Two Approaches to Safety

Tim Worstall makes the following remark in response to a column by Polly Toynbee:

There was significant regulation here. What there wasn’t was responsibility. And a little more of the second can be very much more important than the first. Whether we call it the Clerk of Works, or professional responsibility, whatever, that one individual–and yes, making it one person does concentrate minds wonderfully–owns a project, the benefits and failures of it in that liability sense, tends to make things safer. On the very sensible basis that someone with their knackers potentially in the vice tends to pay attention. Box ticking doesn’t have quite the same effect.

This is absolutely correct.

In the wake of Piper Alpha, the regulations governing North Sea oil and gas operations were completely overhauled to address the many, many shortcomings that had led to the world’s worst oilfield disaster. One of them was to adopt what is known in the industry as a risk-based approach to safety, and put the responsibility to implement it on the shoulders of the operating companies.

What this means in practice is this. Each company must demonstrate, to the satisfaction of the UK HSE and – God forbid – a tribunal or court in the event of an accident, that the residual risks have been minimised to a degree which is As Low As Reasonable Practicable (ALARP). Residual risk is the term used to described the risks associated with a facility or operation which remain once mitigation and prevention measures have been implemented. This is important: playing around with highly volatile hydrocarbons is an inherently dangerous business, and there will always be risks associated with it. The requirement is not to eliminate risks entirely, as that would entail leaving the hydrocarbons in the ground, but to minimise the risks that remain once you’ve done all you can.

This is the principle of ALARP: “reasonably practicable” is an open term with no strict definition, but is well understood in the risk management industry. It recognises the fact that money spent on safety and minimising risks is a scarce resource and must be properly targetted. If open-ended safety obligations are demanded of an oil company, commercial operations will cease.

Most important is the word demonstrate, which is why I emboldened it. How a company demonstrates that it has minimised the risks associated with its operations is largely up to them, but the North Sea has developed a standard process (with associated tools and techniques) which all operators now follow. In short, it consists of:

1. Identifying potential hazards and the events they could lead to.

2. Identifying the consequences of such events should they occur, in terms of effects on humans, the environment, the asset, and the company reputation.

3. Identifying what can be done to prevent the event (preventative measures).

4.Identifying what can be done to mitigate the impact of the event, should it occur (mitigation measures).

5. How the company intends to manage the residual risks of their operations once 3 and 4 have been implemented.

This process focuses the minds of those charged with designing, building, and operating the installations to ensure the residual risks are ALARP, and can indeed be demonstrated to the satisfaction of anyone who may ask (e.g. regulatory bodies). I am heavily involved in this entire process as my day-job, and have been for years. I take the approach that if I find myself hauled in front of a court facing twenty to thirty years in an African prison for manslaughter, can I demonstrate that I did everything I could do minimise the risks associated with the installation? I am not exaggerating, I really do think this. In Nigeria I was responsible for signing off designs. Gulp.

By telling companies that they have to demonstrate their facilities and operations are as safe as they can be, and all potentially catastrophic scenarios have been thought of and addressed, it forces them to take responsibility for the complete design and operation. Moreover, it forces them to consider the installation as a whole, i.e. how the different systems interact with one another, and address the unique complexities of their particular situation.

The alternative system is one whereby clever people draw up a set of rules and regulations that must be followed, and if a company does then – in theory – the installation will be safe. This is called a prescriptive-based approach to safety. In effect it’s a giant box-ticking exercise, which involves little actual thinking on the part of the design engineers and allows them to shift responsibility to those who drafted the regulations if something goes wrong. As far as I am aware, this is how most industries are regulated: companies obtain a set of prescriptive rules and regulations and if they follow them to the letter, they are covered. Indeed, this is how the American Occupational Safety and Health Administration (OSHA) works, and this approach is applied to their own oilfields.

The shortcomings of the prescriptive-based approach are obvious, but a risk-based approach is more complicated and expensive to implement. However, the lessons from Piper Alpha might well be dusted off and re-learned in the wake of the Grenfell Tower fire. I highly doubt that the British building regulatory regime allowed banned cladding to be installed: I am reasonably certain that it was quite legal. However, they were clearly not suitable for the application, because nobody considered the cladding system as a whole as it was installed on that particular tower, and what might happen in the event of a fire. All they did was select a panel type that was approved by the regulations, comply with all the other regulations, and assume they were safe.

