34 Control Prevention and Intervention

From OHS BOK
Jump to: navigation, search

Control

Abstract

Hazard and risk control to prevent work-related fatality, injury, disease and ill health is the core objective of the OHS professional. While there is a legislative requirement to control risks in the workplace, the approach should go beyond mere compliance. Control of hazards and risk is not necessarily an easy or straightforward task. While the methods of controlling individual hazards such as chemicals and noise are well understood, there are many workplace injuries and disorders that have multiple causes, and there are different approaches to control. This chapter addresses key principles of control, including hierarchies of control, time-sequence approaches, requisite variety, barriers and defences, the precautionary principle and the sociotechnical systems approach. A brief discussion of two control strategies – safe design and behavioural-based safety – is followed by consideration of the implications for OHS practice. The chapter emphasises the role of the OHS professional as an organisational change agent, rather than just a risk-management technician.


Keywords control, barriers, defences, hierarchy of control, safe design, systems

�Contents

Background 6 Development 6 Conceptual structure 6 Audience 7 Application 7 Accessing and using the OHS Body of Knowledge for generalist OHS professionals 7 1 Introduction 1 1.1 Definitions 2 2 Historical context 2 3 Understanding the principles of control 4 3.1 Hierarchies of control 5 3.2 Time sequence 7 3.3 Requisite variety 11 3.4 Barriers and defences 12 3.5 A sociotechnical systems approach 15 3.6 Precautionary principle 17 3.7 Discussion of two control strategies 17 4 Regulatory requirements 21 5 Implications for OHS practice 23 6 Summary 24 Key authors 25 References 25 ��1 Introduction The role of the generalist OHS professional is to “provide enterprises with advice on the organisational arrangements that will lead to the systemic and systematic management of OHS to prevent work-related fatality, injury, disease and ill-health (FIDI).” This advice includes recommending appropriate and effective controls to manage hazards and risks. Developing effective controls requires an understanding of the causation of fatality, injury, disease and ill health, and of the role of the organisational environment; this understanding is informed by knowledge of the biology and psychology of workers as individuals and in groups.

This chapter builds on the knowledge of causation outlined in the OHS Body of Knowledge ‘Models of Causation: Safety’ and ‘Models of Causation: Health Determinants.’ It is not the intention of this chapter to exhaustively cover all relevant models and approaches to control, but rather to review some key principles such as:

the hierarchy of control the time sequence for employing various control strategies requisite variety in the range of controls to address complexity barriers and defences the precautionary principle the introduction of a sociotechnical systems approach.

Safe design and behavioural-based safety are discussed as two approaches to control. The chapter concludes with an examination of the implications for OHS practice. The principles of control addressed in this chapter are extended to the mitigation phase in the OHS Body of Knowledge ‘Control: Mitigation – Emergency Preparedness’ and ‘Control: Mitigation – Health Impacts’.

1.1 Definitions The terms ‘hazard management/control’ and ‘risk management/control’ are often used interchangeably; this gives the false impression that ‘hazard’ and ‘risk’ are synonymous. There are various definitions of ‘hazard’ in both community and OHS contexts; however, the fundamental test of whether something is a hazard is whether its elimination would result in the elimination of risk. ‘Risk,’ a more complex concept, is often perceived as a product of likelihood and consequence; also, it may be considered as a description of the effect of uncertainty on objectives with there being a plethora of factors impacting on the uncertainty and the potential outcomes. The descriptive view of risk recognises that the purpose of risk management is not to reduce loss at all costs, but to achieve objectives as effectively as possible with the ‘control’ phase usually referred to as ‘risk treatment.’

Management of specific hazards to prevent work-related fatality, injury, disease and ill health is addressed in the hazard-specific chapters of the OHS Body of Knowledge. As it is not possible to eliminate all hazards, there will always be residual risk, which must be managed. This chapter’s use of the term ‘control’ refers to controlling the complexity of risk sources and interactions that is necessary for management of residual risk as opposed to treatment of specific risks.

2 Historical context The study of causation and control of work-related disease and ill health has a long history with written references dating to ancient Rome. The first book on the control of industrial hazards was Georgius Agricola’s 1556 De Re Metallica (On the Nature of Metals), which discussed the need for ventilation machines in mines to replenish the air and prevent suffocation. Published in 1700, Bernardino Ramazzini’s De Morbis Artificum Diatriba (Diseases of Workers) – the first major medical text that linked conditions of work with diseases – stressed the importance of personal cleanliness and protective clothing (see Hunter, 1957). Since then, control of occupational disease and ill health has been dominated by a medical model that focuses on treatment of individuals after their expression of symptoms of ill health. More recently, this individual medical approach has been complemented by a systems and organisational approach to occupational health.

In contrast to occupational health, accident research and our understanding of causation of traumatic workplace injury began relatively recently. The 1931 publication of Herbert Heinrich’s Industrial Accident Prevention: A Scientific Approach was the first major work focussed on understanding accident causation. Based on analysis of some 75,000 accident reports, Heinrich concluded that the majority of accidents were due to unsafe acts, which in turn were the result of faulty attitudes of careless or reckless individuals. This led to the concept of the ‘unsafe worker,’ which resulted in control measures focusing on the behaviour of the individual worker (Heinrich, 1931).

However, blaming the worker (generally the victim within the incident) has been decried by a range of OHS professionals, regulators and unions because it does nothing to reduce the inherent risks within the workplace. While “blaming individuals is emotionally more satisfying than targeting institutions…continued adherence to this approach is likely to thwart the development of safer [organisations]” (Reason, 2000, p. 768). The idea that it makes more sense to analyse the incident process, and control relevant steps in that process, led to advocation of a switch in emphasis from ‘safe person’ to ‘safe place’ (see, for example, Gallagher, 2001).

