
Preconditions of Proactive Risk Management Systems

functions thus cannot be separated when proactive quality and risk management is required in a dynamic society.

This interaction necessarily implies that risk management must be a line management function. From this perspective, production management, in addition to product quality control, also depends on the capability to measure properties of the productive process in comparable, quantitative terms that will enable the proper cost-safety trade-off. Measuring cost and quality does not pose special problems, but how is safety to be measured?

The requirements to the organization of proactive risk management turn out to be very compatible with the requirements to a ‘total quality management’ system as required to meet the ISO 9000 standard. Comparison with quality management strategies and reference to this standard will be discussed in chapter 8.

6.1.2 Measuring Safety

It is very often argued that it is difficult to define safety in other terms than by the absence of accidents and that the level of safety attained can only be measured by the number of accidents and incidents. That may be so in general terms.

Recent major industrial accidents, however, have not been caused by stochastic coincidence of exotic error types or by mechanisms outside the range of the designed defenses. Most major accidents, including Chernobyl, Bhopal, Zeebrügge, Scandinavian Star, etc., have been caused by organizations operating their systems outside the design envelope under severe pressure toward cost-effectiveness.

The first step toward proactive safety management then is to ensure that organizations operate hazardous installations within the approved design envelope and continue to do so also under financial crises, that is, to ensure that operation is satisfying the preconditions for safe operation as defined by the design basis analysis. Safety control should then be based on a facility enabling managers to compare operational conditions to the assumed preconditions of safe operation. This implies that, in the first approximation, measuring safety involves measuring the margin between the safety design envelope and the actual state of system operation, a problem that is realistic as long as the particular system design has been based on an adequate definition of the boundaries of safe operation.

[Figure 6.1 (diagram not reproduced). Labels recoverable from the figure: Evaluation; Process; Product Design & Market Policy; Market and Customer Responses; Product up-date; Optimizing Process up-date; Boundary Conditions: Cost, Safety; Process Features: Preconditions for safe operation as defined by risk analysis, Market Conditions; Raw Materials, Disturbances; Output Product.]

Figure 6.1. The adaptive control systems connecting control of production, cost, and safety.

6.2 Support of Operation within the Design Envelope

In conclusion, a first step toward proactive risk management would be to ensure operation of hazardous industrial installations within their design envelopes. This would have prevented several of the recent major accidents and appears to be realistic. The information required as a basis for safe operation is available within the industry, but it is not always in an explicit formulation, it is not available to the relevant decision-makers, and therefore it is not operational for the active line management.

In order to introduce proactive risk management that will be effective in a dynamic society, several conditions should be considered for further analysis. These conditions are reviewed in the following paragraphs.

6.2.1 Explicit Formulation of the Boundaries of Safe Operation

An analysis of the formulation of the preconditions for safe operation as found within different relevant industrial sectors is necessary. An explicit formulation is found within industries designed according to the defense-in-depth philosophy based on probabilistic risk analysis (Seveso directive, etc.).

Less structured installations are often based on standards, industry practices, etc., and the preconditions for safe operation are found implicitly in such documents. Extraction and explicit formulation of the preconditions are necessary for proactive risk management when faced with changing environmental conditions.

6.2.2 Communication of Design Envelope to Operating Organization

During a period of technological change, the documentation of the boundaries of the operational design envelope and the communication to the operating staff at all levels should be carefully analyzed and redesigned.

6.2.3 Risk Management should be Part of Operational Line Management

This condition implies an integration of the information required for the safety and quality management into the information environment of the operational line management and the organizations preparing the legislation and business conditions of productive companies. For this purpose, an analysis of the information and communication systems applied by the managers is required to judge the feasibility of such an integration. It will be necessary to indicate the boundaries of acceptable operation within the context of the information environment serving the normal resource management. It is unlikely that a manager ‘on the run’ during normal work will consult a separate risk management tool.

6.2.4 Design of Managers’ Information System Interface

Information environments for the operation of technical systems (process plants, aircraft, air traffic control, etc.) for which the boundaries of safe operation can be defined by functional engineering analyses are presently being introduced in terms of ‘ecological information systems’, see the discussion in section 7.8. For the resource management level, design of ecological information systems is a research issue.

Analyses of accidents have clearly shown that major accidents are created by the interaction of potential side effects of the performance of several decision-makers during their normal work. The control function of the risk management system of figure 2.1 then must serve to manage the potential interaction of such side effects by identification of the boundaries of safe operation for each decision-maker. For this it is necessary to ensure that information about the boundaries will be active as a local constraint, visible to the particular decision-maker.

The safety control task must be based on a predictive identification of the boundaries of safe operation, to be specified as a connected set of constraints on the performance of all decision-makers during their normal feedback control of their local work domain. The constraints and their mutual relationship must be defined by some kind of predictive risk analysis. It is a major problem that these constraints and their relationship depend dynamically upon the degree to which decision-makers explore the safety margin to cope with critical business situations. Ideally, therefore, this predictive identification of boundaries should be a dynamic function, based on knowledge about the control requirements of the basic productive, but hazardous, processes at the bottom level of figure 2.1. These control requirements should then be reflected in constraints on the performance of all higher-level decision-makers. This dynamic and predictive function requires an on-line, ‘live’ predictive risk analysis that presents to the decision-makers an up-dated representation of the current margin to the boundaries of safe operation.
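As an added illustration, not from the chapter, of measuring safety as the margin to the design envelope (section 6.1.2) and of presenting that margin as a local constraint owned by a particular decision-maker (section 6.2.4): a hypothetical envelope of three constructed constraints, the smallest normalised margin with its binding constraint, and a check for monotonic erosion of a margin over recent observations. All variable names, bounds and owners are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Constraint:
    """One precondition for safe operation: a closed interval on a process variable."""
    variable: str
    low: float
    high: float
    owner: str  # decision-maker whose normal work controls this variable


# Hypothetical design envelope for an illustrative process section (constructed values).
ENVELOPE: List[Constraint] = [
    Constraint("temperature_C", 80.0, 140.0, "shift supervisor"),
    Constraint("pressure_bar", 1.0, 6.0, "shift supervisor"),
    Constraint("inspection_interval_days", 0.0, 90.0, "maintenance manager"),
]


def margin(c: Constraint, value: float) -> float:
    """Normalised distance to the nearest boundary: 1.0 at the centre of the
    allowed range, 0.0 on the boundary, negative when outside the envelope."""
    centre = (c.low + c.high) / 2.0
    half_range = (c.high - c.low) / 2.0
    return (half_range - abs(value - centre)) / half_range


def safety_margin(state: Dict[str, float]) -> Tuple[float, Constraint]:
    """Overall margin is the smallest per-constraint margin (weakest link);
    the binding constraint is returned so its owner can be identified."""
    worst = min(ENVELOPE, key=lambda c: margin(c, state[c.variable]))
    return margin(worst, state[worst.variable]), worst


def eroding(history: List[Dict[str, float]], steps: int = 3) -> Optional[str]:
    """Return the first variable whose margin has shrunk strictly monotonically
    over the last `steps` observations while still inside the envelope, i.e. a
    drift toward the boundary that a periodic update should make visible."""
    if len(history) < steps:
        return None
    recent = history[-steps:]
    for c in ENVELOPE:
        ms = [margin(c, s[c.variable]) for s in recent]
        if all(ms[i] > ms[i + 1] for i in range(len(ms) - 1)) and ms[-1] > 0:
            return c.variable
    return None
```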

The predictive risk analysis is only reliable as long as the model of accident scenarios used for prediction is reliable. It is therefore necessary to evaluate and up-date the model by careful analysis of the accidents that nevertheless may happen. Post hoc accident analyses therefore have the important function to close the over-all feedback control loop involved in the long-term risk management at society level by supplying the information that can serve to update the models used for predictive analysis.

The following paragraphs discuss the taxonomic framework to consider for design and audit of the framework conditions of decision-makers that may be involved in accident causation. An analysis for design involves the following issues:

– Identification of the decision-makers and actors involved in the control of the productive processes at the relevant levels of the socio-technical system.

– Identification of the part of the work-space under their control, that is, the criteria guiding the allocation of roles to the individual controllers.

– The structure of the distributed control system, that is, the structure of the communication network connecting collaborating decision-makers.

– The content of information flow among decision-makers. That is, do the decision-makers have information about targets and the actual state of affairs in compatible terms?

– The risk awareness of decision-makers. Is this information given in a form that makes it active during normal, routine operations, that is, is the form of communication operational with respect to risk awareness?

– Capability of decision-makers. Are decision-makers competent with respect to hazard control? Do they understand the nature of the hazard sources and are they familiar with the factors sensitive to control actions?

– Finally, the commitment of decision-makers to safety must be ensured.

These requirements turn out to be very similar to the requirements to a Total Quality Management organization as it is specified in the ISO 9000 standards. This is a natural consequence of the TQM efforts also to introduce a proactive quality

7. Design of Proactive Risk Management