Inspections and investigations and audits what you really didn't know


Upload: terry-penney

Post on 19-Aug-2015


Inspections and Investigations & SAFETY AUDITS & MANAGEMENT AUDITS

On the one hand, they have to learn to understand the organizational aspects and take them into account in constructing safety programs. On the other hand, it is important that they be aware of the fact that the view of organizations is moving further and further away from the machine concept and placing a clear emphasis on less tangible and measurable factors such as organizational culture, behaviour modification, responsibility-raising or commitment.

Today, safety policy is more and more distinctly being viewed as a way of achieving the two aims of reducing losses and optimizing corporate policy. Safety policy is therefore increasingly evolving into a reliable barometer of the soundness of the corporation’s success with respect to these aims. In order to measure progress, increased attention is being devoted to management and safety audits.

It is not only economic circumstances that have given company heads new insights. New visions relating to management, organizational theory, total quality care and, in the same vein, safety care, are resulting in significant changes.

The values, mission and organizational culture of a corporation according to McKinsey’s 7-S Framework

The fundamental shifts can best be demonstrated on the basis of the model presented by Scott (1978), which was also used by Peters and Waterman (1982). This model uses two approaches:

1. The closed-system approaches deny the influence of developments from outside the organization. With the mechanistic closed approaches, the objectives of an organization are clearly defined and can be logically and rationally determined.

2. Open-system approaches take outside influences fully into account, and the objectives are more the result of diverse processes, in which clearly irrational factors contribute to decision making.

Organizational theories

There has been enormous development in management theory, moving from the traditional rational and authoritarian machine model (Taylorism) to the human-oriented organic model of human resources management (HRM).

Organizational effectiveness and efficiency are being more clearly linked to optimal strategic management, a flat organizational structure and sound quality systems. Furthermore, attention is now given to superordinate goals and significant values that have a bonding effect within the organization, such as skills (on the basis of which the organization stands out from its competitors) and a staff that is motivated to maximum creativity and flexibility by placing the emphasis on commitment and empowerment. With these open approaches, a management audit cannot limit itself to a number of formal or structural characteristics of the organization. The audit must also include a search for methods to map out less tangible and measurable cultural aspects.

This fundamental change in the quality care system has taken place cumulatively in the sense that each foregoing stage was integrated into the next. It is also clear that while product control and safety inspection are facets more closely related to a Tayloristic organizational concept, quality assurance is more associated with a socio-technical system approach where the aim is not to betray the trust of the (external) customer.

It is clear that there is also a very important difference in emphasis between quality assurance as described in the ISO standards and the TQL approach of the ISO quality assurance is an extended and improved form of quality inspection, focusing not only on the products and internal customers, but also on the efficiency of the technical processes. The objective of the inspection is to investigate the conformity with the procedures set out in ISO. TQM, on the other hand, endeavours to meet the expectations of all internal and external customers as well as all processes within the organization, including the more soft and human-oriented ones. The involvement, the commitment and the creativity of the employees are clearly important aspects of TQM.

From Human Error to Integrated Safety

Safety policy has evolved in a similar manner to quality care. Attention has shifted from post-factum incident analysis, with emphasis on the prevention of injuries, to a more global approach. Safety is seen more in the context of “total loss control” - a policy aimed at the avoidance of losses through management of safety involving the interaction of people, processes, materials, equipment, installations and the environment. Safety therefore focuses on the management of the processes that could lead to losses. In the initial development period of safety policy the emphasis was placed on a human error approach. Consequently, employees were given a heavy responsibility for the prevention of industrial incidents.

Only recently, the emphasis in safety policy systems shifted into a social-system approach, which is a logical step in the improvement of the prevention system. In order to optimize the human/machine/environment system it is not sufficient to ensure safe machines and tools by means of a well-developed prevention policy, but there is also the need for a preventive maintenance system and the assurance of security among all technical processes. Moreover, it is of crucial importance that employees be sufficiently trained, skilled and motivated with regard to health and safety objectives. Modern management entails an open, motivating corporate culture, in which there is a common commitment to achieving key corporate objectives in a participatory, team-based approach. In the safety-culture approach, safety is an integral part of the objectives of the organizations and therefore an essential part of everyone’s task, starting with top management and passing along the entire hierarchical line down to employees on the shop floor.

Integrated safety

The concept of integrated safety immediately presents a number of central factors in an integrated safety system, the most important of which can be summarized as follows:

A clearly visible commitment from the top management. This commitment is not only given on paper, but is translated right down to the shop floor in practical achievements.

Active involvement of the hierarchical line and the central support departments. Care for safety, health and welfare is not only an integral part of everyone’s task in the production process, but is also integrated into the personnel policy, into preventive maintenance, into the design stage and into working with third parties.

Full participation of the employees. Employees are full discussion partners with whom open and constructive communication is possible, with their contribution being given full weight. Indeed, participation is of crucial importance for carrying through corporate and safety policy in an efficient and motivating way.

A suitable profile for a safety expert. The safety expert is no longer the technician or jack of all trades, but is a qualified adviser to the top management, with particular attention being devoted to optimizing the policy processes and the safety system. He or she is therefore not someone who is only technically trained, but also a person who, as a good organizer, can deal with people in an inspiring manner and collaborate in a synergetic way with other prevention experts.

A pro-active safety culture. The key aspect of an integrated safety policy is a pro-active safety culture, which includes, among other things, the following:

• Safety, health and welfare are the key ingredients of an organization’s value system and of the objectives it seeks to attain.
• An atmosphere of openness prevails, based on mutual trust and respect.
• There is a high level of cooperation with a smooth flow of information and an appropriate level of coordination.
• A pro-active policy is implemented with a dynamic system of constant improvement perfectly matching the prevention concept.
• The promotion of safety, health and welfare is a key component of all decision-making, consultations and teamwork.
• When industrial incidents occur, suitable preventive measures are sought, not a scapegoat.
• Members of staff are encouraged to act on their own initiative so that they possess the greatest possible authority, knowledge and experience, enabling them to intervene in an appropriate manner in unexpected situations.
• Processes are set in motion with a view to promoting individual and collective training to the maximum extent possible.
• Discussions concerning challenging and attainable health, safety and welfare objectives are held on a regular basis.

Safety and Management Audits

General description

Safety audits are a form of risk analysis and evaluation in which a systematic investigation is carried out in order to determine the extent to which the conditions are present that provide for the development and implementation of an effective and efficient safety policy. Each audit therefore simultaneously envisions the objectives that must be realized and the best organizational circumstances to put these into practice.

Each audit system should, in principle, determine the following:

• What is management seeking to achieve, by what means and by what strategy?
• What are the necessary provisions in terms of resources, structures, processes, standards and procedures that are required to achieve the proposed objectives, and what has been provided? What minimum program can be put forward?
• What are the operational and measurable criteria that must be met by the chosen items to allow the system to function optimally?

The information is then thoroughly analysed to examine to what extent the current situation and the degree of achievement meet the desired criteria, followed by a report with positive feedback that emphasizes the strong points, and corrective feedback that refers to aspects requiring further improvement.

Auditing and strategies for change

Each audit system explicitly or implicitly contains a vision both of an ideal organization’s design and conceptualization, and of the best way of implementing improvements.

Bennis, Benne and Chin distinguish three strategies for planned changes, each based on a different vision of people and of the means of influencing behaviour:

• Power-force strategies are based on the idea that the behaviour of employees can be changed by exercising sanctions.
• Rational-empirical strategies are based on the axiom that people make rational choices depending on maximizing their own benefits.
• Normative-re-educative strategies are based on the premise that people are irrational, emotional beings and in order to realize a real change, attention must also be devoted to their perception of values, culture, attitudes and social skills.

The famous model devised by Danish risk specialist Rasmussen distinguishes among the following three sorts of behaviour:

• Routine actions (skill-based behaviour) automatically follow the associated signal. Such actions are carried out without one’s consciously devoting attention to them - for example, touch-typing or manually changing gears when driving.
• Actions in accordance with instructions (rule-based) require more conscious attention because no automatic response to the signal is present and a choice must be made between different possible instructions and rules. These are often actions which can be placed in an “if-then” sequence, as in “If the meter rises to 50 then this valve must be closed”.
• Actions based on knowledge and insight (knowledge-based) are carried out after a conscious interpretation and evaluation of the different problem signals and the possible alternative solutions. These actions therefore presuppose a fairly high degree of knowledge of and insight into the process concerned, and the ability to interpret unusual signals.


Strata in behavioural and cultural change

Based on the above, most audit systems (including those based on the ISO series of standards) implicitly depart from power-force strategies or rational-empirical strategies, with their emphasis on routine or procedural behaviour. This means that insufficient attention is paid in these audit systems to “knowledge-based behaviour” that can be influenced mainly via normative–re-educative strategies. Many audit systems limit themselves to the question of whether a particular provision or procedure is present. It is therefore implicitly assumed that the sheer existence of this provision or procedure is a sufficient guarantee for the good functioning of the system. Besides the existence of certain measures, there are always different other “strata” (or levels of probable response) that must be addressed in an audit system to provide sufficient information and guarantees for the optimum functioning of the system.

In more concrete terms, the following example concerns response to a fire emergency:

• A given provision, instruction or procedure is present (“sound the alarm and use the extinguisher”).
• A given instruction or procedure is also familiarly known to the parties concerned (workers know where alarms and extinguishers are located and how to activate and use them).
• The parties concerned also know as much as possible as to the “why and wherefore” of a particular measure (employees have been trained or educated in extinguisher use and typical types of fires).
• The employee is also motivated to apply needful measures (self preservation, save the job, etc.).
• There is sufficient motivation, competence and ability to act in unforeseen circumstances (employees know what to do in the event fire gets out of hand, requiring professional fire-fighting response).
• There are good human relations and an atmosphere of open communication (supervisors, managers and employees have discussed and agreed upon fire emergency response procedures).
• Spontaneous creative processes originate in a learning organization (changes in procedures are implemented following “lessons learned” in actual fire situations).


PAS safety audit elements

| PAS safety audit elements | Correspondence with ISO 9001 |
|---|---|
| 1. Management responsibility | |
| 1.1. Safety policy | 4.1.1. |
| 1.2. Organization | |
| 1.2.1. Responsibility and authority | 4.1.2.1. |
| 1.2.2. Verification resources and personnel | 4.1.2.2. |
| 1.2.3. Health and safety service | 4.1.2.3. |
| 1.3. Safety management system review | 4.1.3. |
| 2. Safety management system | 4.2. |
| 3. Obligations | 4.3. |
| 4. Design control | |
| 4.1. General | 4.4.1. |
| 4.2. Design and development planning | 4.4.2. |
| 4.3. Design input | 4.4.3. |
| 4.4. Design output | 4.4.4. |
| 4.5. Design verification | 4.4.5. |
| 4.6. Design changes | 4.4.6. |
| 5. Document control | |
| 5.1. Document approval and issue | 4.5.1. |
| 5.2. Document changes/modifications | 4.5.2. |
| 6. Purchasing and contracting | |
| 6.1. General | 4.6.1. |
| 6.2. Assessment of suppliers and contractors | 4.6.2. |
| 6.3. Purchasing data | 4.6.3. |
| 6.4. Third party’s products | 4.7. |
| 7. Identification | 4.8. |
| 8. Process control | |
| 8.1. General | 4.9.1. |
| 8.2. Process safety control | 4.11. |
| 9. Inspection | |
| 9.1. Receiving and pre-start-up inspection | 4.10.1., 4.10.3. |
| 9.2. Periodic inspections | 4.10.2. |
| 9.3. Inspection records | 4.10.4. |
| 9.4. Inspection equipment | 4.11. |
| 9.5. Inspection status | 4.12. |
| 10. Incidents and incidents | 4.13. |
| 11. Corrective and preventive action | 4.13., 4.14. |
| 12. Safety records | 4.16. |
| 13. Internal safety audits | 4.17. |
| 14. Training | 4.18. |
| 15. Maintenance | 4.19. |
| 16. Statistical techniques | 4.20. |

Several other systems are integrated in the PAS system:

• At a strategic level, the insights and requirements of ISO are of particular importance.
• At a tactical level, the systematics of the “Management’s Oversight and Risk Tree” encourages people to seek out what are the necessary and sufficient conditions in order to achieve the desired safety result.
• At an operational level a multitude of sources could be drawn upon, including existing legislation, regulations and other criteria such as the International Safety Rating System (ISRS), in which the emphasis is placed on certain concrete conditions that should guarantee the safety result.


The PAS constantly refers to the broader corporate policy within which the safety policy is embedded. After all, an optimum safety policy is at the same time a product and a producer of a pro-active company policy. Assuming that a safe company is at the same time an effective and efficient organization and vice versa, special attention is therefore devoted to the integration of safety policy in the overall policy. Essential ingredients of a future-oriented corporate policy include a strong corporate culture, a far-reaching commitment, the participation of the employees, a special emphasis on the quality of the work, and a dynamic system of continual improvement.

Formal procedures and directly identifiable results are indisputably important in safety policy. However, it is not enough to base the safety system on this approach alone. The future results of a safety policy are dependent on the present policy, on the systematic efforts, on the constant search for improvements, and particularly on the fundamental optimizing of processes that ensure durable results.

HAZARD ANALYSIS: THE INCIDENT CAUSATION MODEL

Human error is an important contributing cause in at least 90% of all industrial incidents. While purely technical errors and uncontrollable physical circumstances may also contribute to incident causation, human error is the paramount source of failure. The increased sophistication and reliability of machinery means that the proportion of causes of incidents attributed to human error increases as the absolute number of incidents decreases. Human error is also the cause of many of those incidents that, although not resulting in injury or death, nevertheless result in considerable economic damage to a company. As such, it represents a major target for prevention, and it will become increasingly important. For effective safety management systems and risk identification programs it is important to be able to identify the human component effectively through the use of general failure type analysis.

The Nature of Human Error

Human error can be viewed as the failure to reach a goal in the way that was planned, either from a local or wider perspective, due to unintentional or intentional behaviour. Those planned actions may fail to achieve the desired outcomes for the following four reasons:

1. Unintentional behaviour:

• The actions did not go as planned (slips).
• The action was not executed (lapses).

2. Intentional behaviour:

• The plan itself was inadequate (mistakes).
• There were deviations from the original plan (violations).

Deviations can be divided into three classes: skill-, rule- and knowledge-based errors.

1. At the skill-based level, behaviour is guided by pre-programmed action schemes. The tasks are routine and continuous, and feedback is usually lacking.

2. At the rule-based level, behaviour is guided by general rules. They are simple and can be applied many times in specific situations. The tasks consist of relatively frequent action sequences that start after a choice is made among rules or procedures. The user has a choice: the rules are not automatically activated, but are actively chosen.

3. Knowledge-based behaviour is shown in completely new situations where no rules are available and where creative and analytical thinking is required.

In some situations, the term human limitation would be more appropriate than human error.

When the situation is completely unknown, knowledge-based rules are applied. The symptoms are examined in the light of knowledge about the system and its components. This analysis can lead to a possible solution, the implementation of which constitutes a case of knowledge-based behaviour. (It is also possible that the problem cannot be solved in a given way and that further knowledge-based rules have to be applied.) All errors on this level are mistakes. Violations are committed when a certain rule is applied that is known to be inappropriate: the thinking of the worker may be that application of an alternative rule will be less time-consuming or is possibly more suitable for the present, probably exceptional, situation. The more malevolent class of violations involves sabotage, a subject that is not within the scope of this article.

A comment often made with regard to a particular incident is, “Maybe the person did not realize it at the time, but if he or she had not acted in a certain way, the incident would not have happened.” Much of incident prevention is aimed at influencing the crucial bit of human behaviour alluded to in this remark. In many safety management systems, the solutions and policies suggested are aimed at directly influencing human behaviour.


Six ways to induce safe behaviour and assessment of their cost-effectiveness

| No. | Way of influencing | Cost | Long-term effect | Assessment |
|---|---|---|---|---|
| 1 | Don’t induce safe behaviour, but make the system “foolproof”. | High | Low | Poor |
| 2 | Tell those involved what to do. | Low | Low | Medium |
| 3 | Reward and punish. | Medium | Medium | Medium |
| 4 | Increase motivation and awareness. | Medium | Low | Poor |
| 5 | Select trained personnel. | High | Medium | Medium |
| 6 | Change the environment. | High | High | Good |

Do not attempt to induce safe behaviour, but make the system “foolproof”

Tell those involved what to do

Another option is to instruct all workers about every single activity in order to bring their behaviour fully under the control of management. This will require an extensive and not very practical task inventory and instruction

Reward and punish

Although reward and punishment schedules are powerful and very popular means for controlling human behaviour, they are not without problems.

Increase motivation and awareness

Sometimes it is believed that people cause incidents because they lack motivation or are unaware of danger. The effects of motivation enhancement programs are positive only when coupled with behaviour modification techniques such as employee involvement.

Select trained personnel

The first reaction to an incident is often that those involved must have been incompetent.

Change the environment

Most behaviour occurs as a reaction to factors in the working environment: work schedules, plans, and management expectations and demands.

The Incident Causation Model

In order to get more insight into the controllable parts of the incident causation process, an understanding of the possible feedback loops in a safety information system is necessary.

A safety information system


Incident investigation

When incidents are investigated, substantial reports are produced and decision-makers receive information about the human error component of the incident. Fortunately, this is becoming more and more obsolete in many companies. It is more effective to analyse the “operational disturbances” that precede the incidents and incidents. If an incident is described as an operational disturbance followed by its consequences, then sliding from the road is an operational disturbance and getting killed because the driver did not wear a safety belt is an incident. Barriers may have been placed between the operational disturbance and the incident, but they failed or were breached or circumvented.

Incident

An incident is a work-related event during which:

• injury, ill health, or fatality actually occurs, or
• injury, ill health, or fatality could have occurred.

An accident is a type of incident. It is a work-related event during which injury, ill health, or fatality actually occurs. It is a type of incident.

A close call, near miss, near hit, or dangerous occurrence is also a type of incident. It is a work-related event during which injury, ill health, or fatality could have occurred, but didn’t actually occur.

Nonconformity

Nonconformity is the non-fulfillment of a requirement or a deviation from a standard. When an organization fails to meet requirements or deviates from a standard, a nonconformity exists.

Preventive Action

Preventive actions are steps that are taken to remove the causes of potential nonconformities or other undesirable situations that have not yet occurred. Preventive actions address potential problems. In general, the preventive action process can be thought of as a risk analysis process.

Risk combines three elements: it starts with a potential event, and then combines its probability with its potential severity. In the context of OH&S, the concept of risk asks two future-oriented questions:

• What is the probability that a particular hazardous event or exposure will actually occur in the future?
• How severe would the impact on health and safety be if the hazardous event or exposure actually occurred?

A high risk hazardous event or exposure would have both a high probability of occurring and a severe impact on OH&S if it actually occurred. A high risk event or exposure is one that is likely to cause severe injury or ill health.

Unsafe act auditing

A wrong act committed by an employee is called a “substandard act” and not an “unsafe act” in this article: the notion of “unsafe” seems to limit the applicability of the term to safety, whereas it can also be applied, for example, to environmental problems. Substandard acts are sometimes recorded, but detailed information as to which slips, mistakes and violations were performed and why they were performed is hardly ever fed back to higher management levels.

Investigating the employee’s state of mind

Before a substandard act is committed, the person involved was in a certain state of mind. If these psychological precursors, like being in a state of haste or feeling sad, could be adequately controlled, people would not find themselves in a state of mind in which they would commit a substandard act.

General failure types and their definitions

| General failures | Definitions |
|---|---|
| 1. Design (DE) | Failures due to poor design of a whole plant as well as individual items of equipment |
| 2. Hardware (HW) | Failures due to poor state or unavailability of equipment and tools |
| 3. Procedures (PR) | Failures due to poor quality of the operating procedures with respect to utility, availability and comprehensiveness |
| 4. Error enforcing conditions (EC) | Failures due to poor quality of the working environment, with respect to circumstances that increase the probability of mistakes |
| 5. Housekeeping (HK) | Failures due to poor housekeeping |
| 6. Training (TR) | Failures due to inadequate training or insufficient experience |
| 7. Incompatible goals (IG) | Failures due to the poor way safety and internal welfare are defended against a variety of other goals like time pressure and a limited budget |
| 8. Communication (CO) | Failures due to poor quality or absence of lines of communication between the various divisions, departments or employees |
| 9. Organization (OR) | Failures due to the way the project is managed and the company is operated |
| 10. Maintenance management (MM) | Failures due to poor quality of the maintenance procedures regarding quality, utility, availability and comprehensiveness |
| 11. Defences (DF) | Failures due to the poor quality of the protection against hazardous situations |

There are two GFTs that require some further explanation: maintenance management and defences.

Maintenance management (MM)

Since maintenance management is a combination of factors that can be found in other GFTs, it is not, strictly speaking, a separate GFT: this type of management is not fundamentally different from other management functions. It may be treated as a separate issue because maintenance plays an important role in so many incident scenarios and because most organizations have a separate maintenance function.

Defences (DF)

The category of defences is also not a true GFT, as it is not related to the incident causation process itself. This GFT is related to what happens after an operational disturbance. It does not generate either psychological states of mind or substandard acts by itself. It is a reaction that follows a failure due to the action of one or more GFTs. While it is indeed true that a safety management system should focus on the controllable parts of the incident causation chain before and not after the unwanted incident, nevertheless the notion of defences can be used to describe the perceived effectiveness of safety barriers after a disturbance has occurred and to show how they failed to prevent the actual incident.

Managers need a structure that will enable them to relate identified problems to preventive actions. Measures taken at the levels of safety barriers or substandard acts are still necessary, although these measures can never be completely successful. To trust “last line” barriers is to trust factors that are to a large extent out of management control. Management should not attempt to manage such uncontrollable external devices, but instead must try to make their organizations inherently safer at every level.

Measuring the Level of Control over Human Error

Ascertaining the presence of the GFTs in an organization will enable incident

investigators to identify the weak and strong points in the organization. Given such

knowledge, one can analyse incidents and eliminate or mitigate their causes and

identify the structural weaknesses within a company and fix them before they in fact

contribute to an incident.

Incident investigation

The task of an incident analyst is to identify contributing factors and to categorize

them. The number of times a contributing factor is identified and categorized in

terms of a GFT indicates the extent to which this GFT is present. This is often done

by means of a checklist or computer analysis program.

Profile of an incident type

Some of the GFTs - design, procedures and incompatible goals - score consistently

high in all four particular incidents. This means that in each incident, factors have

been identified that were related to these GFTs. With respect to the profile of

incident 1, design is a problem. Housekeeping, although a major problem area in

incident 1, is only a minor problem if more than the first incident is analysed. It is

suggested that about ten similar types of incidents be investigated and combined in

a profile before far-reaching and possibly expensive corrective measures are taken.
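
The profiling step described above, as an added example that is not part of the original presentation: each contributing factor is tagged with a GFT, the tags are tallied per incident and across incidents, and corrective measures are held back until about ten incidents are in the profile. The incident data is constructed, and the 20% cut-off for a "high" score and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data: for each incident, the GFT assigned to every
# contributing factor the analyst identified. GFT names are those used in
# the text; the counts are invented for illustration.
INCIDENTS = {
    "incident 1": ["design"] * 3 + ["housekeeping"] * 3
                  + ["procedures"] * 2 + ["incompatible goals"] * 2,
    "incident 2": ["design"] * 2 + ["procedures"] * 3
                  + ["incompatible goals"] * 2
                  + ["maintenance management"] * 2 + ["housekeeping"],
    "incident 3": ["design"] * 3 + ["procedures"] * 2
                  + ["incompatible goals"] * 3 + ["defences"] * 2,
    "incident 4": ["design"] * 2 + ["procedures"] * 2
                  + ["incompatible goals"] * 2
                  + ["maintenance management"] + ["defences"],
}

# The text suggests combining about ten similar incidents before acting.
MIN_INCIDENTS_FOR_ACTION = 10

# Assumption: a GFT "scores high" in an incident when it accounts for at
# least this share of that incident's contributing factors.
HIGH_SHARE = 0.2


def incident_profile(factors):
    """Count how often each GFT was identified in one incident."""
    return Counter(factors)


def combined_profile(incidents):
    """Sum the per-incident counts into one profile for the incident type."""
    total = Counter()
    for factors in incidents.values():
        total.update(factors)
    return total


def high_gfts(factors, min_share=HIGH_SHARE):
    """GFTs whose share of the incident's factors reaches min_share."""
    profile = incident_profile(factors)
    n = len(factors)
    return {gft for gft, count in profile.items() if count / n >= min_share}


def consistently_high(incidents, min_share=HIGH_SHARE):
    """GFTs that score high in every incident (structural weaknesses)."""
    per_incident = [high_gfts(f, min_share) for f in incidents.values()]
    if not per_incident:
        return []
    return sorted(set.intersection(*per_incident))


def local_only(incidents, min_share=HIGH_SHARE):
    """GFTs that score high in some incidents but not in all of them."""
    per_incident = [high_gfts(f, min_share) for f in incidents.values()]
    if not per_incident:
        return []
    everywhere = set.intersection(*per_incident)
    anywhere = set.union(*per_incident)
    return sorted(anywhere - everywhere)


def ready_for_corrective_measures(incidents):
    """True once enough incidents are combined to justify costly measures."""
    return len(incidents) >= MIN_INCIDENTS_FOR_ACTION


if __name__ == "__main__":
    for name, factors in INCIDENTS.items():
        print(name, dict(incident_profile(factors)))
    print("combined:", dict(combined_profile(INCIDENTS)))
    print("consistently high:", consistently_high(INCIDENTS))
    print("high in single incidents only:", local_only(INCIDENTS))
    print("enough incidents to act:", ready_for_corrective_measures(INCIDENTS))
```

With only four incidents in the constructed profile, housekeeping stands out in incident 1 but not in the combined picture, and the readiness check stays false.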

HARDWARE HAZARDS

This article addresses “machine” hazards, those which are specific to the appurtenances and hardware

used in the industrial processes associated with pressure vessels, processing

equipment, powerful machines and other intrinsically risky operations. This article

does not address worker hazards, which implicate the actions and behaviour of

individuals, such as slipping on working surfaces, falling from elevations and hazards

from using ordinary tools. Since these hazards threaten anyone present and may

even be a threat to neighbours and the external environment, the analysis methods

and the means for prevention and control are similar to the methods used to deal

with risks to the environment from industrial activities.

Machine Hazards

Good quality hardware is very reliable, and most failures are caused by secondary

effects like fire, corrosion, misuse and so on. Nevertheless, hardware may be

highlighted in certain incidents, because a failing hardware component is often the

most conspicuous or visibly prominent link of the chain of events. Although the term

hardware is used in a broad sense, illustrative examples of hardware failures and

their immediate “surroundings” in incident causation have been taken from industrial

workplaces. Typical candidates for investigation of “machine” hazards include but

are not limited to the following:

• pressure vessels and pipes
• motors, engines, turbines and other rotating machines
• chemical and nuclear reactors
• scaffolding, bridges, etc.
• lasers and other energy radiators
• cutting and drilling machinery, etc.
• welding equipment.

Effects of Energy

Hardware hazards can include wrong use, construction errors or frequent overload,

and accordingly their analysis and mitigation or prevention can follow rather

different directions. However, physical and chemical energy forms that elude human

control often exist at the heart of hardware hazards. Therefore, one very general

method to identify hardware hazards is to look for the energies that are normally

controlled with the actual piece of equipment or machinery, such as a pressure

vessel containing ammonia or chlorine. Other methods use the purpose or intended

function of the actual hardware as a starting point and then look for the probable

effects of malfunctions and failures. For example, a bridge failing to fulfil its primary

function will expose subjects on the bridge to the risk of falling down; other effects

of the collapse of a bridge will be the secondary ones of falling items, either

structural parts of the bridge or objects situated on the bridge. Further down the

chain of consequences, there may be derived effects related to functions in other

parts of the system that were dependent on the bridge performing its function

properly, such as the interruption of emergency response vehicular traffic to another

incident.

Industrial Work Environment

Machine hazards also involve load or stress factors that may be dangerous in the

long run, such as the following:

• extreme working temperatures
• high intensities of light, noise or other stimuli
• inferior air quality
• extreme job demands or workloads.

These hazards can be recognized and precautions taken because the dangerous

conditions are already there. They do not depend on some structural change in the

hardware to come about and work a harmful result, or on some special event to

effect damage or injury. Long-term hazards also have specific sources in the working

environment, but they must be identified and evaluated through observing workers

and the jobs, instead of just analysing hardware construction and functions.

Dangerous hardware or machine hazards are usually exceptional and rather seldom

found in a sound working environment, but cannot be avoided completely. Several

types of uncontrolled energy, such as the following risk agents, can be the

immediate consequence of hardware malfunction:

• harmful releases of dangerous gas, liquids, dusts or other substances
• fire and explosion
• high voltages
• falling objects, missiles, etc.
• electric and magnetic fields
• cutting, trapping, etc.
• displacement of oxygen
• nuclear radiation, x rays and laser light
• flooding or drowning
• jets of hot liquid or steam.

Risk Agents

Moving objects. Falling and flying objects, liquid flows and jets of liquid or steam,

such as those listed above, are often the first external consequences of hardware or equipment

failure, and they account for a large proportion of incidents.

Chemical substances. Chemical hazards also contribute to worker incidents as well

as affecting the environment and the public. Traffic incidents involving gasoline or

chemical delivery trucks or other dangerous goods transports unite two risk agents -

moving objects and chemical substances.

Electromagnetic energy. Electric and magnetic fields, x rays and gamma rays are all

manifestations of electromagnetism, but are often treated separately as they are

encountered under rather different circumstances. However, the dangers of

electromagnetism have some general traits: fields and radiation penetrate human

bodies instead of just making contact on the application area, and they cannot be

sensed directly, although very large intensities cause heating of the affected body

parts.

Triggering the Hardware Hazards

Both sudden and gradual shifts from the controlled - or “safe” - condition to one with

increased danger can come about through the following circumstances, which can

be controlled through appropriate organizational means such as user experience,

education, skills, surveillance and equipment testing:

• wear and overloads
• external impact (fire or impact)
• ageing and failure
• wrong supply (energy, raw materials)
• insufficient maintenance and repair
• control or process error
• misuse or misapplication
• hardware breakdown
• barrier malfunction.

Since proper operations cannot reliably compensate for improper design and

installation, it is important to consider the entire process, from selection and design

through installation, use, maintenance and testing, in order to evaluate the actual

state and conditions of the hardware item.

Hazard Case: The Pressurized Gas Tank

Gas can be contained in suitable vessels for storage or transport, like the gas and

oxygen cylinders used by welders. Often, gas is handled at high pressure, affording a

great increase in the storing capacity, but with higher incident risk. The key

incidental phenomenon in pressurized gas storage is the sudden creation of a hole in

the tank, with these results:

• the confinement function of the tank ceases
• the confined gas gets immediate access to the surrounding atmosphere.

The development of such an incident depends on these factors:

• the type and amount of gas in the tank
• the situation of the hole in relation to the tank’s contents
• the initial size and subsequent growth rate of the hole
• the temperature and pressure of the gas and the equipment
• the conditions in the immediate environment (sources of ignition, people, etc.).

The tank contents can be released almost immediately or over a period of time, and

result in different scenarios, from the burst of free gas from a ruptured tank, to

moderate and rather slow releases from small punctures.

The behaviour of various gases in the case of leakage

When developing release calculation models, it is most important to determine the

following conditions affecting the system’s potential behaviour:

• the gas phase behind the hole (gaseous or liquid?)
• temperature and wind conditions
• the possible entry of other substances into the system or their possible presence in its surroundings
• barriers and other obstacles.

The exact calculations pertaining to a release process where liquefied gas escapes

from a hole as a jet and then evaporates (or alternatively, first becomes a mist of

droplets) are difficult. The specification of the later dispersion of the resultant

clouds is also a difficult problem. Consideration must be given to the movements and

dispersion of gas releases, whether the gas forms visible or invisible clouds and

whether the gas rises or stays at ground level.

Tank strength is affected by the history of tank use - first of all by the normal

wearing processes and the scratches and corrosion attacks typical of the particular

industry and of the application. Other historical parameters of particular interest

include:

• casual overpressure
• extreme heating or cooling (internal or external)
• mechanical impacts
• vibrations and stress
• substances that have been stored in or have passed through the tank
• substances used during cleansing, maintenance and repair.

The construction material - steel plate, aluminium plate, concrete for

non-pressurized applications, and so on - can undergo deterioration from these influences

in ways that are not always possible to check without overloading or destroying the

equipment during testing.

Hazard Analysis

The methods that have been developed to find the risks that may be relevant to a

piece of equipment, to a chemical process or to a certain operation are referred to

as “hazard analysis”. These methods ask questions such as: “What may possibly go

wrong?” “Could it be serious?” and “What can be done about it?” Different methods

of conducting the analyses are often combined to achieve a reasonable coverage,

but no such set can do more than guide or assist a clever team of analysts in their

determinations. The main difficulties with hazard analysis are as follows:

• availability of relevant data
• limitations of models and calculations
• new and unfamiliar materials, constructions and processes
• system complexity
• limitations on human imagination
• limitations on practical tests.

To produce usable risk evaluations under these circumstances it is important to

stringently define the scope and the level of “ambitiousness” appropriate to the

analysis at hand; for example, it is clear that one does not need the same sort of

information for insurance purposes as for design purposes, or for the planning of

protection schemes and the construction of emergency arrangements. Generally

speaking, the risk picture must be filled in by mixing empirical techniques (i.e.,

statistics) with deductive reasoning and a creative imagination.

Different risk evaluation tools - even computer programs for risk analysis - can be

very helpful. The hazard and operability study (HAZOP) and the failure mode and

effect analysis (FMEA) are commonly used methods for investigating hazards,

especially in the chemical industry. The point of departure for the HAZOP method is

the tracing of possible risk scenarios based on a set of guide words; for each

scenario one has to identify probable causes and consequences. In the second

stage, one tries to find means for reducing the probabilities or mitigating the

consequences of those scenarios judged to be unacceptable. Fault trees and event

trees and the modes of logical analysis proper to incident causation structures and

probability reasoning are in no way specific to the analysis of hardware hazards, as

they are general tools for system risk evaluations.

Tracing hardware hazards in an industrial plant

To identify possible hazards, information on construction and function can be sought

from:

• actual equipment and plant
• substitutes and models
• drawings, electrical diagrams, piping and instrumentation (P/I) diagrams, etc.
• process descriptions
• control schemes
• operation modes and phases
• work orders, change orders, maintenance reports, etc.

By selecting and digesting such information, analysts form a picture of the risk

object itself, its functions and its actual use. Where things are not yet constructed -

or unavailable for inspection - important observations cannot be made and the

evaluation must be based entirely on descriptions, intentions and plans. Such

evaluation might seem rather poor, but in fact, most practical risk evaluations are

made this way, either in order to seek authoritative approval for applications to

undertake new construction, or to compare the relative safety of alternative design

solutions. Real life processes will be consulted for the information not shown on the

formal diagrams or described verbally by interview, and to verify that the information

gathered from these sources is factual and represents actual conditions. These

include the following:

• actual practice and culture
• additional failure mechanisms/construction details
• “sneak paths”
• common error causes
• risks from external sources/missiles
• particular exposures or consequences
• past incidents and near incidents.

Most of this additional information, especially sneak paths, is detectable only by

creative, skilled observers with considerable experience, and some of the

information would be almost impossible to trace with maps and diagrams. Sneak

paths denote unintended and unforeseen interactions between systems, where the

operation of one system affects the condition or operation of another system through

other ways than the functional ones. This typically happens where functionally

different parts are situated near each other, or (for example) a leaking substance

drips on equipment beneath and causes a failure.

For a pipeline, failure modes would consider items such as:

• a reduced flow
• a leak
• a flow stopped due to blockage
• a break in the line.

The effects of leaks seem obvious, but sometimes the most important effects may

not be the first effects: what happens for example, if a valve is stuck in a half-open

position?

The hardware components are very seldom the guilty parts in incident development;

rather, there are root causes to be found in other links of the chain: wrong concepts,

bad designs, maintenance errors, operator errors, management errors and so on.

Several examples of the specific conditions and acts that may lead to failure

development have already been given; a broad collection of such agents would take

account of the following:

• collision
• corrosion, etching
• excessive loads
• failing support and aged or worn-out parts
• low-quality welding jobs
• missiles
• missing parts
• overheating or chilling
• vibration
• wrong construction material used.

Controlling the hardware hazards in a working environment requires the review of all

possible causes and respect for the conditions that are found to be critical with the

actual systems.

ORGANIZATIONAL FACTORS - MORT

Through industrialization, workers became organized in factories as the utilization of

energy sources such as the steam engine became possible. As compared to

traditional handicraft, mechanized production, with sources of higher energy at its

disposal, presented new risks of incidents. As the amount of energy increased,

workers were removed from the direct control of these energies. Decisions that

affected safety were often made at the management level rather than by those

directly exposed to these risks. At this stage of industrialization, the need for safety

management became evident.

The MORT Diagram and Underlying Principles

The intent of MORT was to formulate an ideal safety management system based on a

synthesis of the best safety program elements and safety management techniques

then available. As the principles underlying the MORT initiative were applied to the

contemporary state of the art in safety management, the largely unstructured safety

literature and expertise took on the form of an analytical tree.

A version of the MORT analytical tree

The MORT Diagram

MORT is used as a practical tool in incident investigations and in evaluations of

existing safety programs.

When the branches of the MORT diagram are elaborated in detail, there are elements

from such different fields as risk analysis, human factors analysis, safety information

systems and organizational analysis. In total, about 1,500 basic events are covered

by the MORT diagram.

Application of the MORT Diagram

The MORT diagram functions as a screening tool in planning the analyses and

evaluations. It is also used as a checklist for comparison of actual conditions with

the idealized system. In this application, MORT facilitates checking the

completeness of the analysis and avoiding personal biases.

At bottom, MORT is made up of a collection of questions. Criteria that guide

judgements as to whether specific events and conditions are satisfactory or less

than adequate are derived from these questions.

The ideal is a well-structured organization with clear and realistic goals and

well-defined lines of responsibility and authority. MORT is thus best suited for large and

bureaucratic organizations.

WORKPLACE INSPECTION AND REGULATORY ENFORCEMENT

Inspection Systems

Auditing has been defined as “the structured process of collecting independent

information on the efficiency, effectiveness and reliability of the total safety

management system and drawing up plans for corrective action”.

The workplace inspection therefore is not only the final stage in setting up a safety

management program but is also a continuing process in its maintenance. It can be

conducted only where a properly devised management system for safety has been

established. Such a system first envisages a formal policy statement from

management setting out its principles for creating a healthy and safe working

environment and then establishing the mechanisms and the structures within the

organization whereby these principles will be effectively implemented. Management

must furthermore be committed to providing adequate resources, both human and

financial, to support the system’s mechanisms and structures. Thereafter, there

must be detailed planning for safety and health, and the defining of measurable

goals. Systems must be devised to ensure that safety and health performance in

practice can be measured against established norms and against previous

achievements. Only when this structure is in place and is operating can an effective

management audit system be applied.

Complete safety and health management systems can be devised, produced and

implemented from within the resources of larger enterprises. Additionally, there are

a number of safety management control systems which are available from

consultants, insurance companies, government agencies, associations and

specialist companies. It is a matter for the enterprise to decide whether it should

produce its own system or obtain outside services.

Management Inspections

The inspection procedure must be as painstaking and objective as the company’s

financial inspection. The inspection must first determine whether the company’s

statement of policy on safety and health is properly reflected in the structures and

mechanisms created to implement it; if not, then the inspection may recommend

that the fundamental policy be reappraised or suggest adjustments or alterations to

the existing structures and mechanisms. A similar process must be applied to safety

and health planning, to the validity of the goal-setting norms, and to the

measurement of performance. The results of any inspection must be considered by

the top management of the enterprise, and any correctives must be endorsed and

implemented through that authority.

In practice it is undesirable, and often impractical, to undertake a complete

inspection of all of a system’s features and their application throughout every

department of the enterprise at one time. More usually, the inspection procedure

concentrates on one feature of the total safety management system throughout the

plant, or alternatively on the application of all the features in one department or even

subdepartment. But the objective is to cover all the features in all departments over

an agreed period in order to validate the results.

To this extent management inspection should be regarded as a continuous process

of vigilance. The need for objectivity is clearly of considerable importance. If

inspections are conducted in-house then there must be a standardized inspection

procedure; inspections should be undertaken by staff who have been properly trained

for this purpose; and those selected as inspectors must not assess the departments

in which they normally work, nor should they assess any other work in which they

have a personal involvement. Where reliance is placed on consultants this problem is

minimized.

Inspections by Inspectorates

The legal framework which is designed to afford protection to people at work must

be properly administered and effectively applied if the purpose of the regulatory

legislation is to be achieved. Most countries have therefore adopted the broad model

of an inspection service which has the duty of ensuring that safety and health

legislation is enforced.

Additional powers are often provided to enable inspectors to rectify conditions which

might be an immediate source of danger or ill health to the workforce. Again there is

a wide variety of practices. Where standards are so poor that there is an imminent

risk of danger to the workforce, then an inspector may be authorized to serve a legal

document on the spot prohibiting the use of the machinery or plant, or stopping the

process until the risk has been effectively controlled. For a lower order of risk,

inspectors can issue a legal notice formally requiring that measures be taken within

a given time to improve standards. These are effective ways of rapidly improving

working conditions, and are often a form of enforcement preferable to formal court

proceedings, which may be cumbersome and slow in securing remediation.

Legal proceedings have an important place in the hierarchy of enforcement. There is

an argument that because court proceedings are simply punitive and do not

necessarily result in changing attitudes to safety and health at work, they should

therefore be invoked only as a last resort when all other attempts at securing

improvements have failed.

Every inspection service has to determine the proper balance between providing

advice and enforcing the law in the course of inspection work. The technique must

be to encourage and stimulate, rather than to immediately enforce the law by

punitive action. But even here the balance is a difficult one. People at work are

entitled to safety and health standards irrespective of the size of the enterprise, and

it would therefore be wholly misguided for an inspection service to ignore or

minimize risks and to curtail or even forgo enforcement simply to nurture the

existence of the economically fragile small enterprise.

Consistency of Inspections

In view of the complex nature of their work - with its combined needs for legal,

prudential, technical and scientific skills - inspectors do not - indeed should not -

adopt a mechanistic approach to inspection. This constraint, combined with a

difficult balance between the advisory and enforcement functions, creates yet

another concern, that of the consistency of inspection services. Industrialists and

trade unions have a right to expect a consistent application of standards, whether

technical or legal, by inspectors across the country. In practice this is not always

easy to achieve, but it is something for which the enforcing authorities must always

strive.

Frequency of Inspections

How frequently should the inspectorates undertake inspections of the workplace?

Again there is considerable variation in the way this question may be answered. The

International Labour Organization (ILO) holds the view that the minimum requirement

should be that every workplace should receive an inspection from the enforcing

authorities at least once each year. There are different approaches to determine how

frequently inspections should be made. One approach has been purely cyclical.

Resources are deployed to provide inspection of all premises on a 2-yearly, or more

likely a 4-yearly, basis. But this approach, though possibly having the appearance of

equity, treats all premises as the same regardless of size or risk. Yet enterprises are

manifestly diverse as regards safety and health conditions, and to the extent that

they differ, this system may be regarded as mechanistic and flawed.

A different approach, adopted by some inspectorates, has been to attempt to draw

up a program of work based on hazard; the greater the hazard either to safety or

health, the more frequent the inspection. Hence resources are applied by the

inspectorate to those places where the potential for harm to the workforce is the

greatest.

Inspection Goals

Inspection techniques in the workplace vary according to the size and complexity of

the enterprise. In smaller companies, the inspection will be comprehensive and will

assess all hazards and the extent to which the risks arising from the hazards have

been minimized. The inspection will therefore ensure that the employer is fully aware

of safety and health problems and is given practical guidance on how they may be

addressed. But even in the smallest enterprise the inspectorate should not give the

impression that fault-finding and the application of suitable remedies are the

function of the inspectorate and not of the employer. Employers must be encouraged

by inspection to control and effectively manage safety and health problems, and they

must not abdicate their responsibilities by awaiting an inspection from the

enforcement authorities before taking needed action.

Inspection Findings

The final element in an inspection is to review the inspection findings with the most

senior member of management on the site. Management has the prime responsibility

to comply with legal requirements on safety and health, and therefore no inspection

should be complete without management’s being fully aware of the extent to which

it has met those duties, and what needs to be done to secure and maintain proper

standards. Certainly if any legal notices are issued as a result of an inspection, or if

legal proceedings are likely, then senior management must be aware of this state of

affairs at the earliest possible stage.

Company Inspections

Company inspections are an important ingredient in maintaining sound standards of

safety and health at work. They are appropriate to all enterprises and, in larger

companies, may be an element in the management inspection procedure. For smaller

companies, it is essential to adopt some form of regular company inspection.

Reliance should not be placed on the inspection services provided by the

inspectorates of the enforcing authorities. These are usually far too infrequent, and

should serve largely as a stimulus to improve or maintain standards, rather than be

the primary source for evaluating standards. Company inspections can be

undertaken by consultants or by companies who specialize in this work, but the

current discussion will concentrate on inspection by the enterprise’s own personnel.

How frequently should company inspections be made? To some degree the answer is

dependent on the hazards associated with the work and the complexity of the plant.

But even in low-risk premises there should be some form of inspection on a regular

(monthly, quarterly, etc.) basis. If the company employs a safety professional, then

clearly the organization and the conduct of the inspection must be an important part

of this function. The inspection should usually be a team effort involving the safety

professional, the departmental manager or foreman, and either a trade union

representative or a qualified worker, such as a safety committee member. The

inspection should be comprehensive; that is to say, a close examination should be

made both of the safety software (for example, systems, procedures and work

permits) and the hardware (for example, machinery guarding, fire-fighting equipment,

exhaust ventilation and personal protective equipment). Particular attention should

be paid to “near misses” - those incidents which do not result in damages or

personal injury but which have the imminent potential for serious incidental injuries.

There is an expectation that after an incident resulting in absence from work, the

inspection team would immediately convene to investigate the circumstances, as a

matter outside the normal cycle of inspection. But even during routine workshop

inspection the team should also consider the extent of minor incidental injuries

which have occurred in the department since the previous inspection.

It is important that company inspections should not seem to be consistently

negative. Where faults exist it is important that they be identified and rectified, but it

is equally important to commend the maintenance of good standards, to comment

positively on tidiness and good housekeeping, and to reinforce by encouragement

those who use personal protective equipment provided for their safety.

ANALYSIS AND REPORTING: INCIDENT INVESTIGATION

It is a paradox that the prevention of work-related incidents did not emerge very

early as an absolute necessity, since health and safety is fundamental to work itself.

In fact it was not until the beginning of the twentieth century that incidents at work

ceased to be considered inevitable and their causation became a subject to be

investigated and used as a basis for prevention. However, incident investigation long

remained cursory and empirical. Historically, incidents were first conceived of as

simple phenomena—that is, as resulting from a single (or principal) cause and a

small number of subsidiary causes. It is now recognized that incident investigation,

which is aimed at identifying the causes of the phenomenon so as to avert its

reoccurrence, depends both on the concept underlying the process of investigation

and on the complexity of the situation to which it is applied.

Causes of Incidents

It is indeed true that in the most precarious situations, incidents are often the result

of a fairly simple sequence of a few causes that can be rapidly traced to basic

technical problems that even a summary analysis can reveal (equipment badly

designed, working methods undefined, etc.). On the other hand, the more closely that

the material elements of work (machines, installations, the arrangement of the

workplace, etc.) conform with the requirements of safe work procedures, standards

and regulations, the safer the work situation becomes. The result is that an incident

can then occur only when a group of exceptional conditions are present

simultaneously—conditions that are becoming ever more numerous. In such cases,

the injury or damage appears as the final result of a frequently complex network of

causes.

Principal concepts of the incident phenomenon, their characteristics and the implications for prevention

Columns: Concept or “incident phenomenon”; Significant elements (objectives, procedures, limits, etc.); Main consequences for prevention

Concept: Basic concept (incident as phenomenon with few causes or even one cause)
Significant elements: The objective is to identify “the” single or main cause; No particular method; Little time devoted to the investigation; Role of chance and fate often referred to
Main consequences for prevention: Simple prevention measures concerning the immediate antecedent of the injury (individual protection, instructions about taking care, protection of dangerous machines)

Concept: Concept focused on regulatory measures
Significant elements: Focus on looking for who is responsible; the “enquiry” essentially identifies infringements and faults; Rarely concerned about the conditions generating the situations examined
Main consequences for prevention: Prevention usually limited to reminders about existing regulatory requirements or formal instructions

Concept: Linear (or quasi-linear) concept (“domino” model)
Significant elements: Identification of a chronological succession of “dangerous conditions” and “dangerous acts”; Frequent use of checklists; The investigation depends very much on the investigator’s experience; Weak preventive component (dangerous nature of acts determined a posteriori)
Main consequences for prevention: Conclusions generally concerned with the dangerous acts

Concept: Multifactorial concept
Significant elements: Exhaustive research to gather the facts (circumstances, causes, factors, etc.); Focus placed on the contingent character of each incident situation; No criteria of relevance in the facts gathered; Need for complex statistical treatment
Main consequences for prevention: Concept not conducive to the search for solutions case by case (clinical analysis) and better adapted to the identification of statistical aspects (trends, tables, graphs, etc.)

Concept: Systematic concept (tree of causes, STEP)
Significant elements: Identification of the network of factors of each incident; Use of logical relationships; Need for training of investigators
Main consequences for prevention: Methods centred on clinical analysis (carried out in participatory manner); Possibility of use for all undesired events (incidents, breakdowns)

Nowadays, a work incident is generally viewed as an index (or symptom) of

dysfunction in a system consisting of a single production unit, such as a factory,

workshop, team or work position. It is the nature of a system that its analysis

requires the investigator to examine not only the elements that make up the system

but also their relationships with one another and with the work environment. Within

the framework of a system, the incident investigation seeks to trace to its origins

the sequence of basic dysfunctions that have resulted in the incident and, more

generally, the network of antecedents of the undesired event (incident or near incident).

The application of methods of this kind, such as the STEP method (sequentially

timed events plotting procedures) and the “tree of causes” method (similar to fault or

event trees analyses), allows the incident process to be visualized in the form of an

adjusted graph that illustrates the multicausality of the phenomenon.

These are the antecedents of the incident, of which there are two types:

1. those of an unusual nature (changes or variations) in relation to the “normal” or expected course of the work

2. those of a permanent nature that have played an active part in the occurrence of the incident through the medium of or in combination with the unusual antecedents.

The information gathering is carried out at the location of the incident itself as soon

as possible after its occurrence. It is preferably carried out by persons who know the

operation or process and who try to obtain a precise description of the work without

limiting themselves to the immediate circumstances of the damage or injury. The

investigation is initially effected mainly by means of interviews, if possible with the

worker or operator, victims and eyewitnesses, other members of the work team, and

the hierarchical supervisors. If appropriate it is completed by means of a technical

investigation and the use of outside expertise.

The investigation seeks to identify, in order of priority, the unusual antecedents, and

to determine their logical connections. An effort is made at the same time to reveal

the permanent antecedents that have allowed the incident to occur. In this way the

investigation is able to go back to a stage more remote than the immediate

antecedents of the incident.

Logical links used in the "tree of causes" method

The logical coherence of the tree is checked by asking the following questions for

each antecedent:

• If X had not taken place, would Y nevertheless have occurred?

• In order for Y to occur, was X, and only X, necessary?

Moreover, the construction of the tree of causes in itself induces the investigators to

pursue the information-gathering, and therefore the investigation, to a point well

before the incident occurred. When completed, the tree represents the network of

antecedents that have given rise to the injury—they are in fact the incident factors.

STEP method

Analysis by the Tree of Causes Method

Making use of the tree of causes for the purposes of incident analysis has two

objectives:

• making the reoccurrence of the same incident impossible

• averting the occurrence of more or less similar incidents - that is, incidents whose investigation would reveal common factors with the incidents that have already occurred.

Effectiveness of Preventive Measures

The effectiveness of a preventive measure can be judged with the help of the

following criteria:

The stability of the measure. The effects of a preventive measure must not disappear

with time: informing the operators (in particular, reminding them of instructions) is

not a very stable measure because its effects are often transient. The same is

moreover true of some protective devices when they are easily removable.

The possibility of integrating safety. When a safety measure is added on - that is,

when it does not contribute directly to production - it is said that safety is not

integrated. Whenever this is so, it is observed that the measure tends to disappear.

Generally speaking, any preventive measure entailing an additional cost for the

operator should be avoided, whether it is a physiological cost (increasing the

physical or nervous load), a psychological cost, a financial cost (in the case of salary

or output) or even a simple loss of time.

The non-displacement of the risk. Some preventive measures may have indirect

effects that are detrimental to safety. It is therefore always necessary to foresee the

possible repercussions of a preventive measure on the system (job, team or

workshop) in which it is inserted.

The possibility of general application (the notion of potential incident factor). This

criterion reflects the concern that the same preventive action may be applicable to

other jobs than the one affected by the incident under investigation. Whenever

possible, an effort should be made to go beyond the particular case that has given

rise to the investigation, an effort that often requires a reformulation of the problems

discovered. The information obtained from an incident may thus lead to preventive

action relating to factors that are unknown but present in other work situations

where they have not yet given rise to incidents.

Effectiveness. In order to be effective, incident investigation requires that four

conditions are satisfied concurrently:

1. an evident commitment on the part of the top management of the establishment, who must be able to ensure the systematic implementation of such procedures

2. training of the investigators

3. management, supervisors and workers fully informed concerning the aims of the investigation, its principles, the requirements of the method and the results expected

4. real improvements in safety conditions that will encourage those involved in future investigations.

Limitations. Even when carried out very well, incident investigation suffers from a

double limitation:

• It remains a procedure for investigating risks a posteriori (in the manner of systems analysis), with the aim of correcting existing situations. It does not therefore dispense with the need for a priori (prospective) investigations, such as the ergonomic investigation of jobs or, for complex systems, safety investigations.

• The usefulness of incident investigations also varies with the safety level of the establishment where they are applied. In particular, when the safety level is high (the incident rate is low or very low), it is evident that serious incidents result from the conjunction of numerous independent random factors that are relatively harmless from the safety viewpoint when considered outside the context under investigation.

The Need for Reporting and Compiling Incident Data

The primary purpose of assembling and analysing occupational incident data is to

provide knowledge for use in the prevention of occupational injuries, fatalities and

other forms of harm such as toxic exposures with long-term effects. These data are

also useful in assessing needs for compensating victims for injuries previously

incurred. Additional, more specific purposes for the compilation of incident statistics

include the following:

• to estimate the causes and magnitude of incident problems

• to identify and prioritize the need for preventive measures

• to evaluate the effectiveness of preventive measures

• to monitor risks, issue warnings and conduct awareness campaigns

• to provide feedback for those involved in prevention.

Often, an overview of the number of incidents occurring on an annual basis is

desired. A frequency is often used for this purpose, comparing the number of

incidents to a measure relating to the risk group and expressed, for example, in

terms of incidents per 100,000 workers or per 100,000 working hours.

The need for incident information pertains to the following three levels of function

that make use of it:

• At the workplace level within the individual enterprise, incident data are used in local safety activities. The best opportunities for tackling specific risk factors are to be found immediately at the workplace itself.

• At the level of authority responsible for legislation, incident data are used to regulate the working environment and to promote safety at the workplace. It is possible not only to exert control over the workplace at this level but also to carry out general statistical analyses for use in overall preventive work.

• At the level of authority responsible for payments of compensation to incident victims, incident data are used to help determine rates.

Reporting Incident Information to Safety Authorities

Legislation requiring the reporting of occupational incidents varies widely from

country to country, with the differences chiefly relating to the classes of employers

and others to whom the laws apply. Countries that place significant emphasis on

safety at the workplace usually mandate that incident data be reported to the

authority responsible for supervising compliance with safety legislation. (In some

cases, legislation requires reporting of occupational incidents that result in absence

from work, the duration of such absence varying from 1 to 3 days in addition to the

day of the incident.) Common to most legislation is the fact that reporting is linked

with some sort of penalty or compensation for the consequences of incidents.

What Information is to be Compiled?

There are three basic classes of information obtainable by means of incident

recording:

• Information identifying where the incidents occur - that is, sectors, trades, work processes and so on. This knowledge can be used to determine where preventive action is needed.

• Information showing how the incidents occur, the situations in which they occur and the ways in which the injuries come about. This knowledge can be used to determine the type of preventive action needed.

• Information relating to the nature and seriousness of the injuries, describing, for example, the parts of the body affected and the health consequences of the injuries. Such knowledge is to be used for prioritizing preventive action in order to ensure that action is taken where the risk is highest.

Incident identification number. All occupational incidents must be assigned a unique

identifying number. It is especially advantageous to use a numerical identifier for the

purpose of computerized filing and subsequent processing.

Personal identification number and date. Registration of the victim is an essential

part of incident identification. The number can be the worker’s birthday, employment

number, social security number or some other unique identifier. Recording both a

personal identification number and the date of the incident will prevent duplicated

registration of the same incident event, and also enables a check to be made as to

whether the incident has been reported. The link between information contained in

the incident report with the personal identification number can be protected for the

The work process. A vital component of information relating to occupational

incidents is a description of the work process carried out at the time the incident

occurred. Identification of the work process is a prerequisite for accurately targeted

prevention. It should be noted that the work process is the actual work function

which the victim was performing at the time of the incident and may not necessarily

be identical to the work process that caused the injury, fatality or exposure.

The incident event. An incident event normally comprises a chain of events. There is

often a tendency on the part of investigators to focus on the part of the event cycle

in which the injury actually occurred. From the point of view of prevention, however,

a description of that part of the event cycle in which something went wrong, and of

what the victim was doing when the event occurred, is just as important.

The consequences of the incident. After the injured part of the body is specified and

the type of injury described (this is done partly by coding from a checklist and partly

from the description in the event cycle), information is recorded describing the

seriousness of the injury, whether it resulted in absence from work (and for how

long), or whether it was fatal or involved invalidity. Detailed information in terms of

longer-duration absence from work, hospitalization, or disablement is normally

available from compensation offices and the social security system.

For recording purposes, the examination of incident events is therefore divided into

the following three information components:

• The activity associated with an incident is that which was being carried out by the victim at the time of the incident. It is recorded by means of an action code and a technology code.

• The injury event is the deviant event which led to the incident. This is recorded by means of a code for the deviation and by one or two codes for the technology which formed part of the deviation.

• The mode of injury is recorded by using a code for the manner in which the victim came into contact with the injury-causing factor and another code for the technology which caused the injury.

Establishment of priorities

Establishment of priorities is the selection of the most important risk areas or work-

environment problems for preventive action. Through the results of mapping surveys

and monitoring and warning activities, a register of occupational incidents can be

built which can contribute to this establishment of priorities, the elements of which

might include the following:

• risks involving serious consequences

• risks which carry a high probability of injury to a large proportion of the exposure group

• risks to which large groups of people are exposed.

Data drawn from a register of occupational incidents can be used in the

establishment of priorities on several levels, perhaps at the overall national level or

at the more particular enterprise level. Whatever the level, the analyses and

assessments can be made on the basis of the same principles.

Prevention

Analyses and documentation which are used for preventive purposes are generally

highly specific and concentrated in limited areas which are, however, treated in

great depth. Leadership and culture are the two most important considerations

among the conditions necessary to achieve excellence in safety. Safety policy may

or may not be regarded as being important, depending upon the worker’s perception

as to whether management commitment to and support of the policy is in fact

carried out every day. Management often writes the safety policy and then fails to

ensure that it is enforced by managers and supervisors on the job, every day.