A great number of work health and safety (WHS) professionals and practitioners would be first to agree that WHS risk assessment has for a long time been no better than a wet finger in the air, but may never have asked, “why should OHS risk assessment be treated with any less rigour than the approach to controlling major hazards?”. Some would argue that the cost, time and trouble in doing so would be disproportionate to the benefit. But this would be (at best) absurd or (at worst) an immoral, albeit unwitting, attestation that preventing one fatality is not as important as preventing many at once.

If people can die or be seriously hurt in their role, we have an obligation to reduce the risk so far as is reasonably practicable, irrespective of the nature of the hazard.

Have you ever (truly) wondered why administrative controls are not considered effective and reliable, beyond their classification in the lower rungs of the Hierarchy of Controls (HoC)? Or why PPE is not as good as engineered controls (which is especially frustrating when there aren’t any available to us!)?

No great revelations (just yet), but it’s because not all ‘controls’ are equal, and we’d like to explain why and, in doing so, give some advice to safety and risk professionals who’ve yet to stumble upon or otherwise gain insight into this poorly understood area of risk analysis.

Administrative controls generally include organisational artefacts like procedures, instructions, rules and similar blunt instruments. Whilst these artefacts are important in describing (to the best of our imagination!) how things should work and the capabilities that workers will need to achieve their intent, they will not (on their own) prevent threats to our control over hazards from escalating to untenable consequences. Whilst the likelihood of a threat would be much higher without a procedure than with one (recall your first attempt at assembling Ikea furniture but without the instructions), we need more than words on a page to prevent harm and damage after a threat has occurred.

Personal protective equipment is considered ineffective in preventing the effects of explosions, toxic releases and rock falls, but in the electrical utility sector, insulation mats and gloves are de rigueur in preventing fatalities when working live. You might be saying that context is important here, and you’d be correct.

To truly understand whether a control will be a dependable risk reduction measure, we must go beyond the HoC and instead determine if the control is:

  • fit-for-purpose in such a way that it will detect that there is an imminent threat to our control over a hazard, then process this information to decide on the required response and finally act to prevent the threat from causing the unwanted consequence
  • independent in such a way that its function will be affected by neither the action or inaction of other controls nor the mere presence/realisation of the threat
  • auditable in so far as we can assure, by prodding (inspecting or testing) and fixing (repairing or replacing) it, the control will remain as fit-for-purpose, independent, available and reliable as it was on the first day of its implementation

There are many types of controls that fit this definition, for example:

  • active hardware like instrumented safety (trip) systems, relief valves and fall arrest systems
  • passive hardware like hard barriers and vehicle rollover protection systems
  • combinations of hardware and human including operators responding to safety critical alarms and safety spotters/lookouts/observers monitoring work and initiating action to prevent harm
  • personal equipment like glove-and-barrier techniques in live electrical work and arc-flash-rated suits

The definition above, which is taken from the Layers of Protection Analysis approach used extensively in the major hazard sectors (e.g. aviation, rail, chemicals and energy), provides an objective, simple and repeatable means to interrogate controls to isolate those that will actually prevent incident escalation. The definition also allows us to confidently walk away from heuristics, assumptions and biases that are too easily misinterpreted and yield a false sense of the value of controls.

By now you’re asking, “so what?”. Well, here it is…the assumption that is ubiquitous in the semi-quantification of aviation, rail and process safety risk is this:

A control that is fit-for-purpose, independent, and auditable will fail no more than once in ten demands, i.e. it is reasonable to assume that the control will work more than 90% of the time!

A single control that meets the definition of a dependable risk reduction measure will attenuate 90% of the risk and thus reduce the likelihood that a threat (aka cause, initiating event) will escalate to a consequence by 10 times. Two controls: 100 times, three controls: 1000 times… and so on.

There is of course sound logic in this assumption: if we implement a control that we know can, on its own without interference, detect, decide and act, and we check that it can continue to do so into the future, then it wouldn’t be unreasonable to assume it will work every time we need it to, not just 90%. We allow the control (i.e. the slice of Swiss cheese) to have 10% unreliability (i.e. the holes) to account for unknown unknowns, because there is never ‘zero risk’, and instead provide more layers of controls (i.e. slices of cheese) to prevent the holes from lining up.

Even if the residual risk of an unwanted event is never assessed, one can feel assured that having at least two dependable risk reduction measures is better than having a shopping list of supporting and contextual factors like diligence, situational awareness, training, procedures and rules (which are all, by the way, potentially complicit in a threat).

Going one step further, we need neither fancy risk assessment techniques nor complex mathematics to do risk assessment or cost-benefit analysis to determine if it is reasonable to provide any further risk reduction! But to do this we will need a:

  • well-designed risk matrix: does yours have decade ranges?
  • value of statistical life: what is the financial loss equivalent to fatality in your current company risk matrix?
  • threshold of disproportion: how much more than the current potential loss will you be willing to spend to reduce the risk by a further order of magnitude (this will require the buy-in of your senior leaders…but it’s not rocket science).
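The factor-of-ten credit and the cost-benefit check described above can be worked through in a few lines of Python. This is an added example, not part of the original article: the control list, threat frequency, loss value, disproportion factor and 10-year horizon are constructed, and the rule "cost is reasonable if it does not exceed the disproportion factor times the avoided loss" is an assumed reading of the threshold of disproportion.

```python
import math
from dataclasses import dataclass

FAILURE_PER_DEMAND = 0.1  # the article's assumption: at most one failure in ten demands

@dataclass
class Control:
    name: str
    fit_for_purpose: bool  # detects the threat, decides on a response, acts
    independent: bool      # unaffected by other controls or by the threat itself
    auditable: bool        # can be inspected/tested and repaired/replaced

    def dependable(self) -> bool:
        return self.fit_for_purpose and self.independent and self.auditable

def mitigated_frequency(threat_per_year, controls):
    """Only controls meeting all three criteria earn a factor-of-ten credit."""
    credited = [c.name for c in controls if c.dependable()]
    return threat_per_year * FAILURE_PER_DEMAND ** len(credited), credited

def decade_band(freq_per_year):
    """Exponent of the decade row: 1e-3 <= f < 1e-2 gives -3."""
    return math.floor(round(math.log10(freq_per_year), 9))

def further_control_reasonable(freq, loss_value, cost, disproportion, years):
    """Assumed test: spend is reasonable if cost <= disproportion x avoided loss."""
    avoided = freq * (1 - FAILURE_PER_DEMAND) * loss_value * years
    return cost <= disproportion * avoided, avoided

# Constructed scenario: working at height, threat expected once in ten years.
CONTROLS = [
    Control("work-at-height procedure", False, True, True),  # words on a page
    Control("refresher training", False, False, True),
    Control("safety spotter with stop-work authority", True, True, True),
    Control("fall arrest system", True, True, True),
]

def worked_example():
    freq, credited = mitigated_frequency(0.1, CONTROLS)
    ok, avoided = further_control_reasonable(
        freq, loss_value=5_000_000, cost=100_000, disproportion=3, years=10)
    return freq, credited, decade_band(freq), ok, avoided

if __name__ == "__main__":
    print(worked_example())
```

Of the four listed controls only two earn credit, so the once-in-ten-years threat lands in the 1-in-1000-years decade rather than four decades lower, which is the gap between a shopping list of controls and a count of dependable ones.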

In the next article in this series, we will demystify risk estimation a bit further with matrix box hopping (done well of course, because regulators abhor this approach in the absence of scientific substance) and get closer to improving the rigour of WHS risk assessment.

If you want to make risk assessment in your organisation less subjective and more repeatable, but simply can’t wait ‘til our next article, we welcome you to reach out to us at Forge Works and join the list of organisations we’ve helped simplify risk assessment and streamline approaches to critical, WHS and major hazard risk assessment.