The problem with prescriptive regulations is that they cannot anticipate every scenario, and it only takes one unique application of a certain product or system to leave the whole thing prone to a catastrophe. Or course lessons will be learned from the Grenfell Tower fire and that particular gap will be closed, but others will remain so long as we insist on a prescriptive-based approach to safety. The irony is that all those people calling for companies to take greater responsibility for the works they carry out are likely to be the same people calling for greater regulation, which will inevitably be of the prescriptive type. The two demands are not compatible: either we tell companies to follow the regulations, or we tell them to proceed as they see fit but demonstrate to the regulators that they’ve done the job properly and take full responsibility if it later proves they haven’t.

My guess is we’ll end up with an unhealthy mess of both: companies told to follow regulations but also carry the can when those regulations prove to be inadequate, leading to increased prices, a lack of transparency, and yet more cosy partnerships and conflicts of interest between private businesses and those writing the regulations. None of this will make the public any safer.

Share

28 thoughts on “Two Approaches to Safety

  1. In Britain today we seem to spend endless amounts of time dealing will all manner of Health And Safety crap – regulations that are often ridiculously excessive solutions to non-problems.

    Fire safety regulations do not fall into this category. They are vitally important. And yet they seem to be almost routinely flouted.

    An American friend pointed out to me the other day that in the US, fire regulations are usually enforced by Fire Departments – the same people (or at least the same organisations) who will be putting their lives in danger by running into the building to rescue people if there is actually a fire. They are usually humourless in the way they do this task. In the UK, fire safety regulations are enforced by different bodies that don’t quite have the same incentives.

  2. Fire safety regulations do not fall into this category. They are vitally important. And yet they seem to be almost routinely flouted.

    I expect because they are complicated and require genuine competence to draft, implement, and enforce. When it comes to genuine competence and British housing, there appears to be a yawning chasm between the two.

  3. What works for private companies may not necessarily work for public institutions or persons such as a “Clerk of Works”. Remember, we have many, many Ministers who “take full responsibility” when some colossal fuck up occurs and to which absolutely nothing happens.

    I can’t see why the Clerk of Works wouldn’t end up being some Blairite fixer who practices saying in front of a mirror “I take full responsibility” and “Our thoughts and prayers are with the families at this difficult time” but otherwise will have no competency whatsoever, or in fact responsibility.

  4. All this information you (and some others) are providing is great for those of us with a non-engineering background trying to decipher the misinformation around Grenfell.

    There is a lot of interested bull being bandied about (by the usual suspects who refuse to let a good crisis escape unused).

    Just sent a link to my engineering university student twins; hopefully this will be of interest to them.

  5. When it comes to genuine competence and British housing, there appears to be a yawning chasm between the two.

    Understatement of the week, yes.

  6. In part it’s a matter of aligning authority with responsibility. Think of university labs: what is the main use research students make of fire extinguishers? Propping open fire doors. Unless you’re prepared to discipline their supervisors as well as the students, progress will be hard to come by.

    If I’m responsible for the safety of some manufacturing plant I have to have the authority to stop production if I think it necessary. If someone has the authority to overrule me, it’s got to be clear that the responsibility has transferred to him.

    If I am allowed to combine authority with responsibility, it means that if disaster strikes the people above me are responsible only to the extent to which (i) they appointed me badly, or (ii) they failed in their duty of oversight (which would include matters of policy). The automatic call for the CEO to be sacked is bullshit: you need to be far more analytical than that. If investigation shows that the rot goes right to the top, don’t just sack him, jail him.

    I imagine that active safety in residential property is a tricky business: you can’t effectively stop tenants having chip pan fires (though their fellow tenants might try to enforce a ban by threats of violence). Without the right to expel tenants speedily it’s hard to ensure that stairways are kept clear, however regular your inspections. If many of your tenants are very stupid, or illiterate, drunken or drugged, or don’t speak English, or are from a culture that pays no heed to the notion of a common good, it’s going to be especially hard. So it’s vital (literally vital) that the building be constructed, modified, and managed for passive safety. Which takes us back to the matter of cladding, and indeed to the wisdom of high tower blocks in the first place.

