardware components are very seldom the guilty parts in accident development; rather, there are root causes to be found in other links of the chain: wrong concepts, bad designs, maintenance errors, operator errors, management errors and so on. Several examples of the specific conditions and acts that may lead to failure development have already been given; a broad collection of such agents would take account of the following:

                      • collision
                      • corrosion, etching
                      • excessive loads
                      • failing support and aged or worn-out parts
                      • low-quality welding jobs
                      • missiles
                      • missing parts
                      • overheating or chilling
                      • vibration
                      • wrong construction material used.

                       

                      Controlling the hardware hazards in a working environment requires the review of all possible causes and respect for the conditions that are found to be critical with the actual systems. The implications of this for the organization of risk management programmes are dealt with in other articles, but, as the foregoing list clearly indicates, the monitoring and control of hardware conditions can be necessary all the way back to the choice of concepts and designs for the selected systems and processes.

                       

                      Back

                      Through industrialization, workers became organized in factories as the utilization of energy sources such as the steam engine became possible. As compared to traditional handicraft, mechanized production, with sources of higher energy at its disposal, presented new risks of accidents. As the amount of energy increased, workers were removed from the direct control of these energies. Decisions that affected safety were often made at the management level rather than by those directly exposed to these risks. At this stage of industrialization, the need for safety management became evident.

                      In the late 1920s, Heinrich formulated the first comprehensive theoretical framework for safety management, which was that safety should be sought through management decisions based on identification and analysis of accident causes. At this point in the development of safety management, accidents were attributed to failures at the worker-machine system level - that is, to unsafe acts and unsafe conditions.

                      Subsequently, various methodologies were developed for the identification and assessment of accident risks. With MORT (Management Oversight and Risk Tree), the focus shifted to the higher orders of control of accident risks - that is, to the control of conditions at the management level. The initiative to develop MORT was taken in the late 1960s by the US Energy Research and Development Administration, which wanted to improve their safety programmes in order to reduce their losses due to accidents.

                      The MORT Diagram and Underlying Principles

                      The intent of MORT was to formulate an ideal safety management system based on a synthesis of the best safety programme elements and safety management techniques then available. As the principles underlying the MORT initiative were applied to the contemporary state of the art in safety management, the largely unstructured safety literature and expertise took on the form of an analytical tree. The first version of the tree was published in 1971. Figure 1 shows the basic elements of the version of the tree that was published by Johnson in 1980. The tree also appears in a modified form in later publications on the subject of the MORT concept (see, for example, Knox and Eicher 1992).

                      Figure 1. A version of the MORT analytical tree

                      SAF040F1

                      The MORT Diagram

                      MORT is used as a practical tool in accident investigations and in evaluations of existing safety programmes. The top event of the tree in figure 1 (Johnson 1980) represents the losses (experienced or potential) due to an accident. Below this top event are three main branches: specific oversights and omissions (S), management oversights and omissions (M) and assumed risks (R). The R-branch consists of assumed risks, which are events and conditions that are known to management and that have been evaluated and accepted at the proper management level. Other events and conditions that are revealed through the evaluations following the S- and M-branches are denoted “less than adequate” (LTA).

                      The S-branch focuses on the events and conditions of the actual or potential occurrence. (In general, time is shown as one reads from left to right, and the sequence of causes is shown as one reads from bottom to top.) Haddon’s strategies (1980) for the prevention of accidents are key elements in this branch. An event is denoted an accident when a target (a person or object) is exposed to an uncontrolled transfer of energy and sustains damage. In the S-branch of MORT, accidents are prevented through barriers. There are three basic types of barriers: (1) barriers that surround and confine the energy source (the hazard), (2) barriers that protect the target and (3) barriers that separate the hazard and the target physically or in time or space. These different types of barriers are found in the development of the branches below the accidental event. Amelioration relates to the actions taken after the accident to limit the losses.

                      At the next level of the S-branch, factors are recognized which relate to the different phases of the life cycle of an industrial system. These are the project phase (design and plan), start up (operational readiness) and operation (supervision and maintenance).

                      The M-branch supports a process in which specific findings from an accident investigation or safety programme evaluation are made more general. Events and conditions of the S-branch thus often have their counterparts in the M-branch. When engaged with the system at the M-branch, the analyst’s thinking is expanded to the total management system. Thus, any recommendations will affect many other possible accident scenarios as well. The most important safety management functions can be found in the M-branch: the setting of policy, implementation and follow-up. These are the same basic elements that we find in the quality assurance principles of the ISO 9000 series published by the International Organization for Standardization (ISO).

                      When the branches of the MORT diagram are elaborated in detail, there are elements from such different fields as risk analysis, human factors analysis, safety information systems and organizational analysis. In total, about 1,500 basic events are covered by the MORT diagram.

                      Application of the MORT Diagram

                      As indicated, the MORT diagram has two immediate uses (Knox and Eicher 1992): (1) to analyse management and organizational factors relative to an accident that has happened and (2) to evaluate or audit a safety programme in relation to a significant accident that has the potential of occurring. The MORT diagram functions as a screening tool in planning the analyses and evaluations. It is also used as a checklist for comparison of actual conditions with the idealized system. In this application, MORT facilitates checking the completeness of the analysis and avoiding personal biases.

                      At bottom, MORT is made up of a collection of questions. Criteria that guide judgements as to whether specific events and conditions are satisfactory or less than adequate are derived from these questions. In spite of the directive design of the questions, the judgements made by the analyst are partly subjective. It has thus become important to ensure an adequate quality and degree of intersubjectivity among MORT analyses made by different analysts. For example, in the United States, a training programme is available for certification of MORT analysts.

                      Experiences with MORT

                      The literature on evaluations of MORT is sparse. Johnson reports significant improvements in the comprehensiveness of accident investigations after the introduction of MORT (Johnson 1980). Deficiencies at the supervisory and management levels were revealed more systematically. Experience has also been gained from evaluations of MORT applications within Finnish industry (Ruuhilehto 1993). Some limitations have been identified in the Finnish studies. MORT does not support the identification of immediate risks due to failures and disturbances. Furthermore, no capability for setting priorities is built into the MORT concept. Consequently, the results of MORT analyses need further evaluation to translate them into remedial actions. Finally, experience shows that MORT is time-consuming and requires expert participation.

                      Aside from its ability to focus on organizational and management factors, MORT has the further advantage of connecting safety with normal production activities and general management. The application of MORT will thus support general planning and control, and help reduce the frequency of production disturbances as well.

