ABSTRACT for the OECD Workshop on Sharing Experience in the Training of Engineers in Risk Management

SAFETY LEADERSHIP: WHAT IT SHOULD MEAN TO ENGINEERS

Author
Family/surname: Dalzell
First/given names: Graham Alexander
Country: United Kingdom
Affiliation: Hazards Forum (representing the UK engineering institutions); (TBS)3 Limited, Major Hazard Consultants
Address: Hill of Minnes, Udny, Ellon, Aberdeenshire AB41 6RE, Scotland
E-mail: GDalzell@tbscubed.plus.com
Phone: (44) 1651 843600

Summary

Leadership and accountability are acknowledged as the first and most important elements of any safety, health and environmental management system. In a well-run company such as DuPont, it is demonstrated to an exemplary standard in the workplace, for example through joint factory HSE tours by both managers and the workforce. They examine not only established routines and their adherence, but question novel situations and seek ways to further improve the status quo. They focus upon those activities and behaviours that could lead directly to harm. The reduction of occupational risk through the introduction of this personal safety culture has been dramatic and is envied by every other responsible employer.

Should such a culture also exist in the engineering community, where individual or group actions, through design, maintenance or integrity management, have a less immediate result, with deficiencies possibly lying unrevealed for 20 years? If so, what form should this engineering leadership take, and is there a need for a radical change in individual engineering attitudes? Has engineering safety become a retrospective assurance activity, divorced from the daily engineering process?
The paper argues that every engineer should have the following questioning attitude imprinted from day one, which asks: “What is dangerous, why is it dangerous, is there a safer way, what do I have to do to make it safe and what knowledge do I have to pass on to the user for safe operation?” Does the engineering profession possibly need a Hippocratic oath?

Acknowledgement

This paper draws upon an earlier paper, Safer Design – An Attitude, presented at Hazards XV, an I. Chem E conference held in Manchester in 2000 (1). The author gratefully acknowledges the permission of the I. Chem E to reproduce extracts from that paper and the contribution of his co-author Peter Willing in its preparation.

INTRODUCTION

A few years ago, a poster appeared in oil company offices and offshore installations. It said:

Safety is an Attitude

Safety is not something you can take or leave. Safety is not an activity in which a person participates only when being watched or supervised. Safety is not posters, slogans or rules; nor is it movies, meetings, investigations or inspections.

Safety is an attitude, a frame of mind. It is the awareness of one’s actions and how they relate to different surroundings and situations, all day, every day.

Safety is knowing what is going on; knowing what can cause injury or cause damage. It is knowing how to prevent such injury and then acting accordingly.

To do this does not require genius or rank. All it requires is intelligence and understanding, coupled with the ability to use one’s natural senses.

To ignore safety does not indicate bravery; only foolishness. To do things safely and correctly is the mark of a wise man, not a timid one.

It was aimed at the people who can make an immediate difference: the plant operators, supervisors and managers. The message is clear: safety is not just compliance with rules but an underlying desire in everyone to identify hazards and to make them safe.
Is the creation of a similar attitude amongst engineers the key to realising the full potential of inherent safety in design and to ensuring that residual hazards in operation are effectively managed?

LEADERSHIP AND EXPECTATIONS

Most major organisations have an HSE management system with between 10 and 16 elements, each with specific expectations. In almost all cases, the first element is leadership and accountability. We get what we ask for; from our staff, design contractors and our suppliers. If senior managers take a direct interest in safety and it is obviously considered in every one of their activities and decisions, then everyone who works with them will follow by example. As DuPont has so clearly demonstrated (2), it works, and it is good business.

But what about engineering? Leadership by project managers can be as effective in delivering safer designs as it is in ensuring safe operations. A clear statement of expectations relating to design safety, a continuous interest in the hazards, and a demonstrable commitment to reducing risks, by allocating time and resources, will set an example which will spread through the entire design and supply process. But how often is there real leadership in engineering safety and, if it is addressed, is it related to preventing accidents in the office rather than the safety of the product? On a well-run offshore installation, new starts routinely meet the platform manager when they arrive in order to hear the expectations for safe operation from the top. How often does that occur in design offices? If the project manager asks about the hazards and seeks to find safer solutions, then everyone else will too.