An example of this ‘safe person’ versus ‘safe place’ argument, and its potential to harbour complexity, is provided by the relative efficacy of airbags and seatbelts in protecting people in car crashes in the US (Baker & Haddon, 1974; Culvenor, 1996). In a crash the airbag, which is always present in the car, inflates automatically. Conversely, the seatbelt only works if the occupant has buckled up. In the 1970s, attempts to increase voluntary use of seatbelts in the US were generally unsuccessful (Baker & Haddon, 1974). The ‘safe place’ seemed to trump the ‘safe person’ argument. However, the situation is not that simple. As observed by Hollnagel (2008, pp. 221–222), “perfect prevention is impossible [because] there is always something that can go wrong.” As a result of the force involved in deploying the US-type airbags, “169 child deaths have been attributed to injuries from an airbag since 1992” in the US (Lennon, Siskind & Haworth, 2008). Conversely:

…there have been no reports of a child injured or killed by a passenger airbag in Australia [where airbags]…are designed as supplementary restraint systems, intended to operate in conjunction with restrained passengers. As such they fire at lower speeds and later delays than the more aggressive ‘first generation’ style of bag fitted to US vehicles prior to 1998…which makes them less likely to cause injury (Lennon, Siskind & Haworth, 2008).

The approach works because seat belt usage in Australia is high among drivers (>97%) and children (>90%) (Lennon, Siskind & Haworth, 2008). These usage rates were achieved by behavioural-based programs (advertising, education) backed by strong police enforcement. The lesson is that a combination of ‘safe place’ and ‘safe person’ provides a better outcome than either ‘safe place’ or ‘safe person’ alone.

Contemporary theory and research suggest that the failures that lead to incidents can be attributed to a combination of factors such as human error, inadequate design, poor maintenance, degradation of working practices, inadequate training, poor supervision and excessive working hours, which in turn are influenced by organisational and management culture (see, for example, Trbojevic, 2008). Factors that may impact on causation of work-related ill health include the physical and psychosocial work environments, personal vulnerabilities, and many occupational diseases and disorders.

3 Understanding the principles of control It may seem obvious that if a risk is identified, it should be eliminated. However, a risk-free environment is neither possible nor desirable. The law does not require a risk-free work environment where “accidents never happen,” but instead requires employers “to take such steps as are practicable to provide and maintain a safe working environment” (Harper in Holmes v R. E. Spence & Co Pty Ltd as cited by Malcolm, 1999, p. 6).

When faced with risk, options range from doing nothing (i.e. accepting the risk) to eliminating the risk. Between these extremes are risk-reduction options aimed at decreasing the probability or likelihood that the hazard becomes uncontrolled, or mitigating the effects of the consequences of the risk. The OHS professional needs to understand this variability and be able to develop the most appropriate options in any set of circumstances. This section discusses some of the major principles that can be utilised in controlling risk.

3.1 Hierarchies of control The concept of a hierarchy of control strategies underpins OHS legislation and most workplace control actions. Originally developed for occupational hygiene applications, the hierarchy of control establishes the priority order in which hazard and risk controls should be considered. When applied in the broader OHS context, the hierarchy of control is a problem-solving tool to promote creative thinking when developing options for risk control rather than a fixed set of rules. Figure 1 is one representation of a hierarchy of control that highlights the relative protection and reliability of controls. American variations of the hierarchy of control insert ‘warnings’ (covering alarms, gas detection, signs, etc) after engineering controls.











Figure 1: Hierarchy of control (Safe Work Australia, 2010a, p. 13)


The role of training and supervision as explicit administrative control measures needs to be emphasised. These are critical and necessary barriers that generally apply in conjunction with all other forms of control. When regulators prosecute organisations for breaches of safety legislation, they almost always prosecute for absent or inappropriate training and/or supervision of workers. Creighton and Rozen (2007) found that almost all prosecutions under the Occupational Health and Safety Act 1985 (Vic) were for employer breaches of s21(1) the general duty of care, s21(2)(a) safe plant and/or safe systems of work, and s21(2)(e) provision of information, instruction, training or supervision. This has not changed in more recent times.

While the requirement for training and supervision applies across a range of hazards and risks, other administrative controls such as safe-work procedures and risk assessments apply to specific hazards.

The traditional hierarchy of control (eg Figure 1) works reasonably well for separate physical risks such as plant or hazardous chemicals; however, it is not suited to all risks, particularly psychosocial risks (Maxwell, 2004). In addition, the hierarchy has been abused by oversimplification. In any situation where a control is imposed, particularly where elimination or substitution is involved, the potential for unintended consequences must be considered. For example, Hollnagel (2008) noted that elimination of human involvement as a result of automation may change the basis for risk assessment in a fundamental way, and it is not appropriate to claim that such ‘elimination’ reduces risk unless the short-term and long-term consequences are fully taken into account. Indeed, automation introduces a different range of risks that were not considered in the original risk assessment and therefore necessitates a new assessment.

3.2 Time sequence Models of causation (and consequently the theory underpinning development of control strategies) may be considered in three categories: simple sequential linear models, complex linear models, and complex non-linear models. While different models suit different circumstances and levels of complexity, most models feature a ‘time-sequence’ factor, which provides a framework for development of control strategies that goes some way to addressing the over-simplification of many hierarchies of control.

In developing controls it is useful to envisage a time sequence that commences before the incident and extends beyond it to include damage or injury outcomes. This allows controls to be considered in a variety of prevention and mitigation modes. Viner’s (1991) generalised time-sequence accident model included:

A pre-conditions time zone, during which conditions supporting possible event mechanisms develop An occurrence time zone that includes the initiation of the event mechanism and the specific outcome A consequence time zone, during which damage commences, is detected and proceeds to completion, followed by recovery or stabilisation.