                      Associated Safety Management Methods and Techniques

                      With the introduction of the MORT concept in the early 1970s, a development programme started in the United States. The focal point for this programme has been the System Safety Development Center in Idaho Falls. Different MORT-associated methods and techniques in such areas as human factors analysis, safety information systems and safety analysis have resulted from this programme. An early example of a method arising from the MORT development programme is the Operational Readiness Program (Nertney 1975). This programme is introduced during the development of new industrial systems and modifications of existing ones. The aim is to ensure that, from the safety management point of view, the new or modified system is ready at the time of start-up. A condition of operational readiness presupposes that the necessary barriers and controls have been installed in the new system’s hardware, personnel and procedures. Another example of a MORT programme element is the MORT-based root cause analysis (Cornelison 1989). It is used to identify the basic safety management problems of an organization. This is done by relating the specific findings of the MORT analyses to 27 different generic safety management problems.

                      Although MORT is not intended for use directly in the collection of information during accident investigations and safety audits, in Scandinavia, the MORT questions have served as a basis for the development of a diagnostic tool used for this purpose. It is called the Safety Management and Organization Review Technique, or SMORT (Kjellén and Tinmannsvik 1989). A SMORT analysis advances backwards in steps, starting from the specific situation and ending at the general management level. The starting point (level 1) is an accident sequence or a risk situation. At level 2, the organization, system planning and technical factors related to daily operation are scrutinized. The subsequent levels include design of new systems (level 3) and higher management functions (level 4). Findings on one level are extended to the levels above. For example, results related to the accident sequence and to daily operations are used in the analysis of the company’s organization and routines for project work (level 3). Results at level 3 will not affect safety in existing operations but may be applied to the planning of new systems and modifications. SMORT also differs from MORT in the way findings are identified. At level 1, these are observable events and conditions that deviate from generally accepted norms. When organizational and management factors are brought into the analysis at levels 2 to 4, the findings are identified through value judgements made by an analysis group and verified through a quality control procedure. The aim is to ensure a mutually shared understanding of the organizational problems.

                      Summary

                      MORT has been instrumental in developments within safety management since the 1970s. It is possible to track the influence of MORT to such areas as safety research literature, literature on safety management and audit tools, and legislation on self-regulation and internal control. In spite of this impact, its limitations must be carefully considered. MORT and associated methods are normative in the sense that they prescribe how safety management programmes should be organized and executed. The ideal is a well-structured organization with clear and realistic goals and well-defined lines of responsibility and authority. MORT is thus best suited for large and bureaucratic organizations.

                       

                      Back

                      Inspection Systems

                      Auditing has been defined as “the structured process of collecting independent information on the efficiency, effectiveness and reliability of the total safety management system and drawing up plans for corrective action” (Successful Health & Safety Management 1991).

                      The workplace inspection therefore is not only the final stage in setting up a safety management programme but is also a continuing process in its maintenance. It can be conducted only where a properly devised management system for safety has been established. Such a system first envisages a formal policy statement from management setting out its principles for creating a healthy and safe working environment and then establishing the mechanisms and the structures within the organization whereby these principles will be effectively implemented. Management must furthermore be committed to providing adequate resources, both human and financial, to support the system’s mechanisms and structures. Thereafter, there must be detailed planning for safety and health, and the defining of measurable goals. Systems must be devised to ensure that safety and health performance in practice can be measured against established norms and against previous achievements. Only when this structure is in place and is operating can an effective management audit system be applied.

                      Complete safety and health management systems can be devised, produced and implemented from within the resources of larger enterprises. Additionally, there are a number of safety management control systems which are available from consultants, insurance companies, government agencies, associations and specialist companies. It is a matter for the enterprise to decide whether it should produce its own system or obtain outside services. Both alternatives are capable of producing excellent results if there is a genuine commitment by management to apply them diligently and to make them work. But for their success, they do depend heavily on the quality of the audit system.

                      Management Inspections

                      The inspection procedure must be as painstaking and objective as the company’s financial inspection. The inspection must first determine whether the company’s statement of policy on safety and health is properly reflected in the structures and mechanisms created to implement it; if not, then the inspection may recommend that the fundamental policy be reappraised or suggest adjustments or alterations to the existing structures and mechanisms. A similar process must be applied to safety and health planning, to the validity of the goal-setting norms, and to the measurement of performance. The results of any inspection must be considered by the top management of the enterprise, and any correctives must be endorsed and implemented through that authority.

                      In practice it is undesirable, and often impractical, to undertake a complete inspection of all of a system’s features and their application throughout every department of the enterprise at one time. More usually, the inspection procedure concentrates on one feature of the total safety management system throughout the plant, or alternatively on the application of all the features in one department or even subdepartment. But the objective is to cover all the features in all departments over an agreed period in order to validate the results.

                      To this extent management inspection should be regarded as a continuous process of vigilance. The need for objectivity is clearly of considerable importance. If inspections are conducted in-house then there must be a standardized inspection procedure; inspections should be undertaken by staff who have been properly trained for this purpose; and those selected as inspectors must not assess the departments in which they normally work, nor should they assess any other work in which they have a personal involvement. Where reliance is placed on consultants this problem is minimized.

                      Many major companies have adopted this type of system, either devised internally or obtained as a proprietary scheme. When the systems have been carefully followed through from policy statement to inspection, feedback and corrective actions, a substantial reduction in accident rates, which is the prime justification for the procedure, and increased profitability, which is a welcome secondary outcome, should result.

                      Inspections by Inspectorates

                      The legal framework which is designed to afford protection to people at work must be properly administered and effectively applied if the purpose of the regulatory legislation is to be achieved. Most countries have therefore adopted the broad model of an inspection service which has the duty of ensuring that safety and health legislation is enforced. Many countries see safety and health issues as part of a complete labour relations package covering industrial relations, wages and holiday agreements, and social benefits. In this model, safety and health inspections are one element of the labour inspector’s duties. A different model also exists in which the state inspectorate is exclusively concerned with safety and health legislation, so that workplace inspections concentrate solely on this aspect. Further variations are evident in the division of the inspection functions between either a national inspectorate or a regional/provincial inspectorate, or indeed, as in Italy and the United Kingdom, for example, as a working combination of both national and regional inspectorates. But whichever model is adopted, the essential function of the inspectorate is to determine compliance with the legislation by a programme of planned inspections and investigations at the workplace.

                      There can be no effective inspection system unless those who undertake this work are given adequate powers to carry it out. There is much common ground among inspectorates as regards the powers given to them by their legislators. There must always be the right of entry to premises, which is clearly fundamental for inspection. Thereafter there is the legal right to examine relevant documents, registers and reports, to interview members of the workforce either individually or collectively, to have unrestricted access to trade union representatives at the workplace, to take samples of substances or materials at use in the workplace, to take photographs and, if appropriate, to take written statements from people working at the premises.