  7. If I’m responsible for the safety of some manufacturing plant I have to have the authority to stop production if I think it necessary. If someone has the authority to overrule me, it’s got to be clear that the responsibility has transferred to him.

    That was one of the major changes brought in after Piper Alpha: the Offshore Installation Manager (OIM) has the authority to shut down production. Previously he didn’t.

    If I am allowed to combine authority with responsibility…

    In my experience, a prominent feature of modern organisations is that authority and responsibility are hopelessly misaligned and usually lie with completely different people.

  8. I also have had significant exposure to both types of safety legislation and overall prefer a risk based system. I don’t think that it is correct to say that in a prescriptive legislative environment if you injure someone and have met the minimum prescribed requirement your organisation is in the clear. I think you will find that many legislative and risk based systems for that matter also legislate that you cannot cause harm. In simple terms your organisation has failed if it causes harm irrespective of the level of safety management in place.

    Codes of Practice quite often come into both systems as well. They are used as a guide, but in the event of an injury you had better hope that your ALARP was at least as robust as that in the code.

    My experience with Clerk of Works in the UK was lets see how good we are by what we can sneak past him, so there is a problem right there. And no, he wasn’t responsible and it still is the directors, nothing has changed on that score, I know this as a director.

    But even with the professional risk based engineering school, it still ends up drifting towards the least effective controls being administration ie paperwork. Most of the debate, argument, cost, demonstration, brownie points unfortunately still end up being around paperwork or more paperwork. As a shareholder and a director, I am quite happy to invest in elimination, substitution and engineering controls (like lockout boxes on the other thread) but paperwork is mostly a waste of time that takes our focus away from safety and efficiency. PPE the least effective control is a good thing though.

    Oh and if you are going to even contemplate appearing in an African court to defend your company on a safety incident then you haven’t done your safety induction.

  9. “Fire safety regulations do not fall into this category”

    I think it might have been the London Fire Brigade that created the Hazchem placarding system for transport of hazardous materials which has to be the best of its kind in the world.

  10. @Tim:
    In my experience, a prominent feature of modern organisations is that authority and responsibility are hopelessly misaligned and usually lie with completely different people.

    This is so widespread I think it may in fact be deliberate. It’s a way for the high fliers to play the slopey shoulders game when blamestorming after a disaster.

    One of the things that – in theory – was a huge positive about the US Sarbanes Oxley dog turd was that if made clear that CxOs had to sign off on having both. Sadly the combination of lobbyists, lawyers and long-winded bureaucrats writing interminably detailed regulations means that even that theoretical good was lost in the process.

  11. This is so widespread I think it may in fact be deliberate. It’s a way for the high fliers to play the slopey shoulders game when blamestorming after a disaster.

    I think it’s even simpler that: people like authority because it gives them a title, power, prestige, and money. Whereas nobody wants responsibility, so it’s better to lump that on some minion – but deny him/her the authority to actually do anything.

    I’ve lost count of the number of times I’ve heard somebody with a manager’s title confidently tell me “they’re in charge” only to find they must seek approval from on high for even the most thing. What pass for bank managers these days are a particularly good example of this: when I went into a Barclays some years back, the “branch manager” didn’t even have a direct line to the rest of the organisation, he had to phone the helpline and wait in the queue like a customer would.

  12. Interesting thread (and post, natch).

    I’d observe the following: the alignment between authority and responsibility has been eroded, agreed. I think this is largely the response to the way that management and technical skills have become separated. This is a cost of that approach, and we either need to accept it, or accept the costs of other approaches.

    Secondly- the technical staff, if they are going to manage, need to understand that their definition of ‘good’ needs to cover management and commercial aspects. I’ve managed techies for as long as I care to remember, and (whilst I love working with them) I do get tired of them proposing ‘technically’ brilliant solutions that fall over budget, or don’t fulfil ongoing opex requirements (etc). I can doodle out an ‘ideal’ solution to a problem on me own, ta. I need something that fulfils all requirements, which includes maintenance and management costs. Drawing me an ivory tower full of albino elephants is no help.