Also taking a time-sequence approach, Sklet (2006) related generic safety functions to accident phases in a process model in which the pre-event phase is referred to as the ‘normal condition’ (Figure 2).

The generic safety functions prevent, control, and mitigate are related to the transitions between the different phases in [this process] model. To prevent means to prevent transition from normal condition to a state of lack of control. To control means to prevent transition from lack of control to loss of control, while to mitigate means to prevent the targets starting to absorb energy. (Sklet, 2006)

�Figure 2: Generic safety functions on a time sequence (Sklet, 2006, p. 498)


Haddon (1970) developed ten strategies that follow a time sequence to control energy flows. Strategies 1–8 are pre-event and 9–10 are post-event, although there is capacity for overlap:

Prevent the build-up of relevant energy inventory in the first instance (e.g. after the introduction of Dangerous Goods legislation in the 1980s, many organisations eliminated fuel bowsers in their vehicle depots to eliminate risk and legal compliance issues) Reduce the energy inventory (e.g. reduce flammable liquids onsite to a minimum) Prevent the release of energy from the inventory (e.g. barriers around open excavations) Modify the rate of release or distribution of energy from the source (e.g. use of mufflers) Separate in time or space the energy from the susceptible structure (e.g. put power lines out of reach) Separate by use of material barriers (e.g. electrical and thermal insulation) Modify the contact surface, subsurface or basic structure (e.g. eliminate sharp surfaces that could result in cuts) Reduce losses in people and property by strengthening structures that might be damaged (e.g. use of building codes in earthquake-prone regions) Limit loss by rapidly detecting and mitigating damage, or countering the spread (e.g. fire detectors and sprinklers) Stabilisation of the damage and system recovery, covering all recovery aspects from first aid and medical interventions, rebuilding after a fire, and repairing damaged plant or vehicles.


A time-sequence approach to occupational disease and ill health control strategies may be considered in similar pre-conditions, occurrence and consequence phases. For example:

Control in the pre-conditions phase: Control of specific hazards, such as chemical or biological hazards that cause specific diseases or initiate responses such as asthma System-wide occupational health management strategies integrated into the OHS management system Health promotion activities focusing on individual vulnerabilities and causal factors Control in the occurrence phase: Active management of the individual by medical and other health professionals once a medical condition presents System-wide occupational health interventions Control in the consequence phase: Support for injured workers and others who may be affected ‘Return to work’ strategies.

This time sequence can be visualised by a ‘bow tie’ diagram, which can be used to identify all the ways that an incident may occur, the barriers or other controls are in place, and the mitigation strategies that may be utilised to reduce the consequences of the event if the controls fail. The incident is called the top or critical event with the hazards and prevention requirements on the left of the critical event, and the mitigating strategies and consequences on the right, as shown in Figure 3. Mitigation strategies may include: actions for system recovery; emergency management; medical treatment; and rehabilitation and return to work. . �Figure 3: Bow tie model of risk (modified from Hudson & Guchelaar, 2003)


3.3 Requisite variety Contrary to the implication of legislation that control actions might be identified simply through the application of a hierarchy of control (section 3.1), most hazard-control strategies require a more-or-less-complex set of solutions, and generally a number of controls. This applies Ashby’s (1956, p. 207) law of requisite variety that states “only variety can destroy variety.”

Risks in organisations can be understood to arise from the interaction of people, equipment and systems, and can be dealt with only by using a sufficient variety of control actions to cover all of the possible ways that the system can go wrong (Nævestad, 2008). For example, the situation can be made less complex (such as by delegation of authority), or more comprehensive controls can be implemented (such as better qualified staff). In interactively complex technologies, individual element failures may interact in ways that are impossible to see, anticipate or comprehend. If a hazard is controlled by an engineering device, for example, there is still potential for failure of the device, its misuse, lack of understanding of its operation, lack of maintenance and so on. Even in a ‘simple’ situation, a large variety of factors may need to be controlled. Typically this would involve developing procedures for the control action, training workers and supervisors in the use of these procedures, applying supervision to ensure compliance with procedures, applying maintenance schedules to mechanical devices, and routinely reviewing the overall situation to ensure that the control action achieves its intended effect over time. Clearly this is more complex than is indicated by ‘apply engineering control.’

3.4 Barriers and defences Models of causation that consider barriers and defences build on this concept of requisite variety. Identification of defences and barriers, and how these may break down or be defeated, is important in understanding causation. Knowledge of the role of barriers and their development is equally important in the development of control strategies.

Haddon (1970) introduced the notion of safety barriers, with specific reference to physical constraints. More recently, it has been suggested that safety barriers are not limited to the physical. As described by Trbojevic (2008, p. 4), a barrier is a design feature, which “may be physical or non-physical or a combination, and the intent is to prevent, control, mitigate or protect from accidents or undesired events.” In explaining his “Swiss cheese model of system accidents,” Reason (2000, p. 769) referred to barriers, or defensive layers, within technology systems in the following manner:

…some are engineered (alarms, physical barriers, automatic shutdowns, etc.), some rely on people (surgeons, anaesthetists, pilots, control room operators, etc.), and yet others depend on procedures and administrative controls…In an ideal world each defensive layer would be intact. In reality, however, they are more like slices of Swiss cheese, having many holes – though…these holes are continually opening, shutting and shifting their location. The presence of holes in any one “slice” does not normally cause a bad outcome. Usually, this can happen only when the holes in many layers momentarily line up to permit a trajectory of accident opportunity – bringing hazards into damaging contact with victims.