                      Additional powers are often provided to enable inspectors to rectify conditions which might be an immediate source of danger or ill health to the workforce. Again there is a wide variety of practices. Where standards are so poor that there is an imminent risk of danger to the workforce, then an inspector may be authorized to serve a legal document on the spot prohibiting the use of the machinery or plant, or stopping the process until the risk has been effectively controlled. For a lower order of risk, inspectors can issue a legal notice formally requiring that measures be taken within a given time to improve standards. These are effective ways of rapidly improving working conditions, and are often a form of enforcement preferable to formal court proceedings, which may be cumbersome and slow in securing remediation.

                      Legal proceedings have an important place in the hierarchy of enforcement. There is an argument that because court proceedings are simply punitive and do not necessarily result in changing attitudes to safety and health at work, they should therefore be invoked only as a last resort when all other attempts at securing improvements have failed. But this view has to be set against the fact that where legal requirements have been ignored or disregarded, and where people’s safety and health have been significantly put at risk, then the law must be enforced and the courts must decide the issue. There is the further argument that those enterprises which disregard safety and health legislation may thereby enjoy an economic advantage over their competitors, who provide adequate resources to comply with their legal duties. Prosecution of those who persistently disregard their duties is therefore a deterrent to the unscrupulous, and an encouragement to those who try to observe the law.

                      Every inspection service has to determine the proper balance between providing advice and enforcing the law in the course of inspection work. A special difficulty emerges in connection with the inspection of small enterprises. Local economies, and indeed national economies, are often underpinned by industrial premises each employing fewer than 20 people; in the case of agriculture, the employment figure per unit is very much less. The function of the inspectorate in these cases is to use the workplace inspection to provide information and advice not only on legal requirements, but on practical standards and effective ways of meeting those standards. The technique must be to encourage and stimulate, rather than to immediately enforce the law by punitive action. But even here the balance is a difficult one. People at work are entitled to safety and health standards irrespective of the size of the enterprise, and it would therefore be wholly misguided for an inspection service to ignore or minimize risks and to curtail or even forgo enforcement simply to nurture the existence of the economically fragile small enterprise.

                      Consistency of Inspections

                      In the view of the complex nature of their work - with its combined needs for legal, prudential, technical and scientific skills, inspectors do not - indeed should not - adopt a mechanistic approach to inspection. This constraint, combined with a difficult balance between the advisory and enforcement functions, creates yet another concern, that of the consistency of inspection services. Industrialists and trade unions have a right to expect a consistent application of standards, whether technical or legal, by inspectors across the country. In practice this is not always easy to achieve, but it is something for which the enforcing authorities must always strive.

                      There are ways of achieving an acceptable consistency. First, the inspectorate should be as open as possible in publishing its technical standards and in publicly setting out its enforcement policies. Second, through training, the application of peer review exercises, and internal instructions, it should be able both to recognize a problem and to provide systems to deal with it. Finally, it should ensure that there are procedures for industry, the workforce, the public and the social partners to secure redress if they have a legitimate grievance over inconsistency or other forms of maladministration associated with inspection.

                      Frequency of Inspections

                      How frequently should the inspectorates undertake inspections of the workplace? Again there is considerable variation in the way this question may be answered. The International Labour Organization (ILO) holds the view that the minimum requirement should be that every workplace should receive an inspection from the enforcing authorities at least once each year. In practice, few countries manage to produce a programme of work inspection which meets this objective. Indeed, since the major economic depression in the late 1980s some governments have been curtailing inspection services by budget limitations that result in cutbacks in the number of inspectors, or by restrictions on recruiting new staff to replace those who retire.

                      There are different approaches to determine how frequently inspections should be made. One approach has been purely cyclical. Resources are deployed to provide inspection of all premises on a 2-yearly, or more likely a 4-yearly, basis. But this approach, though possibly having the appearance of equity, treats all premises as the same regardless of size or risk. Yet enterprises are manifestly diverse as regards safety and health conditions, and to the extent that they differ, this system may be regarded as mechanistic and flawed.

                      A different approach, adopted by some inspectorates, has been to attempt to draw up a programme of work based on hazard; the greater the hazard either to safety or health, the more frequent the inspection. Hence resources are applied by the inspectorate to those places where the potential for harm to the workforce is the greatest. Although this approach has merits, there are still considerable problems associated with it. First, there are difficulties in accurately and objectively assessing hazard and risk. Second, it extends very considerably the intervals between inspections of those premises where hazards and risks are considered to be low. Therefore, extended periods may elapse during which many of the workforce may have to forgo that sense of security and assurance which inspection can provide. Furthermore, the system tends to presume that hazards and risks, once assessed, do not radically change. This is far from being the case, and there is the danger that a low-rated enterprise may change or develop its production in such a way as to increase hazards and risk without the inspectorate’s being aware of the development.

                      Other approaches include inspections based on facility injury rates which are higher than the national averages for the particular industry, or immediately following a fatal injury or major catastrophe. There are no short and easy answers to the problem of determining the frequency of inspection, but what seems to be happening is that inspection services in many countries are too often significantly under-resourced, with the result that the real protection to the workforce afforded by the service is being progressively eroded.

                      Inspection Goals

                      Inspection techniques in the workplace vary according to the size and complexity of the enterprise. In smaller companies, the inspection will be comprehensive and will assess all hazards and the extent to which the risks arising from the hazards have been minimized. The inspection will therefore ensure that the employer is fully aware of safety and health problems and is given practical guidance on how they may be addressed. But even in the smallest enterprise the inspectorate should not give the impression that fault-finding and the application of suitable remedies are the function of the inspectorate and not of the employer. Employers must be encouraged by inspection to control and effectively manage safety and health problems, and they must not abdicate their responsibilities by awaiting an inspection from the enforcement authorities before taking needed action.

                      In larger companies, the emphasis of inspection is rather different. These companies have the technical and financial resources to deal with safety and health problems. They should devise both effective management systems to resolve the problems, as well as management procedures to check that the systems are working. In these circumstances, the inspection emphasis should therefore be on checking and validating the management control systems found at the workplace. The inspection should therefore not be an exhaustive examination of all items of plant and equipment to determine their safety, but rather to use selected examples to test the effectiveness or otherwise of the management systems for ensuring safety and health at work.