    Finally, all sides need to understand the position of the ‘idiots’ on the other- whilst I love technical folk, and get on well with customers: safety is a common need, and any solution needs to deliver it. Demonising the ‘other’ team isn’t helpful.

  13. It’ll be interesting to see what emerges from the investigation of the recent collision of a US destroyer with a container ship. Seven dead aboard the destroyer; a vessel intended to defend aircraft carriers from all sort of rapid foes somehow failed to dodge a plodding cargo ship.

    https://warontherocks.com/2017/06/how-could-this-happen-the-fitzgerald-the-u-s-navy-and-collisions-at-sea/

    There’s interesting audio in this account of an American destroyer getting itself hit by a tanker a few years ago.

    https://pilotonline.com/news/military/audio-confusion-reigned-before-destroyer-s-collision/article_c7472be8-efcb-5763-93bb-aab66d820175.html

  14. Good article Tim.

    Polly’s demand for more regulation will simply get more people killed. When the final report is in the cause of this fire will be an unholy mess of overlapping regulation, incompetence, ignorance and blind following of badly applied rules. The cladding, at most, will be simply a contributing factor.

    A very simple fire saftey review with the insurers and fire service at the time of this renovation would likely have been enough to prevent this, but I’m guessing this was one of those, ‘materials comply, so proceed’ moments….

    Clerk of works, or architect’s are not solutions, they just sound like another party to defuse responsibility some more. As you rightly point out, layers of regulation are simply a way to absolve people of ownership.

  15. A case of do you want to look at safety through a microscope or a telescope? My sometime profession Organic Chemistry has long gone down the microscope route so all the problems have been pushed out of view… usually to foreign places that have erm, different safety rules.

  16. The simplest question:
    Would you be happy to live or work in this building / installation?
    If yes sign it off. If no…

  17. Thanks dearieme
    Is it just the US Navy or do these events get publicised because it’s the US Navy?
    Straits of Hormuz is busy, but nowhere near as busy as the English Channel. I imagine they have some kind of “air” (=sea) traffic control.

  18. There’s a Canadian joke that you can recognise USN ships because “they are the ones with the dents”. My guess is that the dominant effect might be that the USN is huge and must cruise huge, sorry yuuuuge, mileages. There was the odd business of the USN stopping training its navigators in celestial navigation, but apparently they’ve reversed that decision, and anyway it surely can’t be relevant here.

    But read a few American blogs and you’ll learn that it must have been Moslems aboard the cargo ship wot dun it, presumably on the assumption that no American could ever be at fault – even in a case like this where necessarily the American officers/crew were at fault whether or not anyone else was too. Who knows? Maybe it was like that second case I linked to: the destroyer tried to nip round the bow of the cargo ship and it proved to be a bad idea.

    Thank God nobody has yet tried to use it as a pretext for war. Remember the Maine!

  19. In my professional life I have a peripheral responsibility for plant H&S. As a management team we have debated for hours the concept of zero risk, which is the company’s stated aim. Some favour this approach, despite the obvious financial implications of regulating every activity to within an inch of its life. An example: following a slip in the yard that resulted in a sprained ankle, every employee now has to inspect the tread of his boots weekly and sign a log to say it is adequate. We are also having the yard resurfaced at immense cost. In fact, the fool was running, against regulations and in the rain, and slipped. But that is going to cost a 6 figure sum to mitigate. My argument is that a company that zeroes every risk takes all the responsibility out of the hands of the employee. They develop an attitude that they can do what they like within the rules and it must be safe, because all danger has been managed out of the site. I recall reading a Jeremy Clarkson article some years ago that suggested road safety would be much improved if car airbags were replaced by sharp spikes in the middle of the steering wheel, thus concentrating the drivers mind on the consequences of any foolishness. I think he had a point. (Ha ha)

  20. @Gus, under the “risk based’ legislation jurisdiction of where I am sitting today, if this incident occurred in our workshop, all things being equal, the finding would be as follows.