It should not just be the responsibility of design managers to engender this active culture of risk reduction.
As professional engineers, this should be part of our work ethic and it should be instilled into us on the first day of our studies and continuously reinforced throughout university and the remainder of our working lives. It should be an absolute expectation for Institution Membership. Arguably this is in place with lecture series such as Safety in Design (3), produced by the Hazards Forum in the UK, and in the Guidelines on Risk Issues provided by the Engineering Council (4). Unfortunately neither of these documents appears to be widely read or taught. There is a danger that safety will still be a discrete activity: the risk module. We may learn the processes such as Failure Modes and Effects Analysis (FMEA), Hazard and Operability Studies (HAZOP) and Quantified Risk Assessment (QRA), but they do not create the attitude. Again this comes down to leadership; in this case from the professors, lecturers, tutors and particularly from industry.

It’s all very well asking for leadership, but we also need to give a framework for those discussions. What should these professors, lecturers and managers discuss? Here are a few core topics. They are not intended to be “a lecture”, rather the basis for discussions throughout the whole of our working lives, from the day we enter college to the day we retire. These will need to be augmented and refined, but it’s a first offering.

WHY DO ACCIDENTS HAPPEN?

Engineers are one step removed from the consequences of accidents. They are often not directly implicated and the accident may occur 20 years after the plant was designed. They may not be to blame but their actions might have prevented it; if only they had designed it differently…

Students and young engineers should be confronted with the possible consequences of their actions. If there is a major accident, life at the university or the office should pause, initially to remember the dead, and then, as more information becomes available, to ask why.
Students should be taken to the memorials, such as that for the 167 lost on Piper Alpha. Survivors should be invited to talk to the university. This can be deeply moving and can shape every engineer’s thinking for the rest of their lives. At the very least, inquiry reports should be held in the libraries. Every lecturer should have a good understanding of at least one accident relevant to their subject and be able to talk about it without reference to any text. All courses should include the detailed study of at least one major accident. This will put students in the mood to ask why.

Classical accident investigation asks why, up to seven times. When it is first posed, the answer comes back: because someone made a mistake. As we probe more deeply, we get to the root causes of the accident. Hopkins, in his examination of the Longford explosion in Australia (5), progressively goes higher up within an organisation and further into society itself. At progressively higher levels the answers to the question “why” become more complex, relating to resourcing, commitment, regulatory expectations and finally to societal pressures. However, at every level there is an underlying theme: ignorance of dangers, hazards and risks. Some of the most common expressions in post-accident interviews are: “I didn’t know that was important”, “I didn’t think that was dangerous” or “I didn’t think it would be like that”.

If the majority of the engineers who were designing Piper Alpha (6) in 1975 had been asked about the explosion effects of the condensate release in the compression module, the severity of the smoke and external flaming from the separator fire, or the possibility of oil cascading down three levels to the gas pipelines, there would have been blank stares or, at best, a guess. This is not a particular condemnation of that design team; rather, this lack of understanding was endemic in the industry at that time.
It was not perceived as a necessary input to the design process. In the light of this and other disasters, the world is moving towards a hazard and risk based culture. Surely it is now intolerable for any engineer to proceed with a design or to supervise the operation of a plant in ignorance of the hazards. If they cannot answer the questions “what is dangerous” and “why is it dangerous”, then they are behaving irresponsibly and straying outside a reasonable code of conduct. So are the managers who allow this culture of ignorance to flourish. The words “I didn’t think, I didn’t know or I didn’t understand” uttered by any chartered engineer following a major accident should now be sufficient to have them struck off for malpractice or even prosecuted.