                      Worker Involvement in Inspections

                      Whatever the premises, a critical element in any type of inspection is contact with the workforce. In many smaller premises, there may be no formal trade union structure or indeed any workforce organization at all. However, to ensure the objectivity and acceptance of the inspection service, contact with individual workers should be an integral part of the inspection. In larger enterprises, contact should always be made with trade union or other recognized worker representatives. Legislation in some countries (Sweden and the United Kingdom, for example) gives official recognition and powers to trade union safety representatives, including the right to make workplace inspections, to investigate accidents and dangerous occurrences and in some countries (though this is exceptional) to stop plant machinery or the production process if it is imminently dangerous. Much useful information can be gained from these contacts with the workers, which should feature in every inspection, and certainly whenever the inspectorate is conducting an inspection as the result of an accident or a complaint.

                      Inspection Findings

                      The final element in an inspection is to review the inspection findings with the most senior member of management on the site. Management has the prime responsibility to comply with legal requirements on safety and health, and therefore no inspection should be complete without management’s being fully aware of the extent to which it has met those duties, and what needs to be done to secure and maintain proper standards. Certainly if any legal notices are issued as a result of an inspection, or if legal proceedings are likely, then senior management must be aware of this state of affairs at the earliest possible stage.

                      Company Inspections

                      Company inspections are an important ingredient in maintaining sound standards of safety and health at work. They are appropriate to all enterprises and, in larger companies, may be an element in the management inspection procedure. For smaller companies, it is essential to adopt some form of regular company inspection. Reliance should not be placed on the inspection services provided by the inspectorates of the enforcing authorities. These are usually far too infrequent, and should serve largely as a stimulus to improve or maintain standards, rather than be the primary source for evaluating standards. Company inspections can be undertaken by consultants or by companies who specialize in this work, but the current discussion will concentrate on inspection by the enterprise’s own personnel.

                      How frequently should company inspections be made? To some degree the answer is dependent on the hazards associated with the work and the complexity of the plant. But even in low-risk premises there should be some form of inspection on a regular (monthly, quarterly, etc.) basis. If the company employs a safety professional, then clearly the organization and the conduct of the inspection must be an important part of this function. The inspection should usually be a team effort involving the safety professional, the departmental manager or foreman, and either a trade union representative or a qualified worker, such as a safety committee member. The inspection should be comprehensive; that is to say, a close examination should be made both of the safety software (for example, systems, procedures and work permits) and the hardware (for example, machinery guarding, fire-fighting equipment, exhaust ventilation and personal protective equipment). Particular attention should be paid to “near misses” - those incidents which do not result in damages or personal injury but which have the imminent potential for serious accidental injuries. There is an expectation that after an accident resulting in absence from work, the inspection team would immediately convene to investigate the circumstances, as a matter outside the normal cycle of inspection. But even during routine workshop inspection the team should also consider the extent of minor accidental injuries which have occurred in the department since the previous inspection.

                      It is important that company inspections should not seem to be consistently negative. Where faults exist it is important that they be identified and rectified, but it is equally important to commend the maintenance of good standards, to comment positively on tidiness and good housekeeping, and to reinforce by encouragement those who use personal protective equipment provided for their safety. To complete the inspection a formal written report should be made of the significant deficiencies found. Particular attention should be drawn to any shortcomings which have been identified in previous inspections but have not yet been corrected. Where there exists a works safety council, or a joint management-worker safety committee, the inspection report should be featured as a standing item on the council’s agenda. The report on the inspection must be sent to and discussed with the senior management of the enterprise, who should then determine whether action is required and, if so, authorize and support such action.

                      Even the smallest companies, where there is no safety professional, and where trade unions may not exist, should consider company inspections. Many inspectorates have produced very simple guidelines illustrating the basic concepts of safety and health, their application to a range of industries, and practical ways in which they can be applied in even the smallest enterprises. Many safety associations specifically target small businesses with publications (often free) which provide the basic information to establish safe and healthy working conditions. Armed with this sort of information and with the expenditure of very little time, the proprietor of a small business can establish reasonable standards, and can thus perhaps obviate the sort of accidents which can happen to the workforce in even the smallest business.

                       

                      Back

                      It is a paradox that the prevention of work-related accidents did not emerge very early as an absolute necessity, since health and safety is fundamental to work itself. In fact it was not until the beginning of the twentieth century that accidents at work ceased to be considered inevitable and their causation became a subject to be investigated and used as a basis for prevention. However, accident investigation long remained cursory and empirical. Historically, accidents were first conceived of as simple phenomena—that is, as resulting from a single (or principal) cause and a small number of subsidiary causes. It is now recognized that accident investigation, which is aimed at identifying the causes of the phenomenon so as to avert its reoccurrence, depends both on the concept underlying the process of investigation and on the complexity of the situation to which it is applied.

                      Causes of Accidents

                      It is indeed true that in the most precarious situations, accidents are often the result of a fairly simple sequence of a few causes that can be rapidly traced to basic technical problems that even a summary analysis can reveal (equipment badly designed, working methods undefined, etc.). On the other hand, the more closely that the material elements of work (machines, installations, the arrangement of the workplace, etc.) conform with the requirements of safe work procedures, standards and regulations, the safer the work situation becomes. The result is that an accident can then occur only when a group of exceptional conditions are present simultaneously—conditions that are becoming ever more numerous. In such cases, the injury or damage appears as the final result of a frequently complex network of causes. This complexity is actually evidence of progress in prevention, and requires appropriate methods of investigation. Table 1 lists the principal concepts of the accident phenomenon, their characteristics and implications for prevention.

                      Table 1. Principal concepts of the accident phenomenon, their characteristics and the implications for prevention

                      Concept or “accident phenomenon”

                      Significant elements (objectives, procedures, limits, etc.)

                      Main consequences for prevention

                      Basic concept (accident as
                      phenomenon with few causes or even one cause)

                      The objective is to identify “the” single or main cause
                      No particular method
                      Little time devoted to the investigation
                      Role of chance and fate often referred to

                      Simple prevention measures concerning the immediate antecedent of the injury (individual protection, instructions about taking care, protection of dangerous machines)

                      Concept focused on regulatory measures

                      Focus on looking for who is responsible; the “enquiry” essentially identifies infringements and faults   Rarely concerned about the conditions generating the situations examined

                      Prevention usually limited to reminders about existing regulatory requirements or formal instructions

                      Linear (or quasi-linear) concept (“domino” model)

                      Identification of a chronological succession of “dangerous conditions” and “dangerous acts”
                      Frequent use of checklists
                      The investigation depends very much on the investigator’s experience
                      Weak preventive component (dangerous nature of acts determined a posteriori)

                      Conclusions generally concerned with the dangerous acts

                      Multifactorial concept

                      Exhaustive research to gather the facts (circumstances, causes, factors, etc.)
                      Focus placed on the contingent character of each accident situation
                      No criteria of relevance in the facts gathered
                      Need for complex statistical treatment

                      Concept not conducive to the search for solutions case by case (clinical analysis) and better adapted to the identification of statistical aspects (trends, tables, graphs, etc.)

