How to better understand the deadliest risks at your operations and pressure test controls with the people who need to manage them.

Abstract:

This article focusses on single fatality risks in heavy industry. It is aimed at operational leaders / safety professionals to provide practical insights, based on recent experience, on how to get more predictive and zoom in on the most likely single fatality risk events that could occur at your operations. These are the deadliest risks, more likely than multi-fatality events. The article describes how to dig deeper with analysis to define your deadliest risks and determine how these are most likely to result in fatality. It also describes how to design and analyse more "real-life" risk scenarios, and "pressure test" your controls. Finally, it provides a process to ties it altogether, using bowties to engage people and pressure test controls when / where the risks occur, with the people who need to manage them.

Unlike almost all linked-in articles that are full of platitudes, plugs, and programs for sale, with no explanation, this article is deliberately the opposite. There is nothing for sale, there is no partly made-up consulting success story, and it goes into technical detail and explains how you can improve, making use of your own internal expertise. I will be happy to discuss / clarify any of the information, with anyone who wants to get real about fatality elimination. I'm hoping this will complement / enhance your existing processes and help you cut through the forest of weeds that can obscure your view, no matter how much you are out in the field verifying critical controls, or in the office analysing data.

We know what goes wrong, why are we still surprised by it?

If your organisation, is like most in heavy industry, you are not finding any new fatal risks. If you are "looking hard enough", you will find that the same few major hazards are involved in most of your High Potential Incidents (a near miss that is non-fatal by chance). If you are "learning hard enough" from these, you will also find the same recurring control or systemic failures, contributing to most of them. In fact, it's likely your Top 5 single fatality risk events, are the same as peer organisations across your industry sector.

High-quality operational leaders / safety practitioners in heavy industry, should be able to tell you, with reasonable accuracy, the most represented major hazards in single fatality events for their industry sector. Perhaps, they can even break that down a level to the specific interactions / mechanisms involved. Currently, in the global mining sector, the Top 5 are:

1. Mobile plant / vehicle interactions (vehicle vs environment, vehicle vs vehicle, and vehicle vs pedestrian).
2. Falling objects (struck by, including underground and surface rockfall).
3. Machine energy (struck by machine component or caught in machine part, not struck by mobile or traveling plant or vehicle).
4. Fall of a person from height (height being >1m, including fall into a hole or void).
5. Object energy (struck by object, imparted by an uncontrolled release of energy).

It's not new to suggest that just a few hazards, are involved in most fatalities in a given industry, that's just the Pareto Principle or 80/20 rule, which has been used to prioritise good practice safety management for more than 30 years. Safety incidents, including near misses, tend to self-organise in terms of criticality, giving us a natural priority for our risk management efforts, provided we notice the patterns, then dig deeper to find the sub-patterns.

In the Australian mining industry, indeed globally (ICMM members), the "Pareto Major Hazards" involved in most work-related fatalities are well known, so are the critical controls. In fact, over the last 20 years, the data shows that the basic circumstances of single fatality events are rarely unprecedented and are not changing.

Why then, do the specific interactions, actions, conditions etc. in the immediate circumstances of fatal events, still take us by surprise?

Are we lacking specificity on how and why it goes wrong?

My hypothesis, and a growing concern amongst more and more safety / risk professionals in heavy industry, is that:

1. Our incident and risk analysis are often, too broad brush to give us a full understanding of the specific circumstances of fatal risk events, most likely to occur in real operations. At the other end of the scale, Bowtie Risk Analysis diagrams that are five A1 size pages of generic threats and controls, are of little use in the field and often, don't reflect the reality at operations. There is also a lot of descriptive analysis, but very little inferential, diagnostic or prescriptive analysis, which requires more effort and expertise (another story). Descriptive statistics do not provide the full picture. For example, saying you have a problem with work at height, because you have a lot of near miss falls from height, is not insightful. We are not understanding the how. You may be surprised to know that falls from fixed platforms are overrepresented in actual fatalities, where the person did not have any intention of working from height. You may also be surprised to know that more fatalities occur from a heavy vehicle over an edge than all of the vehicle-on-vehicle collisions combined, but we perceive the opposite, simply because we only broadly describe a statistic of vehicle collision or roll-over, and we see a lot of visuals of heavy vehicles squashing light vehicles. Note: high potential incidents are largely risk perception, whereas actual fatalities are risk reality, more comparative analysis is needed.
2. We keep adding things to safety risk management, more processes, tools, systems, software and paperwork, forgetting that "more can be less". Some programs have become too big to manage, too high-level and too slaved to a software system or generic checklists and quotas, giving incentive to quantity, without quality. This results in a lot of activity in control monitoring / verification (the back end of risk management). People in operations become less interested and have less time, so become less effective at the front end of risk management, i.e., contextualising risk, assessing risk and assessing controls. Sometimes, they are lost at both ends, which is when things become even more broad brush and less effective. Without the upfront work, critical risks and critical controls are not well defined or understood, so the real gaps are not identified, despite all the activity. It's like everybody is out there looking, but not seeing anything, or they are just spotting hazards and not understanding the specific risk scenarios, that can result in fatality. Note: the most important part of risk assessment, is to completely understand the risk, without that, what chance have you got of controlling it.
3. Much of our routine monitoring, is not focussed enough on specific risk scenarios and the control environment (how all the controls work together), to be effective. In addition, when critical control management (CCM) becomes checklist or quota driven (quantity without quality), and people may only ever check for the presence of a generic critical control in the context of a particular task, immediately prior to the task being undertaken. In doing so, you may not be verifying the control when it is operating, nor in all of the circumstances in which it needs to operate, by someone who may not have all the information, and likely doing so, under the assumption or misconception that nothing will change. The big push and mad rush, incentivised by quotas for CCM implementation, has meant that many have lost sight, or never actually learned its key principles, in some cases, CCM is being seen as a pseudo system of work, even as the control in itself, which is madness. Note: critical controls are only critical on the basis of how much YOU rely on them, they are not necessarily the most effective control.

To be more predictive and to avoid being taken by surprise, the key questions we need to answer are:

1. Are we "diving deep enough", often enough, into our major hazards to understand the specific single-fatal risk events or interactions that are most likely to result in a fatal incident at our operating sites?
2. Are we designing "real-life risk scenarios" and verifying their design, with the people who do the work and manage the risk, to ensure they are valid and actually how things are in reality. Real life risk scenarios are based on the deep dive, and must represent what is actually happening, how it is happening, and the actual controls in place when it happens. This is best represented by a specific (therefore simple) bowtie analysis diagram, which includes threats / causal pathways identified by the deep dive and escalation / degradation factors, that can lead to control failure, degradation or controls being bypassed / overlooked. These must be investigated and verified, on site, with the people who manage the risk.
3. Do we "pressure test" the control environment applied to our most critical risks. In contrast to routine monitoring, this is done when and where the controls are operating, either normally or under the pressure of an atypical / abnormal situation. It is also done with the people who directly manage the risk, to gain a common understanding of how the controls work (or not), how they fail, how they can be overlooked or bypassed, or otherwise not implemented to design?

Many safety professionals would be thinking right now that they have a good handle on 1-3 above, if they can point to a process in their system, that sounds like 1-3 above, such as: Routine monitoring, measurement and reporting; Performance standards for major hazards; Incident investigation, analysis, review and learnings; and critical control management, verification / auditing. Unfortunately, too many safety professionals in heavy industry, reluctant to challenge the process / system.

Diving deeper into fatal risk scenarios

A deep dive should be much more than descriptive analysis or counting major hazard events e.g. vehicle collision / roll over and doing basic cross-tabulations. A deep dive involves data structuring, taxonomy, diagnostic and prescriptive analysis of available internal / external incident data, including research into industry good practice controls. A comparative analysis of actual industry fatalities against your high potential incidents is also extremely useful, as it determines if your organisation's perception matches reality and whether your organisation is sensitized or desensitized to certain risk events.

To find the truth, amongst, what could be a lot of garbage in / garbage out (GIGO) from your database, you may need export the info and go line by line through each high potential incidents. You will need to define your own independent variables that best describe the specific agencies, mechanisms and interactions occurring in the immediate circumstances of your incidents. You will also need to define clear problem statements to describe the risk control failures and systemic issues that are recurring or most represented in your incident data.

All this is necessary, to get a full and clear picture, which you will never get, by applying broad categories / made-up labels given to lumps of cheese or dominos in the linear models (another story). Some examples of important variables to determine, define and structure are:

• Actual plant, work environment, task group, role group (what, where, who);
• Damaging energy, mechanism, real-life interactions (how);
• Situation, or specific circumstances and conditions at the time (when);
• Specific control failure / absence, system failure / deficiency (why).