Once the understanding of the hazards is established, the engineer’s responsibilities become much more explicit. In design, it is fourfold:

- to develop that understanding of the hazards to a level sufficient to allow them to be managed effectively
- to search for a safer solution
- to put measures in place to deal with the causes and possibly the effects
- to pass on to the future users that hazard understanding and their obligations for safe operation

In operation, it is fivefold:

- to communicate and maintain awareness of the hazards to all who may operate, maintain or be affected by the plant for its working life
- to operate the plant to its design intent and within its design limits
- to maintain the plant, structural integrity, and the performance of the critical systems to prevent and control the hazards
- to supervise and approve any activity which may endanger the plant or the people working on it
- to re-examine the hazards if the plant is modified and to update any integrity management requirements, operating procedures and safety system provisions

Once this culture of hazard understanding is established, engineers can progress from unthinking compliance with rules (prescriptive codes and standards), to hazard management, and eventually to creating a fundamentally safer world. This evolution can be expressed:

I do, therefore I comply
I understand, therefore we are safe
I think, therefore we are all safer

TALKING SAFETY

We talk about safety ad infinitum. We try to measure it to the nth degree. Industry takes immense pride in the drops in lost time injury (LTI) figures, to the extent that their performance and that of other measurable safety indicators is paramount. It has almost reached the stage where bad news cannot be tolerated. Society demands the answer “Yes” to the increasingly asked question “Is it safe?” Again, Hopkins in his study of Longford (5) describes a “good news” culture in which problems were progressively diluted as the messages rose up through the company until, at the highest level, the impression was given that everything was rosy.

As a parallel, there seems to be a fear of talking explicitly about hazards and dangers. Risk assessments such as Process Hazard Analyses (PHAs) or HAZOPs deliver a set of recommendations. Once addressed, there is “closure”. It is as though the hazards and their associated risks have gone away: the plant is safe because the recommendations in the risk assessment have been addressed.

Nothing in life is totally safe. If everything was, we would make and do nothing. We must inspire a culture in which we openly acknowledge that plants are still hazardous despite our best efforts to reduce risk. Thereafter, we are in a much better position to openly discuss the risks, decide how to manage those risks, and put a complete and appropriate set of measures in place to prevent or control the hazards. The open acknowledgement of hazards leads to a widespread awareness of the dangers and this is, in itself, one of the greatest risk reducers at our disposal.
I know why it is dangerous, so now we make it safe

This does raise a serious problem: the vast majority of society has an irrational view of risk and hazards, exacerbated by media sensationalism almost to the point of paranoia. A company that rigorously documents and highlights its hazards and makes them publicly available (as is often required by legislation) exposes itself to undue public and regulatory pressure. In today’s litigious society there is also the fear that it is the perfect prosecution evidence. However, the lack of this information greatly increases the chance of an accident and litigation. Perhaps society still needs a “demonstration of safety” as the public document, and operators need a book of hazards as an internal one. Engineers certainly need to help society to understand and take a more balanced view of risk. Perhaps there is an opportunity, together with the medical profession, to open the debate amongst the wider academic and student community within the universities? After all, this community should provide our future intelligentsia.

PROACTIVITY

Implicit in this culture of demonstrating safety or “proving it’s safe” is reactivity. Safety studies are often performed on a completed design, when the opportunity to design out the hazards has been lost. The words “review” and “assessment” imply the need for retrospective approval rather than a core input into design. The underlying components of risk (cause, severity, consequence and the potential for escalation) need to be identified while the design is still fluid. They must become essential design inputs. They should be used to help get the design right, rather than to highlight the flaws. Likelihood is a function of how well causes are understood and managed. Consequences depend on the matching of control and mitigation measures to the hazard effects.
The numeric quantification of risk, if required, may only be calculable on a completed design, but there needs to be an early picture of the general spread of risk and of the uncertainties so that sufficient effort can be focussed on the key drivers during design. More details of a structured approach to proactively reducing risk are given in a second paper for the OECD workshop (7).

SAFETY IS EVERY ENGINEER’S BUSINESS

It is too easy to pigeonhole safety into a discipline, a set of specific processes, project deliverables or a series of lectures. One head of engineering in a large company reacted angrily to the suggestion that they should have a safety engineering department: “Why? Every engineer should be a safety engineer.” There is a place for specialist safety engineering skills: in helping to understand major hazards, developing the picture of risks and assisting in the major decisions such as the selection of the processing method. However, it is often the detail that causes the accident, as was so clearly demonstrated in the study of the collapse of the walkway onto the Ramsgate ferry (8). Every engineer has a part to play in reducing risks, from the design of the detail around a stress concentration to the choice of technology for a nuclear reactor.