                      Systematic concept
                      (tree of causes, STEP)

                      Identification of the network of factors of each accident
                      Use of logical relationships
                      Need for training of investigators

                      Methods centred on clinical analysis
                      (carried out in  participatory manner)
                      Possibility of use for all undesired events
                      (incidents, breakdowns)

                       

                      Nowadays, a work accident is generally viewed as an index (or symptom) of dysfunction in a system consisting of a single production unit, such as a factory, workshop, team or work position. It is the nature of a system that its analysis requires the investigator to examine not only the elements that make up the system but also their relationships with one another and with the work environment. Within the framework of a system, the accident investigation seeks to trace to its origins the sequence of basic dysfunctions that have resulted in the accident and, more generally, the network of antecedents of the undesired event (accident, near accident or incident).

                      The application of methods of this kind, such as the STEP method (sequentially timed events plotting procedures) and the “tree of causes” method (similar to fault or event trees analyses), allows the accident process to be visualized in the form of an adjusted graph that illustrates the multicausality of the phenomenon. Because these two methods are so similar, it would represent a duplication of effort to describe them both; accordingly, this article concentrates on the tree of causes method and, where applicable, notes its main differences from the STEP method.

                      Information Useful for the Investigation

                      The initial phase of the investigation, the gathering of information, must allow the course of the accident to be described in concrete, precise and objective terms. The investigation therefore sets out to ascertain the tangible facts, taking care not to interpret them or to express an opinion about them. These are the antecedents of the accident, of which there are two types:

                      1. those of an unusual nature (changes or variations) in relation to the “normal” or expected course of the work
                      2. those of a permanent nature that have played an active part in the occurrence of the accident through the medium of or in combination with the unusual antecedents.

                       

                      For example, insufficient protection of a machine (a permanent antecedent) can turn out to be a factor in an accident if it allows the operator to take up a position in a dangerous area in order to deal with a particular incident (unusual antecedent).

                      The information gathering is carried out at the location of the accident itself as soon as possible after its occurrence. It is preferably carried out by persons who know the operation or process and who try to obtain a precise description of the work without limiting themselves to the immediate circumstances of the damage or injury. The investigation is initially effected mainly by means of interviews, if possible with the worker or operator, victims and eyewitnesses, other members of the work team, and the hierarchical supervisors. If appropriate it is completed by means of a technical investigation and the use of outside expertise.

                      The investigation seeks to identify, in order of priority, the unusual antecedents, and to determine their logical connections. An effort is made at the same time to reveal the permanent antecedents that have allowed the accident to occur. In this way the investigation is able to go back to a stage more remote than the immediate antecedents of the accident. These more remote antecedents may concern individuals, their tasks, the equipment that they use, the environment in which they function and the safety culture. By proceeding in the way just described, it is generally possible to draw up a lengthy list of antecedents, but it will usually be difficult to make immediate use of the data. The interpretation of the data is made possible thanks to a graphic representation of all the antecedents involved in the genesis of the accident—that is, a tree of causes.

                      Constructing a Tree of Causes

                      The tree of causes presents all the antecedents that have been gathered which have given rise to the accident, as well as the logical and chronological links that connect them; it is a representation of the network of antecedents that have directly or indirectly caused the injury. The tree of causes is constructed starting from the end-point of the event - that is, the injury or damage—and working backwards toward the cause by systematically asking the following questions for each antecedent that has been gathered:

                      • By which antecedent X was antecedent Y directly caused?
                      • Was antecedent X sufficient in itself to give rise to antecedent Y?
                      • If not, have there been other antecedents (X1, X2  Xn) that were equally necessary in order to give rise directly to antecedent Y?

                       

                      This set of questions can reveal three types of logical connection, summarized in figure 1, among the antecedents.

                      Figure 1. Logical links used in the "tree of causes" method

                      SAF230T2

                      The logical coherence of the tree is checked by asking the following questions for each antecedent:

                      • If X had not taken place, would Y nevertheless have occurred?
                      • In order for Y to occur, was X, and only X, necessary?

                       

                      Moreover, the construction of the tree of causes in itself induces the investigators to pursue the information-gathering, and therefore the investigation, to a point well before the accident occurred. When completed, the tree represents the network of antecedents that have given rise to the injury—they are in fact the accident factors. As an example, the accident summarized below produced the tree of causes shown in figure 2.

                      Figure 2. Tree of causes of an accident suffered by an apprentice mechanic when remounting an engine in a car

                      SAF230F1

                      Accident Summary Report: An apprentice mechanic, recently recruited, had to work alone in an emergency. A worn sling was being used to suspend an engine that had to be remounted, and during this operation the sling broke and the engine fell and injured the mechanic’s arm.

                      Analysis by the STEP Method

                      According to the STEP method (figure 3), each event is set out graphically so as to show the chronological order of its appearance, keeping one line per “agent” concerned (an agent is the person or thing that determines the course of events constituting the accident process). Each event is described precisely by indicating its beginning, duration, starting and ending place and so on. When there are several plausible hypotheses, the investigator can show them in the network of events by using the logical relationship “or”.

                      Figure 3. Example of representation possible by the STEP method

                      SAF230F2

                      Analysis by the Tree of Causes Method

                      Making use of the tree of causes for the purposes of accident analysis has two objectives:

                      • making the reoccurrence of the same accident impossible
                      • averting the occurrence of more or less similar accidents - that is, accidents whose investigation would reveal common factors with the accidents that have already occurred.

                       

                      Given the logical structure of the tree, the absence of a single antecedent would have prevented the occurrence of the accident. One judicious prevention measure would therefore suffice, in principle, to satisfy the first objective by preventing the reoccurrence of the same accident. The second objective would require that all the factors discovered should be eliminated, but in practice the antecedents are not all of equal importance for the purposes of prevention. It is therefore necessary to draw up a list of antecedents requiring reasonable and realistic preventive action. If this list is long, a choice has to be made. This choice has more chance of being appropriate if it is made within the framework of a debate between the partners concerned in the accident. Moreover, the debate will gain in clarity to the extent that it is possible to assess the cost-effectiveness of each measure proposed.

                      Effectiveness of Preventive Measures

                      The effectiveness of a preventive measure can be judged with the help of the following criteria:

                      The stability of the measure. The effects of a preventive measure must not disappear with time: informing the operators (in particular, reminding them of instructions) is not a very stable measure because its effects are often transient. The same is moreover true of some protective devices when they are easily removable.