    Did the employee have adequate training and supervision, yes.
    Were the workplace facilities maintained to the required standard, yes.
    Was the employee wearing the right safety footwear, yes.

    Finding: Employee was the author of their own misfortune.

    Corrective action: Employee receives a written warning that his behavior is unacceptable and if this were to happen again he would be terminated, assurance to be sought from the employee that they understand that they breached company standards, which is a serious infringement and that they understood the consequences if this were to happen again.

    Employee would be entitled to sick leave and any workers compensation coverage for any medical expenses.

    Incident Classification: Either First Aid or Unclassified, long story here*

    Preventive Action: All points bulletin never run (especially when its wet).

    There are far more serious cases than this (falling from heights etc) where the judiciary are finding against the employee if their was adequate supervision, training and facilities.

    *I fully understand that in certain market sectors the expectation is far higher than this but legislatively this is now the case.

  21. Just sent a link to my engineering university student twins; hopefully this will be of interest to them.

    Thanks!

  22. Oh and if you are going to even contemplate appearing in an African court to defend your company on a safety incident then you haven’t done your safety induction.

    I was more thinking of defending myself. I would imagine most companies would deny all knowledge of me and leave me to fend for myself. This belief is largely based on precisely that happening to me already.

  23. I can’t see why the Clerk of Works wouldn’t end up being some Blairite fixer who practices saying in front of a mirror “I take full responsibility” and “Our thoughts and prayers are with the families at this difficult time” but otherwise will have no competency whatsoever, or in fact responsibility.

    True. My only experience with a Clerk of Works was an old-school one, and he did his job well. He was about to retire then, and that was about 20 years ago. I imagine he’s been replaced by a greasy spiv with the characteristics you describe.

  24. There are far more serious cases than this (falling from heights etc) where the judiciary are finding against the employee if their was adequate supervision, training and facilities.

    Indeed, but the punishment will be much less severe if you’ve done all you could reasonably be expected to do to prevent it.

    Shortly before I arrived in Sakhalin my company had a fatality. A very experienced Malaysian insulation supervisor was descending a vertical ladder – last thing on a Saturday evening, wet conditions – and neglected to hook onto the inertia reel. He slipped and fell, and landed some 15m below, and died immediately. The company got raked over the coals, but were helped a lot by the fact that all their safety training and procedures were in order. One thing that helped in particular was that the company held daily tool-box talks and one of the permanent subjects was the 100% tie-off rule. Each employee signed the tool-box talk form each day, and the deceased had done so that very morning. In other words, that same day he’d been told to tie himself off, he’d acknowledged he’d been told, but he chose not to.

  25. Maybe it was like that second case I linked to: the destroyer tried to nip round the bow of the cargo ship and it proved to be a bad idea.

    That would be my guess. Idiots.

  26. “but the punishment will be much less severe if you’ve done all you could reasonably be expected to do to prevent it.”

    Yes exactly. I meant to say that under the relatively new risk based legislation the judiciary have been finding against the employer, not the employee, we are seeing these judgments coming through the system now.

    As for your example, see the below Daily Pre-Start Inspection form from one of our sites today. It is the exact same situation as the one you describe, see comment on hooking on, the sheet is signed off by all staff as well. Also see comment on wet surface for Gus. Our inspections are done on iPads, including sign offs, I can pick them up anywhere and on my phone. I have taken out some info including names and signatures. The document is not only digitally time stamped but it now also records the actual global position of where it was completed. SWMS means Safe Work Method Statement which is basically the same as the risk assessment that you described.

    So I would like to think that the system being realistic, will mean that our staff must use them, they cannot be fudged after and the employees are making the statement that they are aware of all the hazards described and on the SWMS ( a more comprehensive document), what the agreed controls are, that they are competent to do the task and each of their electronic signatures is indisputable.

    https://www.scribd.com/document/351881730/Daily-Prestart-Inspection

  27. “Maybe it was like that second case I linked to: the destroyer tried to nip round the bow of the cargo ship and it proved to be a bad idea.

    That would be my guess. Idiots.”

    That’s happened to us before if you recall…. bet the US Sailors were real though…

Comments are closed.