Designing real-life risk scenarios

This is more than a well described risk event, causes, controls and consequences. In my experience, describing risk scenarios is often done poorly and too broad brush. I've seen risk registers and bowties with risk scenarios like "work at height", risk scenarios that are actually not risks, but causes e.g., not wearing a harness and existing controls that far too broad or generic e.g., work at height procedures. We need to clearly define all aspects of the risk i.e., Event (what can happen), Situation (when / where it can happen), Consequences (the results), Causes / Risk Factors (how it happens), Existing Controls (objects, actions systems to prevent or mitigate the event). That is just getting the basics right.

We must also go beyond the usual equipment, human performance and work environment risk factors (causes), to find those underlying, obscure and more complex "what-if" threat pathways. These are the curve ball situations / circumstances that throw a spanner in the works of even the best designed controls, when a fatality occurs. This means asking the right people the right focussing questions, to identify and understand, what I call the Blind-Spots and Black-Ops at a workplace or operation.

Blind spots are places, areas or activities that are out of plain sight, hidden or hard to get to, including activities done at night. Blind spots are rarely attended by leadership and can be skipped over by the normal monitoring program.

Black-Ops are situations, circumstances / conditions, including work activities or processes that are atypical, abnormal, ad-hoc, itinerant, changed, changing, or temporary. Black-Ops are most often the work activities where the task, area or controls are not designed at all or are designed and implemented at the discretion of the work team. What you will often see is a risk and control environment that is not as per the generic design, but unique or modified, or it may have drifted away from the documented system of work. Black-Ops are hard to find, and monitor, as they can be intermittent, even transient glitches somewhere in the lifecycle of an operation, or a process. Blind-Spots and Black-Ops put your controls under pressure, which is perhaps the best time to test the controls.

Pressure testing controls.

By "pressure test controls", I mean verifying control effectiveness, in situ, when the control is operating, with the people who manage the risk. This goes beyond routine monitoring / critical control verifications to seek out those Blind-Spots / Black-Ops where the designed controls, are most likely under pressure, and test the controls in place, then and there. It also means having the people who directly manage the risk / control owners present when testing the controls, means better engagement, ownership and agreement or common understanding of the risk scenario and any control gaps.

Tying it all together - A "hands on" approach, using bowties

What I have described above is a lot of hard work and requires a high level of expertise to bring all the bits together, as part of an ongoing process. If you are having recuring high potential incidents, involving the same major hazards, including non-fatal by chance events (oh s**t moments), I would suggest what you are currently doing is not working and you need to act fast. You need a call to action and to focus efforts on your deadliest risks and recurring issues when and where they occur at your highest risk operations.

Having said this, you don't need more of the same and I'm going to break the mould on linked-in and say that the last thing you need is a new program, process, system or consultants. Just do the basics better, get more focussed and be more specific.

The diagram below, broadly outlines a process I use to get that call to action and engage operations in focussing effort on understanding their deadliest risks, pressure testing the controls, finding the gaps and fixing them. I have used this, and it really works well.

It is essentially a diagnostic on tangible risks, leaving out all the fluffy stuff, leading into a focussed risk control assurance process, that uses the deep dive and bowties to engage with operations and assist them with control testing in the field, to find gaps fast and co-design solutions to address them. Simple right.

The key features that make this more effective are:

The deep dive is a burning platform or call to action if it is insightful, rings true with people and is presented well to the right people. Defining the deadliest risk scenarios at your operations, based on comparative analysis with actual industry data, and developing very specific bowties for these, is very powerful at getting people's more urgent attention.

When the risk scenarios and threat or causal pathways you are communicating are specific and real, it rings true to people at the operating site, so it strengthens a feeling of ownership of the risk, because they know it happens or has happened.

Bowties are a great visual, to bring about a common understanding of the risks, controls and the systemic problems in the context of the operation / site. You can communicate critical risks and the expected control environment to on-site personnel, including workers, which makes for a positive engagement / coaching opportunity.

Consulting to refine the bowtie, makes it a “co-designed” process, (risk owners and workers help drive what you go out and test in the field), making it tangible and sensible to them.