                      The possibility of integrating safety. When a safety measure is added on - that is, when it does not contribute directly to production - it is said that safety is not integrated. Whenever this is so, it is observed that the measure tends to disappear. Generally speaking, any preventive measure entailing an additional cost for the operator should be avoided, whether it is a physiological cost (increasing the physical or nervous load), a psychological cost, a financial cost (in the case of salary or output) or even a simple loss of time.

                      The non-displacement of the risk. Some preventive measures may have indirect effects that are detrimental to safety. It is therefore always necessary to foresee the possible repercussions of a preventive measure on the system (job, team or workshop) in which it is inserted.

                      The possibility of general application (the notion of potential accident factor). This criterion reflects the concern that the same preventive action may be applicable to other jobs than the one affected by the accident under investigation. Whenever possible, an effort should be made to go beyond the particular case that has given rise to the investigation, an effort that often requires a reformulation of the problems discovered. The information obtained from an accident may thus lead to preventive action relating to factors that are unknown but present in other work situations where they have not yet given rise to accidents. For this reason they are called “potential accident factors”. This notion opens the way to the early detection of risks, mentioned later.

                      The effect on root “causes”. As a general rule, the prevention of accident factors near to the point of injury eliminates certain effects of dangerous situations, while prevention acting well upstream of the injury tends to eliminate the dangerous situations themselves. An in-depth investigation of accidents is justified to the extent that the preventive action is equally concerned with the upstream factors.

                      The time taken for application. The need to act as rapidly as possible after the occurrence of an accident so as to avoid its reoccurrence is often reflected in the application of a simple preventive measure (an instruction, for example), but this does not eliminate the need for other more lasting and more effective action. Every accident must therefore give rise to a series of proposals whose implementation is the subject of follow-up.

                      The above criteria are intended to give a better appreciation of the quality of preventive action proposed after each accident investigation. However, the final choice is not made solely on this basis, as other considerations, such as economic, cultural or social ones, must also be taken into account. Finally, the measures decided upon must obviously respect the regulations in force.

                      Accident Factors

                      The lessons drawn from each accident analysis deserve to be recorded systematically so as to facilitate passing from knowledge to action. Thus figure 4 consists of three columns. In the left-hand column are noted the accident factors requiring preventive measures. Possible preventive action is described in the middle column for each factor decided upon. After the discussion mentioned above, the action selected is recorded in this part of the document.

                      Figure 4. Lessons drawn from accidents and the use of these lessons

                      SAF230T3

                      The right-hand column covers the potential accident factors suggested by the factors listed in the left-hand column: it is considered that each accident factor discovered is often only a particular case of a more general factor known as a potential accident factor. The passage from the particular case to the more general case is often made spontaneously. However, each time that an accident factor is expressed in such a fashion that it is not possible to encounter it elsewhere than in the situation in which it has appeared, a more general formulation must be considered. In doing this, it is necessary to avoid two opposite pitfalls so as to utilize the notion of potential accident factor effectively in the early detection of risks arising later. A formulation that is too circumscribed does not permit systematic detection of the factors, whereas one that is too wide makes the notion unworkable and is of no further practical interest. The detection of potential accident factors thus presupposes their being well formulated. This detection can then be carried out in two ways, which are moreover complementary:

                      1. either by looking for the possible presence of potential factors already known at the level of a job or a wider area (workshop, service)
                      2. or by looking for jobs where a factor already determined may be observed.

                       

                      Usefulness, Effectiveness and Limitations of Accident Investigation

                      Usefulness. As compared to non-systematic investigations, methods of accident investigation based on a systematic concept have numerous advantages, which include the following:

                      • They allow the causal network of each accident to be defined collectively, from which it is easier to devise new preventive measures and foresee their impact without being limited to the direct causes of the injury.
                      • They provide those involved in the analysis with a richer and more realistic mental representation of the “accident phenomenon” that permits a global understanding of work situations.
                      • In-depth accident investigations (especially when they are extended to cover incidents and undesired events) can become a means and appropriate occasion for dialogue between management and operators.

                       

                      Effectiveness. In order to be effective, accident investigation requires that four conditions are satisfied concurrently:

                        1. an evident commitment on the part of the top management of the establishment, who must be able to ensure the systematic implementation of such procedures
                        2. training of the investigators
                        3. management, supervisors and workers fully informed concerning the aims of the investigation, its principles, the requirements of the method and the results expected
                        4. real improvements in safety conditions that will encourage those involved in future investigations.

                               

                              Limitations. Even when carried out very well, accident investigation suffers from a double limitation:

                              • It remains a procedure for investigating risks a posteriori (in the manner of systems analysis), with the aim of correcting existing situations. It does not therefore dispense with the need for a priori (prospective) investigations, such as the ergonomic investigation of jobs or, for complex systems, safety investigations.
                              • The usefulness of accident investigations also varies with the safety level of the establishment where they are applied. In particular, when the safety level is high (the accident rate is low or very low), it is evident that serious accidents result from the conjunction of numerous independent random factors that are relatively harmless from the safety viewpoint when considered outside the context under investigation.

                               

                              Back

                              The Need for Reporting and Compiling Accident Data

                              The primary purpose of assembling and analysing occupational accident data is to provide knowledge for use in the prevention of occupational injuries, fatalities and other forms of harm such as toxic exposures with long-term effects. These data are also useful in assessing needs for compensating victims for injuries previously incurred. Additional, more specific purposes for the compilation of accident statistics include the following:

                              • to estimate the causes and magnitude of accident problems
                              • to identify and prioritize the need for preventive measures
                              • to evaluate the effectiveness of preventive measures
                              • to monitor risks, issue warnings and conduct awareness campaigns
                              • to provide feedback for those involved in prevention.

                               

                              Often, an overview of the number of accidents occurring on an annual basis is desired. A frequency is often used for this purpose, comparing the number of accidents to a measure relating to the risk group and expressed, for example, in terms of accidents per 100,000 workers or per 100,000 working hours. Such annual counts serve the purpose of revealing variations in an accident rate from one year to another. However, while they may indicate the sorts of accidents that require the most urgent preventive action, by themselves they do not furnish guidance as to the form that this action should take.

                              The need for accident information pertains to the following three levels of function that make use of it:

                              • At the workplace level within the individual enterprise, accident data are used in local safety activities. The best opportunities for tackling specific risk factors are to be found immediately at the workplace itself.
                              • At the level of authority responsible for legislation, accident data are used to regulate the working environment and to promote safety at the workplace. It is possible not only to exert control over the workplace at this level but also to carry out general statistical analyses for use in overall preventive work.
                              • At the level of authority responsible for payments of compensation to accident victims, accident data are used to help determine rates.