Often it is only a very small proportion of a design team that actively participates in the “safety process” or, worse still, it is a specialised activity subcontracted to a discrete team working behind closed doors. If this is the case, there is no hazard ownership and only a fraction of the potential for risk reduction is realised. Imagine the thousands of subtle improvements that could be realised if the entire project team, from draughtsmen up to the project manager, asked the questions outlined above: what is dangerous, and is there a safer way?
This will result in better routing of piping, the optimum placement of instruments to avoid damage, straighter escape routes, better access for maintenance, fewer hazardous interventions; the list will be endless. Neither academia nor industry should fall into the specialist trap. The regulator has a part to play here too. If they call for highly complex submissions and enter into ethereal debates about risk statistics, they will necessitate specialised departments and inadvertently cause the divorcing of safety from day-to-day engineering.

TEAMWORK

Increasingly, engineers specialise at an early age. They seem to know more about their particular subject but less about broader engineering principles and other disciplines than the old greybeards. They have become less aware of the impact of their work on others and vice versa. Any process plant needs structural engineers to hold it up, mechanical engineers to keep the fluids contained in piping and vessels, chemical engineers to design the process and instrument engineers to control it. An error from any one of them can result in a disaster, but effective hazard management can only be assured if they work together as a team. They must be made to share their knowledge of hazards, and the critical nature of aspects of their work, with their colleagues. Hazard identification, analysis and management should be a team activity in which every engineer participates.

This should start at university. It may be appropriate to educate all of the engineering disciplines in the basic principles of safety as a common topic and to reinforce the awareness of their interdependence through common hazard identification and analysis exercises.

A VISION OF SAFETY AND A QUESTION OF BALANCE

Once engineers have been inspired to behave responsibly and are committed to reducing risk, their enthusiasm must be given focus and direction; or rather, they need to be taught how to concentrate on what is really important.
In another, slightly tongue-in-cheek paper (9), this author suggested that many of the efforts to reduce risk were misplaced, even to the point where the addition of some systems to control and mitigate risk could actually increase it. Enthusiasm for safety is often reflected in the provision of bigger and better systems to protect against the effects of the latest disaster. Regulators can perpetuate this protection culture by requiring operators to prove that they don’t need the latest technology from well-meaning vendors. A safe plant is one that is easier to operate, is fail-safe and doesn’t collapse or leak, not one that is so poorly designed and run that it needs a plethora of protection and evacuation systems. Similarly, risk analysis can over-concentrate on particular aspects of selected hazards simply because they are in the forefront of people’s minds following a disaster or because research has made sophisticated analysis tools available. The current focus on explosions in the North Sea is a case in point.

Engineers need to be taught to balance their efforts: between hazards of differing risk, between the analysis of causes and of consequences, between prevention and cure, and between dependence upon people or upon plant. They must learn to stand back and look at the whole picture rather than immediately pursuing what they perceive to be the predominant hazards and the most critical safety systems. Regulators should also encourage a balanced approach by requiring holistic hazard management with clearly defined preferences for prevention. BP has attempted to put together an integrated process in its Inherently Safer Design Guidelines (10). At the time of writing, this document was not in the public domain, but it is to be hoped that it will be openly published as it will be of value to the whole engineering profession.

WHAT IS GOOD ENOUGH?
What makes an engineer ask the question: “Is it good enough?” For major decisions, such as the choice of a concept or overall risk levels, the question may be asked formally as part of a regulatory process or internal company requirements. However, engineers make critical decisions most days in their working lives. It may be the choice of material, type of pump or thickness of a vessel. This question is the final step in the process of hazard management and must become an integral part of their approach to safety.

For the strategic decisions, there are formal risk-based decision making tools, such as the use of quantitative risk assessment (QRA) to determine reasonable practicability (ALARP), or even more sophisticated methods such as the Risk Based Decision Making Framework published by the United Kingdom Offshore Operators Association (11). These are far too onerous for the multitude of everyday design decisions. If engineers understand the constituents of risk, cause and consequence, and can apply logic to the decision, then they should come up with the right answer using their own judgement combined with a clear set of values. However, engineering judgement in ignorance of these constituents of risk is called guesswork. Back to “I didn’t know, I didn’t think and I didn’t understand.”