A coaching / assisting approach gains currency, you involve them, then actually roll up your sleeves and assist with solving problems. This is always appreciated by site personnel, especially those used to the seagull approach or audits that only result in a long list of intangible or nebulous findings.

What I like most, is:

1. The bowties are like a map (if they are real enough) that helps you show operational leaders they way to hidden killers they may not be seeing.
2. Getting corporate expertise, out of the office, actually using their expertise to help operations make a difference, instead of dreaming up more programs to inflict on operations or doing seagull type visits.

Deep Dive - A burning platform from which to launch.

You must first define the problem, before you can solve it. The deep dive is designed to shed light on each of your Major Hazards and help define, through different types of analysis, your deadliest risks, recurring control failures / systemic issues associated with each major hazard.

The deep dive should include very clear problem statements and be presented to the executive level for their endorsement. It should also be presented to senior operational management, hazard owners and control owners across the organisation. I suggest starting small, focusing in on just the top 3-5 major hazards, based on your incidents. Remember, if you can get hold of industry data on actual fatalities (for mining, look at ICMM or MCA reports), do a comparative analysis to validate the risk perception (potential incidents), vs risk reality (fatalities), it will help you cut it down to the top 10-15 deadliest risks. Similarities, between your potential incidents and actual fatalities should be highlighted to demonstrate the urgency of the call to action.

Developing more lifelike bowties and using them on-site

As stated, in many organisations, bowties are just too big / unwieldy for operational use and are only used for control review end of the risk management process, in a desktop exercise to determine if there is a need for enhanced or new controls for the most material risks.

Personally, my most productive experiences with bowties, have been drawing them on paper in the field (on the bonnet of a car), to ask focussing questions and identify the real risk / incident factors associated with a work environment / activity. Bowties are most useful when overall control effectiveness and risk management capability is believed to be low, which will have been demonstrated by your Deep Dive.

The following diagram shows where bowties can be a good fit in your risk management process, beyond where they have typically been used.

Some practical tips to make the most of your bowties:

When developing the bowties, leave the massive bowties on the shelf and start from scratch, to bring focus to the risk events and causal pathways (including systemic problems), you are seeing in your incidents, from your deep dive. This is the bowtie that you should take out of the box and play with. Some software programs make it easy to highlight the blind spots, black-ops and systemic problems identified by your deep dive that you wish to focus on

You can use threat / causal pathways to focus in on these and you can categorise each threat or cause to scope your control testing or assurance activities, i.e., an assurance focus area, area of concern, or out of scope. You can also categorise controls, to reference if the control is from a standard, if it is a critical control, or if your deep dive research has identified a good practice control. Controls can be layered or ordered i.e., system or design controls first, then objects and actions, closer to the risk event. The diagram below, attempts to show a focussed threat or causal pathway and control categories.

Generic equipment, human performance, equipment failure and work environment threat or causal pathways, subject to routine monitoring, may be excluded from the scope of your assurance activities, and so there is no need to clutter the bowtie with repetitive controls as shown in the diagram below:

When consulting with operations to validate and refine the bowtie, you can ask focussing questions and add local intel on tasks, areas, plant, systems, etc. into the threat / cause description of the bowtie. Control design specifications can be added into the control description to help explain the control to site personnel. Specific local controls, legislation or improved practices can be added to controls where identified. All of this information will help guide your control testing / assurance activities and to find those blind spots and black ops, where the controls may be "under pressure".

When testing controls, or observing work in the field, you can test the control design, implementation and application when / where the risk occurs and instantly communicate the result.

Print off bowties that are simple and specific enough, showing or hiding what is relevant to the risk scenario / control environment you are physically looking at. You can then use it like a map, explaining the risk scenario, whilst pointing out threats, controls present or absent etc.

When defining the gaps with operations, you can help them better understand and target control improvements using the bowtie again as a visual and updating it as you go. Taking an assistance approach, you can help them make a plan to start fixing control gaps and systemic issues, including interim fixes. Some bowtie software makes it easier to incorporate all this in the bowtie file, but the software requires expensive licences, so many people will have to settle with PDFs / presentations.

Thank you for reading (if you got this far).

I realise this was long and somewhat technical, but I do hope you found it insightful. To me there is no copyright on safety, and we need to share much more than the same platitudes and broad statements, if we are to eliminate fatalities from the workplace.

I would be very happy to receive feedback and to clarify any of the information I have provided in this article.