                               

                              The Role of the Organization in Compiling Accident Information

                              In many countries it is a legal requirement that enterprises keep statistics of occupational accidents which result in injury, fatality or toxic exposure to a worker. The purpose of this is usually to call attention to risks that have actually led to these types of accidents, with safety activities focusing chiefly on the particular accident and the study of the event itself. However, it is more common for accident information to be collected and recorded systematically, a function that is ordinarily carried out at a higher level.

                              Since the actual circumstances of most accidents are special, wholly identical accidents seldom occur, and prevention based on the analysis of the individual accident very readily tends to become a highly specific matter. By systematically compiling accident information it is possible to obtain a broader view of those areas where specific risks are to be found, and to uncover the less obvious factors instrumental in the causation of the accident. Specific work processes, specific work teams or work with specific machinery can give rise to highly circumstantial accidents. However, a close study of the types of accidents associated with a given class of uniform work can disclose such factors as inexpedient work processes, incorrect use of materials, difficult working conditions, or lack of adequate worker instruction. An analysis of numerous recurring accidents will reveal the fundamental factors to be dealt with when preventive action is taken.

                              Reporting Accident Information to Safety Authorities

                              Legislation requiring the reporting of occupational accidents varies widely from country to country, with the differences chiefly relating to the classes of employers and others to whom the laws apply. Countries that place significant emphasis on safety at the workplace usually mandate that accident data be reported to the authority responsible for supervising compliance with safety legislation. (In some cases, legislation requires reporting of occupational accidents that result in absence from work, the duration of such absence varying from 1 to 3 days in addition to the day of the accident.) Common to most legislation is the fact that reporting is linked with some sort of penalty or compensation for the consequences of accidents.

                              For the purpose of supplying a sound foundation for the prevention of occupational accidents, it is necessary to secure accident information pertaining to all sectors and to all types of trades. A basis of comparison should be provided at the national level in order to allow prevention action to be prioritized and in order that knowledge of risks associated with tasks across different sectors may be turned to good account in preventive work. It is therefore recommended that the duty of compiling occupational accident information at the national level apply to all occupational accidents of a designated seriousness, no matter whether they concern employees of firms or the self-employed, persons working at temporary jobs or regular salary earners, or workers in the public or private sectors.

                              While employers, generally speaking, have a duty to report accidents, it is a duty carried out with varying degrees of enthusiasm. The extent of compliance with the obligation to report accidents depends on the incentives driving the employer to do so. Some countries have a rule, for instance, according to which employers will be compensated for an accident victim’s lost-time pay, an arrangement that gives them good reason to report occupational injuries. Other countries penalize employers who are found to be not reporting accidents. Where these sorts of incentives do not exist, the merely legal obligation binding upon the employer is not always observed. It is moreover recommended that occupational accident information intended for preventive applications be given to the authority responsible for preventive activities, and be kept separate from the compensating authority.

                              What Information is to be Compiled?

                              There are three basic classes of information obtainable by means of accident recording:

                              • Information identifying where the accidents occur - that is, sectors, trades, work processes and so on. This knowledge can be used to determine where preventive action is needed.
                              • Information showing how the accidents occur, the situations in which they occur and the ways in which the injuries come about. This knowledge can be used to determine the type of preventive action needed.
                              • Information relating to the nature and seriousness of the injuries, describing, for example, the parts of the body affected and the health consequences of the injuries. Such knowledge is to be used for prioritizing preventive action in order to ensure that action is taken where the risk is highest.

                              It is necessary to compile a certain basic complement of data to properly document when and where an accident occurs and to analyse how it occurs. At the enterprise level, the data that are collected are more detailed than those assembled at the national level, but reports generated at the local level will contain items of information valuable at all levels. Table 1 illustrates particular sorts of information that might be recorded by way of describing an individual accident. The items especially relevant to the task of preparing statistics relating to the accident are described more fully below.

                              Table 1. Informational variables characterizing an accident

                              Actions

                              Items

                              Step 1

                              Activity of the victim: e.g., operating a machine, performing maintenance, driving, walking, etc.

                              Component related to the activity of the victim: e.g., power press, tool, vehicle, floor, etc.

                              Step 2

                              Deviant action: e.g., explosion, structural failure, trip, lost control of, etc.

                              Component related to deviant action: e.g., pressure vessel, wall, cable, vehicle, machine, tool, etc.

                              Step 3

                              Action leading to injury: e.g., struck by, crushed, trapped, in contact with, bitten by, etc.

                              Agent of injury: e.g., brick, ground, machine, etc.

                               

                              Accident identification number. All occupational accidents must be assigned a unique identifying number. It is especially advantageous to use a numerical identifier for the purpose of computerized filing and subsequent processing.

                              Personal identification number and date. Registration of the victim is an essential part of accident identification. The number can be the worker’s birthday, employment number, social security number or some other unique identifier. Recording both a personal identification number and the date of the accident will prevent duplicated registration of the same accident event, and also enables a check to be made as to whether the accident has been reported. The link between information contained in the accident report with the personal identification number can be protected for the purpose of security.

                              Nationality. The nationality of the victim may be an especially important item of information in countries with a significantly large foreign labour force. A double-digit code number can be selected from among those listed in the DS/ISO Standard 3166.

                              Occupation. An occupation registration number can be chosen from the list of four-digit international occupation codes supplied by the International Standard Classification of Occupations (ISCO).

                              Enterprise. The name, address and identification number of the enterprise are used in the recording of accidents at the national level (although the name and address cannot be used for computer recording). The production sector of the enterprise will usually have been registered with its industrial injury insurance carrier or recorded in connection with the registration of its workforce. A numerical sector identifier can be assigned according to the five-digit NACE international classification system.

                              The work process. A vital component of information relating to occupational accidents is a description of the work process carried out at the time the accident occurred. Identification of the work process is a prerequisite for accurately targeted prevention. It should be noted that the work process is the actual work function which the victim was performing at the time of the accident and may not necessarily be identical to the work process that caused the injury, fatality or exposure.

                              The accident event. An accident event normally comprises a chain of events. There is often a tendency on the part of investigators to focus on the part of the event cycle in which the injury actually occurred. From the point of view of prevention, however, a description of that part of the event cycle in which something went wrong, and of what the victim was doing when the event occurred, is just as important.

                              The consequences of the accident. After the injured part of the body is specified and the type of injury described (this is done partly by coding from a checklist and partly from the description in the event cycle), information is recorded describing the seriousness of the injury, whether it resulted in absence from work (and for how long), or whether it was fatal or involved invalidity. Detailed information in terms of longer-duration absence from work, hospitalization, or disablement is normally available from compensation offices and the social security system.