Hollnagel (2008) provided the examples of social barriers, organisational barriers, hardware barriers, cultural barriers, behavioural barriers and human barriers. Based on the work of Hollnagel (2008) and Sklet (2006), Trbojevic (2008) proposed a barrier classification scheme (Figure 4).

� Figure 4: Barrier classification scheme (modified from Trbojovic, 2008, p. 18)


Trbojevic (2008) classified technical, human/organisational and fundamental barriers according to their effectiveness in controlling risk:

Technical barriers (high effectiveness) – can prevent risk escalation, attenuate the risk, mitigate its consequence or reduce its likelihood. Subcategories: Technical active barriers, which perform on demand (e.g. a fire sprinkler system) Technical passive barriers, which perform all the time (e.g. a fire wall) Technical control barriers, which activate other prevention or mitigation system (e.g. a gas or fire detection system). Human/organisational barriers (medium effectiveness) – contribute to the control of the process or activity, and reduce the likelihood of initiating events by reinforcing barriers or preventing their decay. Subcategories: Organisational (procedural) barriers, which include procedural controls, permit-to-work systems, job safety analyses, inspection and monitoring, and controlling instrumentation Human (operator) barriers, which include the competence of the operator within their job Human (supervision) barriers, which include the supervision of the activity by management. Fundamental barriers (low effectiveness) – barriers separated in time from threat initiation and risk realisation. Fundamental barriers contribute to system safety by checking for system weaknesses and any underlying or latent failures (see, for example, Reason, 1997). Subcategories: Fundamental procedural barriers, which include design reviews, procedural reviews, operational reviews, system audits, etc.; examples of such applications are the Tripod analysis (see Reason, 1997), which determines ‘general failure types’ within the operation that are most likely to contribute to unsafe acts, and the Incident Cause Analysis Method (ICAM) investigation process (Gibb, Reason, De Landre & Placanica, 2004) Fundamental human barrier covering the good health / wellness of the workforce (Trbojevic, 2008).

Trbojevic’s primary barriers (Figure 3), which function “to eliminate, prevent, reduce, mitigate or control threat transmission and [risk] escalation,” are fortified by the secondary barriers, which “prevent barrier decay, erosion or failure,” as well as underlying or latent failure/decay, thereby improving reliability and energising the sociotechnical system (Trbojevic, 2008, p. 19). Barrier theory provides a richer and more comprehensive model than energy-control models or hierarchies of control.

The relevance of the concept of barrier decay for OHS professionals is highlighted by the potential for organisations to ‘drift into failure:’ “Workplace accidents rarely happen out of the blue. Generally, there is an incubation period, a time during which practices and assumptions about risk change slowly and gradually.” All systems degrade unless specific resources are committed to halt or reverse the decay; machines wear out, shortcuts are taken with procedures, workers leave the organisation and reasons for doing things in a particular way are forgotten. This has been emphasised in Turner’s disaster incubation theory, which postulates that as time passes, organisations start ignoring and misconstruing danger signals, and those with good safety records become complacent (Turner & Pidgeon, 1997, in Shrivatava et al, 2009). Thus controlling barrier decay should be a key component of the OHS management system.

3.5 A sociotechnical systems approach Technical performance and the incidence of human error are influenced by organisational factors, including management decisions and safety culture, as well as external sociopolitical pressures (Reason, 1997). Such influences within the system are determined by their proximity to the actual occurrence of error in the front line task or failure in a safety barrier, from the close to the most remote level. Failure at different system levels is the key concept underpinning Reason’s (1997) ‘Swiss cheese’ model and Trbojevic’s (2008) sociotechnical systems pyramid (Figure 5).


Figure 5: Sociotechnical systems pyramid (Modified from Trbojevic, 2008, p. 11)


Trbojevic (2008, pp. 10–11) nominated five levels of influence on OHS performance:

Level 5: System climate – in which the organisation operates, including economic and regulatory requirements. External pressures affect the organisation and management needs to keep informed of relevant impacts and legislative changes. An organisation’s safety culture is an important mechanism linking external forces to its approach to safety. Level 4: Organisation and management – includes structures, objectives, targets, strategies, etc., operating within the organisation. It defines safety policy and systems. Level 3: Control, communication and feedback processes – ensures that the system operates according to its intended goals, and identifies deviations from those goals, so that appropriate corrections can be made. Level 2: Operator reliability – covers the required competence (skills, knowledge and motivation) of staff to meet task demands imposed by technology, procedures and other external constraints. Competence and work demands need balancing. Level 1: Engineering reliability – refers to the design and maintenance of the plant or system.

Consistent with the work of Reason (1997, 2000), failures or human error in the above system elements can be active or latent. Active failures/errors are felt immediately (e.g. a person inadvertently cutting into a live power line). Latent failures/errors (e.g. poor design, insufficient maintenance, inadequate training and supervision, or inappropriate procedures) are separated from their effects in time. Latent failures can lie dormant until a set of circumstances (that may include an active failure or error) causes an accident. An extreme example of latent failure with a long dormant period was the 1992 fatal derailment that resulted from a flawed 1916 decision to lay rail tracks over a beaver dam in Nakina, Ontario (Reason, 1997).

Tripod and similar proactive methodologies seek to identify such latent failures before any initiating event, and make such conditions visible to the workforce and managers through, among other things, the use of barriers. The extent of such latent failures can be interpreted as a measure of ‘health’ of the system (Trbojevic, 2008).

3.6 Precautionary principle There will be situations where full or sufficient health information on a hazard is unavailable. In such cases, the precautionary principle should be adopted. This principle states that:

Where there are threats of serious or irreversible health or environmental damage, lack of full scientific certainty shall not be used as a reason for postponing cost effective measures to prevent environmental damage (ILGRA, 2002, p. 5).