As part of their basic training, all engineers need to formally stop and ask: “Have I done enough to understand the hazards and have I done sufficient to reduce their risks?” This should go through their minds every time they make critical decisions, even if they might not appear to be safety related. Everything is.

HOW DO WE ALL MAKE IT HAPPEN?

This is not about teaching engineers how to carry out a safety study. It is about inspiring them to care for everyone who may be at risk from their work, about giving them the questioning mind which seeks to identify and understand the hazards. It is about making them care enough to challenge designs or shut down process plants.
This does not need a lecture course; it needs leadership from every single person who teaches them at university and supervises them at work. In turn, they must provide that leadership to their successors and everyone who works for them directly or indirectly through service or supply. Specifically, it needs the following:

- Real leadership needs to be shown by every senior engineer, whether in academia, industry or government, by openly discussing an engineer’s responsibility for safety and by being able to demonstrate knowledge and commitment through a personal understanding of risk and hazard.
- There must be openness in discussing hazards and risks. The whole engineering profession must lead a change in social attitudes away from insisting on absolute safety towards recognising that risks are an integral part of life. It is the acknowledgement and understanding of hazards that keeps everyone safe.
- The regulators have a key role in this process through guiding and implementing the wishes of society.
- There should be a moral imperative upon engineers to take all reasonable steps to identify and understand the hazards associated with their work, and to use that knowledge to minimise risks and manage hazards effectively.
- The engineering profession should consider the need for the equivalent of a Hippocratic Oath or a common international code of ethics for engineers which commits them to the principles described above. This should be much more explicit than some of the vague words and non-mandatory guidelines currently in use. The profession should be prepared to act against any engineer who contravenes these principles where this results in an accident which could harm people or the environment.

Returning to that poster; here is an equivalent offering for engineers.

Engineering Safety is an Attitude

Engineering Safety is not something you can take or leave. It is not a separate specialised task, nor is it restricted to the checking or reviewing of activities or designs.

Engineering Safety is not only codes and standards, compliance, studies or formal risk assessment. Engineering Safety is not someone else’s responsibility.

Engineering Safety is an attitude, a frame of mind. It is the awareness of one’s decisions and how they relate to different surroundings and situations on the plant for every day of its life.

Engineering Safety is knowing what could go on; knowing what could cause injury or damage. It is knowing why accidents happen and changing the designs or operating plants accordingly.

To do this does not require genius or rank. All it requires is intelligence and understanding, coupled with the ability to use one’s common sense.

To ignore safety in engineering is to pass by on the other side. Finding a safer way is a mark of a creative and caring person, not a selfish one.

REFERENCES

(1) Safer Design – An Attitude; Dalzell G.A., Willing P.R.; Hazards XV, I. Chem E; Manchester; April 2000.
(2) DuPont Safety Management System and STOP programmes.
(3) Safety in Design, an Engineer’s Responsibility for Safety; published by the Hazards Forum.
(4) Guidelines on Risk Issues; The Engineering Council; February 1993.
(5) Lessons from Longford; Andrew Hopkins; Australian National University; published by CCH Australia Limited.
(6) The Public Inquiry into the Piper Alpha Disaster; Cullen W.D.; Ford G.M.; Lees F.; Appleton B.; HMSO Publications; November 1990.
(7) Risk Assessment or Hazard Management; Dalzell G.A.; OECD Workshop on the Training of Engineers in Risk; October 2003.
(8) Port Ramsgate Walkway Collapse Disaster; Crossland B.; Joel S.; Norton G.; Underwood J.; 71st Thomas Lowe Gray Memorial Lecture, Institution of Mechanical Engineers; January 1999.
(9) Nothing is Safety Critical; Dalzell G.A.; Chesterman A.; Hazards XIII, I. Chem. E; Manchester; April 1997.
(10) Inherently Safer Design Guidelines; BP internal document.
(11) Risk Based Decision Making Framework; published by UKOOA, 3 Hans Crescent, London.