                              For recording purposes, the examination of accident events is therefore divided into the following three information components:

                              • The activity associated with an accident is that which was being carried out by the victim at the time of the accident. It is recorded by means of an action code and a technology code. In this connection, the concept of technology is a broad one, covering such instrumentalities as machines, materials, building components and even animals. At present, there exists no international classification for technology, although Denmark has developed a classification scheme for this purpose.
                              • The injury event is the deviant event which led to the accident. This is recorded by means of a code for the deviation and by one or two codes for the technology which formed part of the deviation.
                              • The mode of injury is recorded by using a code for the manner in which the victim came into contact with the injury-causing factor and another code for the technology which caused the injury.

                               

                              The following examples illustrate the application of these categories of analysis:

                                1. In the event that a worker trips over a hose-pipe while walking and falls, striking his or her head against a table, the activity is walking, the injury event is tripping over the hose-pipe, and the mode of injury is striking the head against the table.
                                2. While a worker is standing near a wall, a tank explodes, causing the wall to collapse on the victim. The activity is merely standing near the wall, the injury event is the explosion of the tank, and the mode of injury is the impact of the wall upon the victim.

                                   

                                  Reporting Accident Information

                                  The information to be obtained for each accident can be recorded in a report form similar to that shown in figure 1.

                                  Figure 1. Sample report form

                                  SAF240F1

                                  The information from the report form can be recorded on a computer by using classification keys. (Where international classification systems can be recommended, these are mentioned in the description of the individual information variables, given above.) Classifications for the other variables used to record occupational injuries have been developed by the Danish Working Environment Service, and principles to be used in establishing a harmonized recording system form part of a proposal drafted by the European Union.

                                  The Use of Accident Statistics

                                  Accident statistics form a valuable instrument in a wide range of contexts: mapping, monitoring and warning, prioritization of areas for prevention, specific prevention measures, and information retrieval and research. One area may overlap with another, but the principles of application vary.

                                  Mapping

                                  Mapping of occupational accident data involves the extraction of predetermined sorts of information from an accumulation of registered data and the analysis of the interrelationships among them. The following examples will illustrate the utility of the mapping applications.

                                  • Mapping of industrial sectors. Data relating to industrial sectors may be mapped by extracting an appropriate selection of the reports contained in a data register and carrying out the desired analysis. If a trade such as the building industry is of particular interest, reports registered with the International Standard Industrial Classification (ISIC) and coded from 50,000 to 50,199 (building and construction) can be selected. Reports for this trade can then be mapped to show, for example, the geographical location of the enterprises, and the age, sex and occupation of each accident victim.
                                  • Mapping of injuries. If selection is based on a specific category of injuries, the reports can be extracted and mapped to show, for example, the trades in which these accidents occur, the occupational categories involved, the age groups affected, the activities in which the accidents occurred and the kind of technology most often involved.
                                  • Mapping of enterprises. An evaluation on the enterprise level of accident trends (and thus of the internal work environment of the enterprise) can be carried out by mapping the notified occupational accidents that have occurred over a given time period. In addition, the enterprise will be able to compare its individual position with regard to technology, composition of personnel and other areas of concern with the trade as a whole, and thus determine whether its status in these respects is typical of the trade. Furthermore, if a trade proves to contain a number of typical work environment problems, it will be advisable to investigate whether these problems exist within the individual enterprise.

                                   

                                  Monitoring and warning

                                  Monitoring is an ongoing surveillance process accompanied by warning of major risks, and particularly of changes in such risks. Changes observed in incoming accident reports either may be indicative of changes in the pattern of reporting, or, more seriously, may reflect genuine changes in risk factors. Major risks may be said to exist where there is a high frequency of injuries, where many serious injuries occur and where there is a large human exposure group.

                                  Establishment of priorities

                                  Establishment of priorities is the selection of the most important risk areas or work-environment problems for preventive action. Through the results of mapping surveys and monitoring and warning activities, a register of occupational accidents can be built which can contribute to this establishment of priorities, the elements of which might include the following:

                                  • risks involving serious consequences
                                  • risks which carry a high probability of injury to a large proportion of the exposure group
                                  • risks to which large groups of people are exposed.

                                   

                                  Data drawn from a register of occupational accidents can be used in the establishment of priorities on several levels, perhaps at the overall national level or at the more particular enterprise level. Whatever the level, the analyses and assessments can be made on the basis of the same principles.

                                  Prevention

                                  Analyses and documentation which are used for preventive purposes are generally highly specific and concentrated in limited areas which are, however, treated in great depth. An example of such an analysis is the campaign against fatal accidents conducted by the Danish National Labour Inspection Service. Preliminary mapping surveys identified the trades and work functions in which fatal accidents occurred. Farm tractors were selected as a focal area for analysis. The purpose of the analysis was then to determine what it was that made tractors so dangerous. Questions were investigated as to who drove them, where they were operated, when the accidents occurred and, in particular, what types of situations and events led to the accidents. The analysis produced a description of seven typical situations which most frequently led to accidents. Based on this analysis a preventive programme was formulated.

                                  The number of occupational accidents in a single enterprise is often too small to yield workable statistics for preventive analysis. An analysis of the pattern of accidents may be able to be used to prevent repetition of specific injuries, but can hardly be successful in preventing the occurrence of accidents which in one way or another differ from earlier instances. Unless the focus of investigation is quite a large enterprise, such analyses are therefore best performed on a group of enterprises of very similar nature or on a group of production processes of the same type. For example, an analysis of the lumber industry shows that accidents occurring with cutting machines principally involve finger injuries. Transport accidents predominantly consist of foot and leg injuries, and brain damage and eczema are the most common hazards in the surface-treatment trade. A more detailed analysis of the relevant work processes within the industry can reveal which situations typically cause accidents. Based on this information, experts in the relevant industry can then pinpoint when such situations are likely to arise, and the possibilities for prevention.

                                  Information retrieval and research

                                  One of the most common uses of such information systems as filing and library systems is the retrieval of information of a specific and well-defined nature for the purpose of safety research. For instance, in a study whose aim was to formulate regulations concerning work on roofs, the doubt was raised whether any particular risk was attached to such work. The prevailing belief was that people were very seldom injured by falling from roofs while working. However, in this instance, a register of occupational accidents was used to retrieve all reports in which people had been injured by falling from roofs, and a considerable number of cases were indeed discovered, confirming the importance of continuing to formulate regulations in this area.

                                   

                                  Back

                                  " DISCLAIMER: The ILO does not take responsibility for content presented on this web portal that is presented in any language other than English, which is the language used for the initial production and peer-review of original content. Certain statistics have not been updated since the production of the 4th edition of the Encyclopaedia (1998)."

                                  Contents