An example of the application of the precautionary principle is the use of the control banding concept for nanoparticles. Originally proposed as an exposure-rating system to assist small and medium enterprises with control of hazardous chemicals exposure (Tijssen & Links, 2002), control banding has been identified as a viable tool for the assessment and management of nanoparticle exposures, for which the potential risks are not yet well characterised (Paik, Zalk & Swuste, 2008). This tool takes into account the estimated amount of the nanoparticles used, their ‘dustiness/mistiness,’ the number of employees with similar exposure, and the frequency and duration of the operation, to assess the risk of the operation and provide recommendations for control measures (Paik, Zalk & Swuste, 2008).

3.7 Discussion of two control strategies 3.7.1 Safe design The National Occupational Health and Safety Commission (NOHSC, 2000) determined that from 1989 to 1992 in Australia there were 233 plant-related work fatalities in 225 incidents; of these incidents, 117 (52%) had at least one design flaw contributing to the fatal outcome, including poor or absent guarding, poor controls, blind spots and inappropriate safety mechanisms. A subsequent study revealed that, of 210 workplace fatalities from 1997 to 2002, 77 (37%) “definitely or probably had design-related issues involved” (NOHSC, 2004). The National OHS Strategy 2002–2012 has a national priority to “eliminate hazards at the design stage” (NOHSC, 2002); this requirement has informed the Model Work Health and Safety Act (Safe Work Australia, 2011a), which requires plant, substances or structures to be designed so far as reasonably practicable, without risks to the health or safety of all who use or come into contact with the product (WHSA s 22).

In 2006, the Australian Safety and Compensation Council (ASCC) defined the concept of safe design as:

…the integration of hazard identification and risk assessment methods early in the design process to eliminate or minimise the risks of injury throughout the life of the product being designed. It encompasses all design including facilities, hardware, systems, equipment, products, tooling, materials, energy controls, layout, and configuration. (ASCC, 2006, p. 5)

As documented by the ASCC (2006), safe design is underpinned by five key principles:

Persons with control – persons who make decisions affecting the design of products, facilities or processes are able to promote health and safety at the source. [Safe design can be achieved more effectively when all parties involved in the design process collaborate on incorporating safety measures into the design.]

Product lifecycle – safe design applies to every stage in the lifecycle from conception through to disposal. It involves eliminating hazards or minimising risks as early in the lifecycle as possible…[It] provides a framework for eliminating the hazards at the design stage and/or controlling the risk as the product is: Constructed or manufactured Imported, supplied or installed Commissioned, used or operated De-commissioned, demolished and/or dismantled, and Disposed of or recycled.

Systematic risk management – the application of hazard identification, risk assessment and risk control processes [at each lifecycle stage] to achieve safe design.

Safe design knowledge and capability – should be either demonstrated or acquired by persons with control over design.

Information transfer – effective communication and documentation of design and risk control information between all persons involved in the phases of the lifecycle is essential for safe design. (ASCC, 2006, pp. 5–6, 9)

The principle of safe design addresses control priorities at the peak of the hierarchy of control, the earliest stages in the time sequence, and the highest level of the sociotechnical systems approach, and it requires the fewest barriers and defences.

Safe Work Australia (2010b) pointed out that considerable costs can be associated with unsafe design, including retrofitting, workers’ compensation costs, environmental clean-up costs and public liability. If safety is incorporated at the design stage, such costs can be avoided. It is easier and cheaper to make safety improvement early in the product lifecycle (Figure 6).


Figure 6: Cost benefit in moving safety upstream in the design process (Safe Work Australia, 2010b)


Also, the ASCC (2006, p. 6) advocated taking into account “human factors, abilities and limitations affecting end users…User safety, efficiency, productivity and comfort are indicators of how effective the design is in filling its purpose.” A model of a safe design process is provided in Figure 7.
















Figure 7: A model for safe design (ASCC, 2006, p. 19)


3.7.2 Behavioural-based safety The administrative control of behavioural-based safety (BBS) is used in many workplaces as a risk-control program. BBS is largely based on the ‘safe-person’ concept and is popular in US organisations. Of relevance is Manuele’s (2006, p. 185) observation that many BBS consultants “have largely ignored the necessity of making hazards analyses and risk assessments and the application of a hierarchy of controls in the preventive measures they propose;” rather, they have promoted a form of occupational psychology focused on the worker as the solution to injury problems.

After reviewing BBS literature, Fleming and Lardner (2002, p. i) commented:

Whilst a focus on changing unsafe behaviour into safe behaviour is appropriate, this should not deflect attention from also analysing why people behave unsafely. To focus solely on changing individual behaviour without considering necessary changes to how people are organised, managed, motivated, rewarded and to their physical work environment, tools and equipment, can result in treating the symptom only, without addressing the root causes of unsafe behaviour.

Fleming and Lardner (2002, p. 22) identified two management behaviours that are critical for effective safety leadership: “meeting with employees frequently to discuss safety issues [and] responding quickly to safety suggestions and concerns raised by employees.” Hopkins (2002) suggested that a variant of behaviour modification – “the promotion of risk awareness within the workforce” (e.g. use of ‘Take 5’ or similar programs) – may have value in developing individual mindfulness, but only if such action is part of a broader strategy to develop organisational mindfulness.

In summary, BBS may be a useful control program provided that all higher-order preventative measures (e.g. substitution and engineering controls) have been implemented, and that organisational and system causes of accidents have been identified. Based on the work of Reason and others, the ‘Hearts and Minds’ approach developed for the UK petrochemical industry is an example of a program that incorporates BBS as the end step after management accountability, engineering controls, legislative compliance, OHS systems and operator training have been implemented (see Energy Institute, n.d.).

4 Regulatory requirements The way an organisation goes about controlling risks is influenced by its safety culture and the regulatory environment in which it works. While legislation mandates minimum requirements for compliance, organisations with a strong safety culture generally aspire to more than minimum compliance (Parker, Lawrie & Hudson, 2006).

The national Model Work Health and Safety Act (Safe Work Australia, 2011a) requires that:

(1) A person conducting a business or undertaking must ensure, so far as is reasonably practicable, the health and safety of: (a) workers engaged, or caused to be engaged by the person; and (b) workers whose activities in carrying out work are influenced or directed by the person, while the workers are at work in the business or undertaking. (2) A person conducting a business or undertaking must ensure, so far as is reasonably practicable, that the health and safety of other persons is not put at risk from work carried out as part of the conduct of the business or undertaking. (WHSA s 19).

Determining what constitutes “reasonably practicable” is considered to be an objective test taking account of:

…that which is, or was at a particular time, reasonably able to be done to ensure health and safety, taking into account and weighing up all relevant matters including: (a) the likelihood of the hazard or the risk concerned occurring (b) the degree of harm that might result from the hazard or the risk (c) what the person concerned knows, or ought reasonably to know, about the hazard or risk, and ways of eliminating or minimising the risk (d) the availability and suitability of ways to eliminate or minimise the risk, and (e) after assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk. (WHSA s 18)

The concept of barrier decay (section 3.3) also should be considered in determining what is reasonably practicable. While a control may be effective when implemented, both hardware (e.g. mechanical barriers) and software (e.g. procedures) can degrade over time unless periodically reviewed and updated. According to Manuele (2006, p. 189), “No matter how effective the risk reduction measures taken, if an activity continues there will always be residual risk. Residual risk is defined as the risk remaining after preventative measures have been taken.” A residual risk register should be maintained, and all risk controls regularly reviewed to counter barrier decay, and to account for system changes and/or new information. This monitoring is a key stage in all risk-management models and is specifically included in the How to Manage Work Health and Safety Risks: Code of Practice (Safe Work Australia, 2010a).

The WHSA (s 17) defines how risk is to be treated:

A duty imposed on a person to ensure health and safety requires the person: (a) to eliminate risks to health and safety, so far as is reasonably practicable; and (b) if it is not reasonably practicable to eliminate risks to health and safety, to minimise those risks so far as is reasonably practicable (Safe Work Australia, 2011a).

The draft Model Work Health and Safety Regulations (Safe Work Australia, 2010c) specify requirements for control of particular hazards; for example, noise (s 4.1.2), manual handling (s 4.2.4), falls (s 4.4.3), electrical work (s 4.7.7), plant (s 5.1) and chemicals (s 7.1.32). As a condition of their operating license, Major Hazards Facilities are required to develop and maintain a ‘Safety Case,’ which identifies all the significant risks within the facilities, and then show how those risks will be controlled to a degree of risk acceptability defined within the Safety Case (WHSR ss 8.3, 8.4)

Other legislation addressing the requirement to control risk includes:

Mining regulations require the use of safety management systems to comprehensively control all underground mining risks, and to put in place systems to control the adverse effects of drugs and alcohol Road regulations require ‘chain-of-responsibility’ systems to manage fatigue in long-haul drivers (NTC, 2006) Radiation safety legislation requires licensed users of radiation to consider a ‘radiation safety principle’ where any use of radiation is questioned (ie with emphasis on elimination); however, if the use is justified, then exposure is kept as low as reasonably achievable (ALARA).

5 Implications for OHS practice Much current OHS theory evolved from research in high-risk industries, including nuclear and petrochemicals (e.g. Reason, 1997; Parker, Lawrie & Hudson, 2006), which may be perceived as overly complex for many ‘normal’ situations. The OHS professional is cautioned against assuming that development of a safe workplace is inherently simple or that a risk-free workplace can be achieved simply through application of the hierarchy of control. A risk-free workplace is not possible (Hollnagel, 2008), although may remain an aspirational goal. Indeed, Hudson (2010) described health and safety practice as “more complex than rocket science.” It is not simply a case of ‘fixing’ the hazard (e.g. noise, manual handling, etc.), but of understanding how and why the risk exists as a result of interaction between the hazard, the organisation, the people and the particular job.

Tepe and Barton (2009) argued that OHS professionals need to be able to use a range of system views to suit the complexity of any situation. The sociotechnical model is promoted as a useful tool as it is consistent with the work of Reason (1997) and with ergonomic principles that address risks in the context of the user, job/task demands, work environment, equipment design and work organisation. The OHS professional should search for process weaknesses by utilising latent failure analysis (e.g. Tripod or similar) and be prepared to apply multiple barriers or controls (requisite variety). Also, they should be cognisant of the potential for barriers to decay, and consider counterbalancing primary barriers with secondary barriers, including reviews and audits, as necessary components of their OHS management system.

Successful control of risk requires an in-depth understanding of hazards and the physical, organisation and psychosocial environments, and an understanding of the psychological principles that explain behaviour of workers as individuals and in groups. This requires the OHS professional to seek a “richness” of information to identify and understand the risks (Weick, 2007). Weick (2007, p. 18) argued “for detail, for thoroughness, for prototypical narratives, and…against formulations that strip out most of what matters.” Risk assessment is more than filling in a checklist. After gathering the necessary information to maximise their understanding of risk, OHS professionals need to be able to take a pluralist approach to application of appropriate principles and theoretical model(s) to structure rigorous control systems for the prevention of injury (Tepe & Barton, 2009).

Finally, the effectiveness of control will be limited by an organisation’s safety culture, which impacts on the decisions relating to the types and quantities of controls that are implemented. The OHS professional needs to identify what constitutes industry ‘best practice’ and what can be applied within the organisation. Parker, Lawrie and Hudson (2006) identify criteria for organisations at different stages of safety maturity. At the very minimum, organisations need to comply with relevant legislation. However, such a limited perspective generally means that OHS remains an ‘add-on’ to operations. Typically, organisations with excellent OHS records have moved beyond mere compliance and integrated OHS into their ordinary operations. OHS professionals need to develop strategies to achieve effective control of risks at work. They have to become organisational change agents.

6 Summary The causation of work-related fatality, injury, disease and ill health is complex. Control strategies need to be comprehensive to address this complexity. Approaches to control need to move beyond a simplistic application of the hierarchy of control to consider strategies required in the pre-conditions, occurrence and consequence phases. The development of such strategies should be informed by knowledge of barriers and defences, and how they may break down or be breached. Sociotechnical system models (e.g. Reason’s ‘Swiss cheese’ model and Trbojevic’s systems pyramid) provide a broad-based approach that addresses the requisite variety of strategies to address the complexity of causation. OHS professionals should remain vigilant in ensuring that their advice is informed by current OHS knowledge, but not allow a lack of full scientific certainty to excuse lack of action when there is threat of serious injury or health outcome. Providing advice on appropriate control of risk is the fundamental reason for an OHS professional to be in a workplace.

Key authors Andrew Hopkins, Patrick Hudson, James Reason, Karl Weick, Eric Hollnagel

References Agricola, G. (1556). De re metallica [Translated by H. C. Hoover & L. H. Hoover]. Retrieved from http://www.gutenberg.org/files/38015/38015-h/38015-h.htm ASCC (Australian Safety and Compensation Council). (2006). Guidance on the Principles of Safe Design at Work. Canberra, ACT: Australian Government. Retrieved from http://safeworkaustralia.gov.au/AboutSafeWorkAustralia/WhatWeDo/Publications/Documents/154/GuidanceOnThePrinciplesOfSafeDesign_2006_PDF.pdf Ashby, W. R. (1956). An introduction to cybernetics. London: Chapman & Hall. Baker, S. P., & Haddon, W. (1974). Reducing injuries and their results: The scientific approach. The Millbank Memorial Fund Quarterly: Health & Safety, 52(4), 377–389. Creighton, B., & Rozen, P. (2007). Occupational Health & Safety Law in Victoria (3rd ed.). Sydney, NSW: Federation Press. Culvenor, J. (1996, October 15). Safe Places versus Safe People (Stamp Out Risky Business Seminar), Ballarat. Energy Institute. (n.d.). Hearts and minds. Retrieved from http://www.eimicrosites.org/heartsandminds/ Fleming, M., & Lardner, R. (2002). Strategies to Promote Safe Behaviour as Part of a Health and Safety Management System (Contract Research Report 430/2002). Edinburgh, UK: Health & Safety Executive. Gallagher, C. (2001). New directions: Innovative management plus safe place. In W. Pearse, C. Gallagher & L. Bluff (Eds.), Occupational Health & Safety Management Systems: Proceedings of the First National Conference (pp. 65–82). Melbourne, VIC: Crown Content. Retrieved from http://mtpinnacle.com/pdfs/gen_ohsms_4231.pdf#page=73 Gibb, G., Reason, J., De Landre, J., & Placanica, J. (2004). The incident cause analysis method (ICAM). Safety in Australia, 26(2), 13–19. Haddon, W. (1970). On the escape of tigers: An ecologic note. American Journal of Public Health, 60(12), 2229–2234. Heinrich, H. W. (1931). Industrial accident prevention: A scientific approach. New York, NY: McGraw-Hill. Hollnagel, E. (2008). Risk + barriers = safety? Safety Science, 46(2), 221–229. Hopkins, A. (2002), Safety Culture, Mindfulness and Safe Behaviour: Converging Ideas? (Working Paper 7). Canberra, ACT: National Research Centre for OHS Regulation, Australian National University. Hudson, P.T.W.,Guchelaar, H.J. (2003). Risk assessment in clinical pharmacy, Pharm World Sci, Kluwer Academic Publishers; 25(3):98–103. Hudson, P. (2010, April). Rethinking Safety: It’s not Rocket Science, it’s Much Harder (Dr Eric Wigglesworth Memorial Lecture), Melbourne. Hunter, D. (1957). The diseases of occupations (2nd ed.). London: English Universities Press. ILGRA (UK Inter-Departmental Liaison Group on Risk Assessment). (2002). The Precautionary Principle: Policy and Application. Retrieved November 25, 2010, from http://www.hse.gov.uk/aboutus/meetings/committees/ilgra/pppa.htm LaMontagne, A. D., Keegel, T., & Vallance, D. (2007). Protecting and promoting mental health in the workplace: Developing a systems approach to job stress. Health Promotion Journal of Australia, 18(3), 221–228. Lennon, A., Siskind, V., & Haworth, N. (2008). Rear seat safer: Seating position, restraint use and injuries in children in traffic crashes in Victoria, Australia. Accident Analysis & Prevention, 40(2), 829–834. Malcolm, D. K. (1999). Liability for Health and Safety at Workplaces. WorkSafe Western Australia, Commission of Western Australia. Retrieved from http://www.safetyline.wa.gov.au/PDF/The_Law/Keynote%20address%20Hon%20David%20Malcolm.pdf Manuele, F. A. (2006). Achieving risk reduction, effectively. Trans IChemE, Part B, Process Safety & Environmental Protection, 84(B3), 184–190. Maxwell, C. (2004, March). Occupational Health and Safety Act Review. State of Victoria. Retrieved from http://www.dtf.vic.gov.au/CA25713E0002EF43/WebObj/MaxwellReport_06Apr04/$File/MaxwellReport_06Apr04.pdf Nævestad, T.-O. (2008). Safety cultural preconditions for organizational learning in high-risk organizations. Journal of Contingencies & Crisis Management, 16(3), 154–163. NOHSC (National Occupational Health and Safety Commission). (2000). Work-related Fatalities Associated with Design Issues Involving Machinery and Fixed Plant in Australia, 1989 to 1992. Sydney, NSW: NOHSC. Retrieved from http://www.safeworkaustralia.gov.au/AboutSafeWorkAustralia/WhatWeDo/Publications/Documents/293/WorkRelatedFatalitiesAssociatedWithDesignIssues_Machinery_FixedPlant_Australia1989-1992_%20NOHSC_%202000_PDF.pdf NOHSC (National Occupational Health and Safety Commission). (2002). National OHS Strategy 2002–2012, Canberra, ACT: NOHSC. Retrieved from http://safeworkaustralia.gov.au/AboutSafeWorkAustralia/WhatWeDo/Publications/Documents/230/NationalOHSStrategy_2002-2012.pdf NOHSC (National Occupational Health and Safety Commission). (2004). The Role of Design Issues in Work-related Injuries in Australia 1997–2002, Canberra, ACT: NOHSC. Retrieved from http://www.safeworkaustralia.gov.au/AboutSafeWorkAustralia/WhatWeDo/Publications/Documents/27/RoleOfDesignIssuesInWork-relatedInjuries1997-2002_2004_PDF.pdf NTC (National Transport Commission). (2006). Guidelines for Managing Heavy Vehicle Driver Fatigue. Melbourne, VIC: National Transport Commission. Retrieved from http://www.ntc.gov.au/filemedia/Reports/3HVDFGLinesManagHVDFFeb2007.pdf Olishifski, J., (1976) “General Methods of Control”, in Olishifski, J., and McElroy, F., (1976) Fundamentals of Industrial Hygiene, National Safety Council, Chicago. Paik, S. Y., Zalk, D. M., & Swuste, P. (2008). Application of a pilot control banding tool for risk level assessment and control of nanoparticle exposures. Annals of Occupational Hygiene, 52(6), 419–428. Parker, D., Lawrie, M., & Hudson, P. (2006). A framework for understanding the development of organisational safety culture. Safety Science, 44(6), 551–562. Reason, J. (1997). Managing the risks of organizational accidents. Aldershot: Ashgate. Reason, J. (2000). Human error: Models and management. British Medical Journal, 320, 768–770. Safe Work Australia. (2010a). How to Manage Work Health and Safety Risks: Code of Practice. Retrieved from http://safeworkaustralia.gov.au/AboutSafeWorkAustralia/WhatWeDo/Publications/Documents/633/How_to_Manage_Work_Health_and_Safety_Risks.pdf Safe Work Australia. (2010b). Benefits of safe design – What’s in it for me. Retrieved November 26, 2010, from http://safeworkaustralia.gov.au/SafetyInYourWorkplace/SafeDesign/Understanding/Pages/Benefits.aspx Safe Work Australia. (2010c). Model Work Health and Safety Regulations (Draft). Canberra, ACT: Safe Work Australia. Safe Work Australia. (2011a). Model Work Health and Safety Bill (Revised draft 23/6/11). Canberra, ACT: Safe Work Australia. Retrieved from http://safeworkaustralia.gov.au/AboutSafeWorkAustralia/WhatWeDo/Publications/Pages/model-work-health-safety-act-23-June-2011.aspx Safe Work Australia. (2011b). Interpretative guideline – Model Work Health and Safety Act: The meaning of ‘reasonably practicable.’ Retrieved from http://safeworkaustralia.gov.au/AboutSafeWorkAustralia/WhatWeDo/Publications/Pages/interpretive-Guideline-reasonably-practicable.aspx Safe Work Australia. (2011c). Model Work Health and Safety Regulations: Chapter 9 – Mines. Retrieved from http://safeworkaustralia.gov.au/Legislation/PublicComment/Documents/Mining%20Public%20Comment%202011/Draft%20Model%20WHS%20Regulations%20public%20comment/ModelWHSRegsMines15July2011.pdf Shrivastava, S., Sonpar, K., and Pazzaglia, F. (2009), Normal Accident Theory versus High Reliability Theory: A resolution and call for an open systems view of accidents, Human Relations, 62(9), pp1357-1390 Sklet, S. (2006). Safety barriers: Definition, classification, and performance. Journal of Loss Prevention in the Process Industries, 19(5), 494–506. Tepe, S., & Barton, J. (2009, October). OHS world views: Implications for practice of OHS in construction. In H. Lingard, T. Cooke & M. Turner (Eds.), Working Together: Planning, Designing and Building a Healthy and Safe Construction Industry. Proceedings of the CIB W099 Conference. Melbourne, VIC. Tijssen, S. C., & Links, I. H. (2002). Ways for SMEs to Assess and Control Risks from Hazardous Substances: Report of an International Workshop Held on 26 & 27 November 2001 (Research Report 014). Health and Safety Executive. Retrieved from http://www.hse.gov.uk/research/rrpdf/rr014.pdf Trbojevic, V. M. (2008). Optimising Hazard Management by Workforce Engagement and Supervision (Research Report 637). Health and Safety Executive. Retrieved from http://www.hse.gov.uk/research/rrpdf/rr637.pdf Turner, B. A., & Pigdeon N. F. (1997). Man-made disasters (2nd ed.). Oxford: Butterworth-Heinemann. Viner, D. (1991). Accident analysis and risk control. Melbourne, VIC: Derek Viner Pty Ltd. Weick, K. E. (2007). The generative properties of richness, Academy of Management Journal, 50(1), 14–19.