Preventing Corporate Accidents
Dedication
The author dedicates this book to 28 colleagues who died as a result of the explosion at the Nypro Chemical Plant at Flixborough, Lincolnshire, UK on 1st June 1974 and to all those injured, bereaved or in any way affected by the tragedy at the time and since. The book is written in the hope that it will contribute in a small way to the prevention of such accidents in the future.
Preventing Corporate Accidents An Ethical Approach R.B. Whittingham
Butterworth-Heinemann is an imprint of Elsevier
Linacre House, Jordan Hill, Oxford OX2 8DP, UK
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
First edition 2008
Copyright 2008, R.B. Whittingham. Published by Elsevier Ltd. All rights reserved
ISBN: 978-0-7506-8062-2
Contents
Preface
Part I: Companies at risk
Introduction to Part I
1 Management error
   Introduction
   Human error
   The corporate environment
   An ethical approach
   Afternote
   References
2 The corporate entity
   Introduction
   Corporate origins
   Corporate characteristics
   Corporate accountability
   Corporate manslaughter
   Critique of legislation
   Conclusion
   References
3 Corporate ethics
   Introduction
   Ethics
   Ethics and the law
   Individual ethics
   Corporate ethical behaviour
   The influence of human actors
   Managerial and professional ethics
   Conclusion
   References
Part II: Strategies to prevent corporate accidents
Introduction to Part II
4 Safety culture
   Introduction
   Culture
   Organizational culture
   Safety culture
   Changing the safety culture
   Case studies
   References
5 Understand the risk
   Introduction
   What is risk?
   Expressions of risk
   Risk assessment
   Risk perception
   Case studies
   References
6 Safety regulation
   Introduction
   Historical background
   Safety regulation in the UK
   Risk acceptance criteria
   The ALARP principle
   Reducing the regulatory burden
   Case studies
   References
7 Safety management
   Introduction
   Regulatory and standard setting approaches to safety management
   Auditing approaches to safety management
   Behaviour-based approach to safety management
   Analytical approaches to safety management
   A systems approach to managing safety
   Case studies
   References
8 The learning organization
   Introduction
   Organizational learning
   Learning from accidents
   Building a just culture
   Information disclosure
   Case studies in failures of organizational learning
   References
9 Corporate social responsibility
   Introduction
   Corporate ethical policy
   Corporate citizenship
   Corporate structure models
   Corporate social responsibility
   Case studies
   References
10 Conclusions
   Summary
   Part I: Companies at risk
   Part II: Strategies to prevent corporate accidents
   Case studies
   A better way forward?
   References
Appendix 1 Case studies in corporate manslaughter
   Introduction
   A1.1 The capsize of the Herald of Free Enterprise
   A1.2 The Southall rail accident
   References
   Disclaimer
Appendix 2 Case studies in corporate accidents
   Introduction
   A2.1 The loss of the space shuttle Columbia
   A2.2 The Davis-Besse nuclear power plant incident
   A2.3 The fire and explosion at the Conoco-Phillips Humber oil refinery
   A2.4 Children’s heart surgery at the Bristol Royal Infirmary, 1984–1995
   A2.5 The Tokai-Mura criticality accident
   A2.6 The disposal of the Brent Spar oil storage facility
   A2.7 The Tylenol incident, Chicago, Illinois, USA, 1982
   References
Appendix 3 Safety management tables
   Reference
Index
Preface
The idea of writing a book about corporate accidents followed completion of my previous book, which addressed the complex subject of ‘human error’ and its role in accident causation. The importance of the subject was underlined by the fact that according to the UK Health and Safety Regulator around 80 per cent of accidents are caused by human error. But when my last book was completed there still seemed to be unfinished business. I was particularly concerned with the part played by the corporate environment in causing (or preventing) accidents, an aspect which was outside the scope of my previous book. I therefore decided to investigate the subject of corporate responsibility for health, safety and environment and in particular the failures of corporate systems which have led in the past to serious accidents often involving many fatalities. The objective is to draw attention to the elements of these higher level systems which are essential to accident prevention in the hope that companies may be able to recognize and correct any deficiencies or improve their existing systems. It turned out that the subject matter is more related to legal, sociological and organizational studies than to engineering, psychology and ergonomics, the disciplines most relevant to my last book and with which most human factors practitioners are familiar. In the first part of the book I have dealt with subjects such as the nature of the corporation and how the legal concept of ‘corporate personhood’ is acted out by various stakeholders in order to fulfil the necessary responsibilities for accident prevention. The book also enters the difficult and sometimes controversial area of corporate ethics and later in the book it is shown how this is an important aspect of preventing corporate accidents. In the second part of the book I have selected six corporate systems which, I believe, when properly addressed, comprise important strategies to prevent corporate accidents.
In the process I have tried to identify what I believe are the most important elements of these systems regarding accident prevention. The choice of these corporate systems is supported by a number of detailed historical accident case studies described in appendices. If this book can go some way towards assisting companies and their directors, senior managers and safety experts to reduce the chance of a serious corporate accident then it will have fulfilled its purpose.
Part I: Companies at risk
Introduction to Part I
This book has been conveniently divided into two parts. Part II identifies the essential features of a number of critical corporate systems which, if not fit for purpose, may lead to a serious accident involving harm to people or the environment. The accident case studies included in the appendices at the end of the book bear powerful witness to the tragic consequences of such corporate failures. The lessons to be drawn from these case studies help to ensure that this text is grounded in reality and not overreliant on theory. Part II can be classed as the more ‘strategic’ section of the book since, drawing on the experience of the author and many other quoted sources, it describes the strategies which a corporation must employ to prevent a ‘corporate accident’, as defined in Chapter 1. Part I of the book is more foundational in that it prepares the ground for Part II by exploring some issues pertinent to the strategies for preventing corporate accidents. The role of human error in accident causation is an important and continuous theme in the book, but is examined here at corporate level rather than at the more usual level of workplace activities. Consequently, the first chapter examines the nature of ‘management error’ (as a subset of ‘human error’) and explores how it can lead to serious accidents, the root cause of which may often be found in defective corporate systems. Part I also examines the concept of the corporation in its historical evolution from the partnership or small ‘hands-on’ family business to the larger businesses owned by individual stockholders, who generally took little active part in the enterprise. This business model was the main basis of trade from the beginning of the twentieth century, but gradually evolved owing to economies of scale and through mergers and acquisitions into the huge international corporations which have come to dominate the world of commerce today. 
In this model, ownership is usually institutional or corporate rather than individual and this has led to an even greater separation between ownership and control. The effect of this separation, together with the principle of limited liability, has led to a situation where any philanthropic
instinct or sense of moral duty which owners might have displayed in the past has become largely subservient to the claims of profit and share price. The basic structure of the corporation is explored, including the curious and elusive legal fiction of ‘corporate personhood’. This is a device which enables the corporation to be treated as an artificial person under the law so that it becomes something other than an inanimate entity – a corporate body. This legal device allows the corporation to interact more effectively with other corporations, with government and with society at large. Also examined here are the underlying economic theories which have led to modern corporatism and to a large degree have determined its impact upon society both for good and for bad. Part I starts from the premise that the main reason for the existence of a corporation, apart from meeting the need of society for goods and services, is to generate a profit and increase the value of the company’s stock for its owners. It is well known that the profit motive can easily come into conflict with the legitimate expectations of society regarding corporate behaviour and the requirement to limit the potential harm that the company can cause to people and the environment. One of the ways in which this conflict is triggered is through the mechanism of ‘cost externalization’. This is a corporate ‘reflex’ which tries to maximize profits at the expense of uninvolved third parties. It was identified by the economist Milton Friedman, the Nobel Prize winner and guru of neo-classical economic theory in the 1980s. This mechanism is fundamental to the theme of this book and is described in more detail in Chapter 2. Government controls and regulation are the counter-mechanism by which the worst excesses of corporatism are contained. However, the book maintains that legal compliance defines only minimum standards of corporate behaviour.
This is because modern economic theory dictates that excessive government control limits entrepreneurial initiative and technological development. Over zealous regulation of business therefore needs to be avoided if corporatism is to deliver its full potential to the society it serves. The development of the modern corporation has produced huge benefits for society, but the process is always in danger of being overshadowed by a potential for societal harm. This has not gone unnoticed by the public, who now not only display a greater level of awareness about corporate failure but also have a greater aversion to unnecessary risk exposure. In the age of the internet and 24/7 media coverage, the glare of publicity which now illuminates corporate failure has resulted in a general raising of the expectations of society regarding corporate standards. Whenever there is a serious corporate accident involving major loss of life it stimulates an increased public desire for greater safety and justice for those who have been harmed by the accident. The result is often that government, responding to public concern, is prompted to take immediate action. Any serious mismatch between public expectation and corporate performance eventually leads to additional curbs being placed upon industry which may not always be proportionate to the actual risks being generated. In some cases, however, government action is justified and this has been demonstrated in recent decades by some prominent corporate manslaughter cases brought against large companies in the UK who failed in their duty to protect the public. When these prosecutions collapsed (for legal reasons which are outlined
in a later chapter and in Appendix 1) there were strident demands for errant companies to answer properly for their failures in a court of law. The result was the Corporate Manslaughter and Corporate Homicide Act 2007, in force from 2008, which aims to ensure that companies are successfully prosecuted and subject to appropriate penalties when they have been grossly negligent and society’s interests have been harmed. Apart from charges of corporate manslaughter, companies can be prosecuted under a wide range of other legislation varying from the Companies Act in the case of financial malfeasance to the Health and Safety at Work etc Act 1974, for industrial fatalities and injuries. Just as companies are increasingly held liable for the external consequences of the risks they generate, so the companies themselves are at risk from the sanctions that society will impose if a mistake is made; hence the title of Part I of this book, ‘Companies at risk’. These risks include not only heavy fines but also, more importantly, loss of corporate reputation, which can seriously damage customer confidence and sometimes threaten the very existence of the company. Senior company personnel face similar but more personal risks such as loss of freedom and career when they become implicated in a corporate failure to protect people and the environment. Whilst government regulation, particularly in the realm of health, safety and the environment, will always be necessary (and, indeed, compliance with regulation is a corporate strategy defined later in the book), it is suggested here that compliance alone is no guarantee of responsible corporate behaviour. This book suggests that if the modern corporation is to limit its own exposure to risk it needs not only to take account of its strict legal responsibilities, but also to subscribe to ethical policies which constitute a safety margin between normal and illegal operation.
The final chapter of Part I introduces the complex, and in today’s world increasingly relevant, subject of corporate ethics and how failures in ethical practice can easily stray into illegality. The ethical approach which stems from this chapter permeates the whole book. It is taken up in more detail in Part II, where it is shown how the modern company must, if it is to retain the trust and support of its stakeholders and customers, be prepared to take its rightful place alongside them as a responsible ‘citizen’ of society. This not only is necessary to minimize the detrimental effects arising from its operations (a rather negative motivation), but also will help to guarantee future business success; it has been well demonstrated that safe and responsible companies are also successful companies.
1 Management error
As we move towards the 21st century there is an ever-increasing awareness and expectation of the duties and responsibilities of large corporations in matters of health and safety. It is a sad fact that despite advances in modern technology from time to time major disasters occur. Often, perhaps more often than not, these are the result not of one isolated human error or technical failure, but a combination of several operating together. The corporation itself is in the best position to foresee and take steps to avoid such disasters, so why should it not be brought to book in the event of a culpable failure, so the argument runs. In one sense it can be through the strict requirements of the health and safety legislation. But a conviction does not carry the same stigma as a conviction for manslaughter and since one of the purposes of punishment is the emphatic denunciation by the community of the prohibited conduct as a crime, there is a compelling case for a company to be found guilty of manslaughter and punished accordingly when it is guilty of gross negligence that results in death.
Mr Justice Scott Baker, Regina v Great Western Trains Company Ltd [1]
Introduction
The title of this book refers to a particular type of industrial accident which the author has termed ‘corporate accident’ and which, at the very start, needs to be defined. Although it is possible that this term has already been used outside the remit of this book, to the author’s knowledge ‘corporate accident’ does not have any standardized or accepted meaning and he is able to begin with a clean sheet! Obviously, the meaning of ‘corporate accident’ will become clearer as the book proceeds, but for introductory purposes, here is a very simple definition:
A corporate accident is one whose ultimate root cause can be traced back to a failure of corporate systems.
In writing the book, as during most of his career in accident prevention, the author has been particularly concerned with major industrial or other accidents having severe consequence such as serious loss of life and/or asset damage. Such accidents have, in the past, tended to involve larger organizations whose operations pose a major hazard risk or some other kind of potential threat to their workforce and/or the public or environment if things go wrong. The book includes a number of case studies of corporate accidents, detailed descriptions of which are included in appendices and which are referred to extensively in the text. All these case studies happen to involve larger organizations and cover a wide range of industries as well as being international in their scope. The case studies include the US and Japanese nuclear industry, public transportation systems in the UK as well as accidents in the oil and gas, aerospace and medical sectors. They have been chosen because their root cause has been definitively established by others to be a failure of corporate systems reaching to the highest level of the organization. Sometimes, corporate accidents are so serious that they have led to a prosecution on perhaps the most serious charge that can be brought against a company, namely a charge of corporate manslaughter. When such prosecutions occur it is usually in relation to multiple-fatality accidents, particularly when members of the public have been killed, raising the level of society’s concern about safety in that particular sphere. It is natural, even if slightly sad, that the public aversion to multiple-fatality accidents is disproportionately greater than to single-fatality accidents which, in general, are much less newsworthy. The subject of societal versus individual risk and the perception of risk by the public is discussed in more detail in Chapter 5. The author does not wish to downplay in this book the seriousness of the many thousands of tragic accidents which occur every year resulting in single fatalities, serious injuries or occupational diseases.
Some statistics about such accidents are included in Chapter 5 to illustrate the gravity of this problem. In the case of the more serious accidents, which are the main subject of this book, prosecutions for corporate manslaughter have in the past been quite rare. Certainly in the UK, where charges have been successfully brought and companies found guilty this has, in every single instance, involved small companies where a senior person in the company, such as a director, has been closely associated or identified with the activities leading to the accident. The very few prosecutions for corporate manslaughter brought against large companies have always failed because of the so-called ‘identification’ principle required under common law in the UK. This principle did not allow the corporate body to be charged with a common-law offence unless a person of sufficient seniority could be identified and who could also be prosecuted for manslaughter. The reasons for this are explored in Chapter 2 of the book, which commences with an explanation of the legal basis of the corporate entity. The subject of corporate liability under the law is dealt with in the same chapter, together with a comparison of a company’s vulnerability to manslaughter charges in various countries. It also explores the degree to which new corporate manslaughter legislation has brought about greater justice for those affected by a serious accident. When commencing this book the author assumed that just as the study of workplace error is important to accident prevention (since it has been shown that about 80 per cent of accidents are due to human error), in a similar way, ‘management error’ at the administrative level will be important to the prevention of accidents resulting
from corporate failure. This initial assumption was largely borne out, but with some surprises. It was discovered that most managers, in an analogous way to workers at the shop-floor level, are often innocent victims of the systems which are imposed upon them and which they are obliged to follow. The main difference between ‘shop-floor errors’ and ‘management errors’ is the type of systems which govern the way work is carried out. This may be simplified to the distinction between ‘ergonomic’ systems in the case of shop-floor errors and ‘corporate’ systems in the case of management errors. This book therefore adopts a systemic approach to human error, as did the previous book [2]. In this case it deals primarily with corporate system failure and how to prevent it. A basic knowledge of ‘human factors’ principles, particularly concerning the ways in which systemic human error occurs, is essential for an understanding of this book. For those not familiar with these concepts, some basic principles are set out in the next section. At the level of workplace tasks, safe and effective working is highly dependent upon the ergonomics of the systems of work, using the term ‘ergonomics’ in its widest sense. This would include working instructions and procedures which define closely and often rigidly how the work is to be carried out, the training and experience of the worker, the complexity of the task in relation to this and the quality of the human–machine interface (i.e. the equipment provided to carry out the work). At the administrative or management level, conventional wisdom holds that there is a much greater degree of flexibility in the way work is carried out and the work of others is controlled. It is true that many decisions and practices at this level depend upon the professional judgement and experience of individual managers.
At the same time the work of managers is often guided, or sometimes strictly limited, by corporate systems which can constrain the degree of flexibility that is possible. In some cases, the requirements of corporate systems can override professional judgement and experience. If these corporate systems fail to take account of health, safety and environmental considerations then disastrous consequences can ensue. This is demonstrated by many examples and case studies in this book. It has to be concluded therefore that the main distinction to be made between human error (in hands-on workplace tasks) and management error (in strategic and administrative tasks) lies in the type of systems which govern the way they work. This may be simplified to the distinction between ‘ergonomic’ systems (in the widest sense of the word) and ‘corporate’ systems. That is why this book, as with the previous book, adopts a systemic approach to human error, but in this case dealing primarily with corporate system failure and how to prevent it.
Human error
Before addressing the main subject of the prevention of corporate accidents, it is useful to summarize the subject of human error, which was dealt with in the previous book [2]. There are two distinctive types of error which it is necessary to understand. These are active and latent errors, each of which is described below.
Active errors
As a human factors consultant, most of the human errors with which the author had to deal during a twenty-year career in accident prevention were those that occurred in the workplace, or as he prefers to call it, the ‘workface’. The workface can simply be defined as the interface between the worker and the machine or work environment. The main thesis of the previous book [2] was that nearly all human errors in industrial operations are systemic in nature: their origins can be traced back to defective systems – whether technological or procedural systems – in other words, the causes are to be found at the workface. Very few significant errors occur in a random fashion. Random errors are those which cannot be traced back to systemic causes, but arise from an unidentifiable internal human or psychological ‘malfunction’. By contrast, a systemic error is caused by an external ‘malfunction’ comprising some defective property of the work environment which degrades human performance, making an error more likely. Most errors at the workface are classified as ‘active errors’ because the effects or consequences of the error are usually observed or manifested immediately. An example of an active error is a train driver passing a red danger signal. As a result, the driver may be unable to stop in time to prevent a collision. The consequences of the error are revealed almost immediately the error has been committed. Either he overruns the red signal and brings the train to a halt by braking or there is an accident. Thus, whether the error results in an accident or not, it is still referred to as an active error. Clearly, active errors which may have resulted in an accident but did not, still need to be investigated so that the causes can be identified and corrected.
In a recent serious rail accident causing multiple fatalities a train driver failed to stop because he was unable to see clearly the danger signal ahead as a result of an obstruction due to modifications made to a gantry. This active error (called a SPAD or a signal passed at danger) was the ‘direct cause’ of the accident. However, it was not the ‘root cause’ of the accident. The root cause was a defective system, in this case the gantry modification which allowed the obstruction of a signal. It was found that a management failure had allowed the railway to continue in operation with an obstructed signal until the inevitable accident occurred. Most experienced train drivers had realized there was a problem and prevented a SPAD occurring by proceeding cautiously when approaching the signal. The obstruction had been reported to management on a number of occasions. It was not immediately corrected and the active error that caused the accident occurred on a day that a train was being driven by a novice driver working on his own for the first time. The main point at issue here is that the cause of the accident lay primarily not with the driver, but with the system that he relied on to operate safely. The natural conclusion reached in the previous book was that systemic errors are not the fault of the person making the error but, if blame is to be assigned, then it must be assigned to a person who is responsible for the defective system that caused the error. That is principally why the previous book was called The Blame Machine; so often when a serious accident has occurred the ‘blame machine’ goes into action and the person making the error is held responsible. The result of this is that the root cause of the
accident, the defective system and how it was allowed to cause an accident, is not discovered. When this happens the same error (and possibly the same accident) is doomed to be repeated indefinitely.
Latent errors
A ‘latent error’ occurs when the effects or consequences of an error are not immediately observed. The consequences are delayed and occur at a later time and often in a place which is remote from the source of the error. The most common types of latent error are found in management tasks (involving failures in decision making) and in maintenance tasks. A latent error in a maintenance task usually leads to equipment failure when an item of maintained equipment is put back into service at a later time. Although the error occurred during maintenance the consequences were not revealed until the maintained item of equipment was recommissioned. Clearly, the consequences of maintenance errors can be limited by proof testing of equipment. In a similar way to maintenance errors, the consequences of management errors are not always manifested immediately, but the effects are separated from the original event by time and space. Latent errors are particularly insidious because of this gap between the situation where the error occurred and the situation when the consequences are manifested. Unless latent errors are detected and corrected immediately or soon after they occur, the scenario of an ‘accident waiting to happen’ will be established. Management errors, as a subset of latent errors, form an important part of this book and are dealt with in more detail below.
Management error
The previous book [2] concentrated on human error at the workface, including both active operational errors and latent maintenance errors; it also briefly examined the problem of management error. Management errors are also latent errors, but they occur not so much at the workface but at the administrative and corporate levels of the organization. They may be manifested as senior managers making faulty decisions or failing to make a decision when one was required. Sometimes management errors are euphemistically referred to as ‘organizational failure’ or ‘organizational error’ and some authors make frequent reference to these terms. They are terms which are avoided in this book because when an organization fails or is in error it seems to imply that it happened in some vague and indefinable way which did not involve people. Clearly this is not possible. It is akin to the frequently quoted excuse in service organizations that a mistake has occurred because of a computer error; everybody knows that computers need to be programmed by people before they can do anything useful at all! When ‘organizational errors’ occur then ‘people’ need to be identified if the errors are to be avoided in the future. It is also important to recognize the distinction between the direct cause and the root cause of an accident, since these terms are used frequently throughout the book. A simple definition is that the direct cause of an accident provides us with information about how the accident happened, whereas the root cause will tell us why the
accident happened. Clearly, if only the direct cause of the accident is established and corrected, it is likely that the accident will be repeated. If the root cause is also identified and corrected, then this accident and similar accidents can be avoided in the future. These distinctions and the theories underpinning them are explored in more detail in Chapter 8. In the case of the rail accident referred to above, resulting from a SPAD, the active error committed by the driver was the direct cause of the accident. The management failure or error which allowed the red signal to become obscured was a root cause of the accident. The root cause here can in theory be traced back to a management error in the project department which designed the modifications to the gantry which obscured an existing signal. This was probably what is called, in human factors parlance, an ‘error of commission’, since somebody actually did something wrong. However, another management error within the operations department was another root cause of the accident; this was an ‘error of omission’, since it was a failure to act when the problem was reported by train drivers. This may be an over-simplification of the actual scenario, but it illustrates the different sorts of error which can occur. In the same way that the root cause of an accident caused by active errors may be located within the systems which control the way work is carried out, so the same principles can be applied to management errors. In this case, the root causes could be postulated to lie in one or more of the following categories:

1. Failure of professional judgement
2. Lack of experience
3. Inaccurate information on which to base decisions
4. Insufficient information on which to base decisions
5. Wrongly influenced or instructed by superiors
6. Defective corporate systems.
Other causes could well be added to this list. However, any or all of causes 1–5 could be subsumed within category 6, defective corporate systems. For instance, it is quite possible that failures of judgement and experience occur because managers are allowed by the company to work outside their level of expertise: that could easily be attributed to a failure of a corporate system. This might, for instance, be due to a corporate financial system which required staff cutbacks, resulting in shedding of qualified staff so that the existing staff had to take decisions for which they were unqualified. In this case, the corporate system is defective since it did not fully take account of the potential consequences of the cutbacks. Such a scenario is not unknown. The corporate system failure then becomes a potential root cause of an accident. Such accidents and the strategies to prevent them constitute the main theme of this book. It is sometimes quite difficult in accident investigation to tease out the exact sequence of decision making which took place in the run-up to an accident, and even more difficult to identify when and where specific management errors occurred. It may be rather obvious to the investigator that errors were made by managers, but it is sometimes difficult to ascertain the precise nature or circumstances of those errors. As a result, accident inquiry reports have a tendency to delve deeply into the direct
cause of an accident such as a human error at the workface, while providing much less detailed information about the root causes at management level. The facts surrounding failures at the workface are often identified in great detail with photographs and diagrams to illustrate what has occurred. For an active error, the ergonomics of equipment design are analysed and compared with best practice in order to identify the defects which made an error more likely. Whereas active errors at the workface are explained in terms of defects in the human–machine interface, this is rarely the case with management errors. When management errors have occurred, the reports often refer to these failures in a generalized way, but are distinctly vague about why these failures happened. There is, unfortunately, no organizational ‘black box’ to be decoded following an accident. Sometimes it is possible that the passage of time, the blurring of memories and the natural desire of people not to reveal their mistakes may hinder the process of uncovering the full story. It has to be acknowledged that with management errors, even if it were possible to identify with any precision the errors which were actually made, it would still be difficult to determine from the circumstances exactly why the errors occurred. It is, however, possible to examine the corporate systems which might have allowed or encouraged errors or failures at management level. If corporate systems are at fault, then this has to be an important high-level root cause which must be corrected if future accidents are to be prevented. The previous book showed how, in the case of workface errors, merely correcting the direct cause of an accident (e.g. driver passed a signal at danger corrected by disciplining the driver) will not prevent future accidents so long as the root cause remains untouched (why the obscuration of the signal happened). 
In the same way, merely identifying specific management errors (and perhaps sacking the manager) will not necessarily get to the root cause of the accident. The detail of what actually happened in the manager’s office prior to the accident may be of interest to an accident investigator, but the reasons why it happened are much more important. Deficiencies in corporate systems which remain uncorrected will continue to wreak havoc within an organization, inevitably leading to accidents whose locus lies at the very heart of the company.
Common cause failure

The concept of common cause failures (CCFs) is relevant to understanding the root causes of management error. Common cause failures are defined as ‘external mechanisms which have a common effect on two or more (activities or) items of equipment’ [2]. It is a concept which is frequently used in reliability analysis of both human and equipment failures to model combinations of events. Simple probability theory shows that the chance of two or more independent failure events occurring at exactly the same time is extremely small. This is because the combined probability is calculated from the mathematical product of the independent failure probabilities. When the latter are extremely small, the combined probability is even smaller. However, this depends upon the events being completely independent of one another. In industrial systems this hardly ever occurs. Usually some common cause will intervene to produce multiple failures at a greater frequency than would be expected
from the independent failures. The common cause may, for example in the case of equipment, be the failure of a common electricity supply to two electrical items which would otherwise appear to operate independently. The probability of the CCF therefore dominates the very small probability of the combined independent failures, which becomes negligible by comparison. Without the use of CCF modelling, the overall failure probability of an industrial system is likely to be underestimated. These principles apply in much the same way to both human failures and equipment failures, although the techniques which are used to apply CCF modelling may differ. Experience suggests that whenever there is a concurrence of apparently independent failure events there is a good chance that the failures will stem from a common cause. The common cause probability will be much higher than the joint probability of the events occurring independently. It seems feasible to apply the same principles to management errors which have occurred in different parts of a company and where the joint effects may lead to a corporate accident. For instance, in the example of the signal passed at danger, at least two separate management errors must have occurred, corresponding to failures in the project and operations department. This common cause is most likely to be found in a failure of corporate systems which affected both departments. This failure, if at a sufficiently high level, can clearly have a wide influence on management effectiveness throughout the organization. This may lead to critical management failures in almost any area of a company’s activities which either separately or in combination may have the potential to cause an accident. This would meet the above definition of a corporate accident. 
This book suggests therefore that the common cause for most management errors is likely to be deficiencies in the corporate systems which, on a daily basis, control the way in which managers undertake their work activities. In the process of accident investigation it is therefore important that the contribution of any defective corporate systems is identified.
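The common electricity supply case described above can be worked through numerically. The following is an added example, not taken from the book: it computes the exact failure probability of a group of redundant items with and without a shared supply, and goes beyond the two-item case to show that adding a third item barely helps once a common cause exists. The probabilities and all names in the code are constructed assumptions.

```python
"""Added example: redundant items with and without a common cause failure.

All probabilities are constructed for illustration; they are not from the book.
"""
from itertools import product

P_ITEM = 1e-3    # assumed chance that one item fails on its own, per demand
P_SUPPLY = 1e-4  # assumed chance that the shared electricity supply fails


def top_event_probability(basic_events, system_fails):
    """Exact probability that system_fails(state) is true.

    basic_events maps an event name to its probability of occurring.
    Every combination of outcomes is enumerated, so an event shared by
    several items is counted once rather than once per item.
    """
    names = list(basic_events)
    total = 0.0
    for outcome in product((False, True), repeat=len(names)):
        state = dict(zip(names, outcome))
        weight = 1.0
        for name in names:
            p = basic_events[name]
            weight *= p if state[name] else 1.0 - p
        if system_fails(state):
            total += weight
    return total


def compare(n_items=2, p_item=P_ITEM, p_supply=P_SUPPLY):
    """Compare the independent estimate with the common cause model."""
    items = [f"item_{i}" for i in range(n_items)]

    def all_fail_independent(state):
        # The system is lost only if every item fails on its own.
        return all(state[i] for i in items)

    def all_fail_shared_supply(state):
        # An item is down if it fails on its own or the supply is lost.
        return all(state[i] or state["supply"] for i in items)

    independent = top_event_probability(
        {i: p_item for i in items}, all_fail_independent)

    events = {i: p_item for i in items}
    events["supply"] = p_supply
    with_ccf = top_event_probability(events, all_fail_shared_supply)

    return {
        "independent": independent,
        "with_ccf": with_ccf,
        # How far the independent estimate understates the risk.
        "underestimate_factor": with_ccf / independent,
        # Fraction of the true risk contributed by the common cause.
        "ccf_share": p_supply / with_ccf,
    }


if __name__ == "__main__":
    for n in (2, 3):
        r = compare(n)
        print(f"{n} items: independent={r['independent']:.3e} "
              f"with CCF={r['with_ccf']:.3e} "
              f"factor={r['underestimate_factor']:.0f} "
              f"CCF share={r['ccf_share']:.4f}")
```

With these assumed figures the independent estimate improves a thousandfold when a third item is added, while the estimate that includes the shared supply hardly moves.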
The corporate environment

One of the main premises of this book is that within the corporate environment there is a systemic source of root causes which can influence management behaviour and potentially lead to accidents. It has been suggested above that there is a strong analogy with the systemic nature of workface errors described in the previous book [2]. In other words management errors are also systemic, caused not by indefinable human malfunctions but by the failure of systems upon which the human, in this case the manager, relies to operate safely. If these corporate systems are faulty or defective in any way then the number of management errors will increase and so will the frequency of accidents. Except for the fact that managers have much greater freedom in the scope of the decisions they can make, it is suggested that the analogy with systemic active errors is fully justified. Just as it is difficult to identify precisely where management errors occurred and how they were caused, so it may not always be possible to understand the exact way
in which a defective corporate system led to the error being made. The case studies set out in Appendices 1 and 2 are used as examples of the failure of corporate systems which should have prevented the accidents. Above all, they illustrate the complexity of the root causes of an accident. In almost every case, these root causes stretch back in time, setting up the potential for latent errors long before the accident occurred. Sometimes we talk facilely about ‘an accident waiting to happen’ but, as shown above, latent errors are prone to lead to such a scenario. This is no less the case for accidents caused by corporate failures, which all seem to bear the hallmark of an accident waiting to happen. An examination of the case studies in Appendices 1 and 2 quickly reveals that in every case no one corporate system could be singled out for responsibility. Invariably, for each accident described there was a set of failures attributable to a number of root causes which had come together over a period of time to cause an accident. In order to impose order and investigate the potential influence of corporate system failure on accident causation it was necessary to develop some kind of taxonomy of corporate systems. Even though management errors are being considered here as systemic, it was considered beneficial for the purposes of the book to refer to a ‘corporate system’ as a ‘strategy’. This enabled the specific aspects of corporate systems which are important for accident prevention to be better identified and developed. Part II of the book is therefore entitled ‘Strategies to prevent corporate accidents’. The strategies which need to be developed to prevent corporate accidents were categorized in the following simple taxonomy, which provides the breakdown of chapter headings for Part II of the book:
• Chapter 4: Safety culture
• Chapter 5: Understand the risk
• Chapter 6: Safety regulation
• Chapter 7: Safety management
• Chapter 8: The learning organization
• Chapter 9: Corporate social responsibility.

Each of the strategies listed above makes its own unique contribution to a safe corporate environment. However, when investigating the failures of corporate systems lying behind the accident case studies it was possible in most cases to identify more than one strategy which was defective. This can be seen by reference to the table in Appendix 2, which attempts to correlate each of these accidents with its principal root causes. It has to be borne in mind, however, that the author’s interpretation has, of necessity, been based upon reasonably accessible information, usually publicly available accident reports and court proceedings. Other interpretations may well be possible and are not necessarily excluded by this interpretation. Similarly, the components of the defences listed above and which are described in each of the chapters of Part II are those which, in the author’s understanding and experience, are considered to be the most essential. No claim is made that these descriptions are necessarily fully comprehensive and the need for other or different components cannot be excluded, especially when particular corporate circumstances are taken into account.
An ethical approach

This book claims to adopt an ethical approach to preventing corporate accidents. This approach derives from a study of the ‘corporate entity’ in Chapter 2. The chapter examines the way in which the legal device of ‘corporate personhood’ has evolved over the centuries to enable the corporation to interact effectively with people, the state and other corporations. It also examines the legal accountability of corporations, and in particular the responsibilities of company directors and senior managers for health, safety and the environment. This necessitates the study of corporations in relation to criminal offences and particularly the common-law offence of manslaughter, since this has arisen in the context of a number of corporate accidents. Case studies of these accidents are included in Appendix 1. Arising out of these cases, specific corporate manslaughter legislation for the UK passed through parliament in July 2007 to be in force from April 2008. This is discussed in Chapter 2. Because of the complexity, and in the interests of brevity, these legal matters have been explained as simply as possible in layperson’s terms. As a result, the author would like to stress that this book is not a reference book providing legal advice for actual situations, where it is always essential to seek the help of experts in the field. However, corporate manslaughter per se is not the main concern of this book. Rather, it is used as an example of how companies can run foul of the law owing to the absence of effective corporate strategies to prevent the sort of accidents which may lead to a court case. Obviously, there are many more successful prosecutions for breaches of health and safety law than there are for corporate manslaughter. This is because health and safety is mainly enshrined in statute law rather than common law, so that the chance of successful prosecutions is much greater. 
In some cases these prosecutions involve extremely serious charges leading to large fines, loss of corporate reputation or even prison sentences. Although the behaviour of the corporate body in respect of managing its risks is subject to government regulation, the book maintains that this only determines the minimum standards the company must achieve for compliance with the law. In fact, it will be found that companies are much more highly regulated in terms of financial probity than they are in terms of the health and safety impact on those affected by their operations. Company directors, for example, have strictly defined legal responsibilities for managing the company’s finances, but have little legal responsibility for managing its health and safety standards. Because legal compliance with health, safety and environmental regulations is effectively a minimum standard, it is necessary to examine the degree to which companies should incur expenditure to exceed these standards. The legal purpose of most companies, their raison d’être as discussed in Chapter 2, is to increase the wealth of the stockholders in terms of profits and share value. However, if this were the sole purpose of a company and if it were consistently achieved at the expense of other duties and responsibilities to society, then it is suggested that eventually the company would find itself operating at the boundaries of illegality as far as health and safety law was concerned. However, few would argue today that companies have no responsibilities other than that of the profit motive. As Mr Justice Scott Baker in
the court case Regina v Great Western Trains Company Limited remarked, ‘there is an ever-increasing awareness and expectation of the duties and responsibilities of large corporations in matters of health and safety’. The expectations of the public about the behaviour of corporate bodies have increased greatly over the past decade. This has prompted many companies to examine whether their performance matches up to ethical standards in addition to legal compliance. This inevitably leads us to examine the subject of corporate ethics in Chapter 3, a chapter which is key to the rest of the book. The ethical approach taken here attempts to place corporate behaviour along the same moral spectrum that would govern human behaviour. This is in order to identify any analogies which could point to any natural motivators that might exist for corporate ethical behaviour. In the human sense, the moral spectrum varies from mere politeness at the lower end to illegality at the upper end, with many different shades of ethical behaviour in between. It raises the important question whether a company, as an artificial ‘person’ under the law, is capable of behaving ethically without voluntary restraints being built into the corporate structures. It is concluded that companies which behave ethically are more likely to avoid serious accidents but in order to attain this, corporate strategies must be in place for the guidance of employees, managers and directors. Richard Breeden, Former Chairman of the US Securities and Exchange Commission, is quoted as saying, ‘. . . those managers who define ethics as legal compliance are implicitly endorsing a code of moral mediocrity. It is not an adequate ethical standard to get through the day without being indicted’. Although this was said in the context of financial compliance, it is maintained throughout this book that the argument remains valid in terms of legal compliance with health, safety and environmental regulation. 
The ethical approach outlined above and which is adopted by this book, is designed to help companies minimize the chances of experiencing a serious accident. It tries to emphasize the principle behind a disclaimer given out by many institutions when supplying financial products to the general public: ‘past performance is no guarantee of future results’. So often, health and safety statistics about accidents in the workplace are used as the sole measure of the company’s health and safety performance and therefore as an indicator of its future liability for accidents. While such statistics are important in measuring progress in reducing workplace accidents, recent studies have shown that there is little correlation between such statistics and the chance of a company experiencing the sort of corporate accidents which are described in this book: the ‘accidents waiting to happen’. The corporate strategies that companies will need to have in place to prevent these more serious accidents are described in Part II of the book, but it is maintained that the motivation to adopt these strategies is founded on ethical principles.
Afternote

The author acknowledges that some readers of this book may form the opinion that it is anti-corporate in its overall theme and in the way some of the subject matter is treated.
This is not the intention and it is fully acknowledged that the corporate entity in its relatively short history, as outlined in Chapter 2, has contributed enormously to improvements in the well-being of humankind on a global scale. Inevitably, since the book is focusing on corporate failures which have caused serious accidents, it is unsurprising that when writing about some aspects of corporatism the text will seem to be quite critical. This is not meant to detract from the reality that most companies not only operate within the law, but take great care that the way in which they conduct their business is informed by ethical principles. The author considers that the purpose of the book will have been fulfilled if companies are helped to identify areas where improvements or changes can be made to corporate systems, thus reducing the potential for harm to people, society and the environment.
References

1. Mr Justice Scott Baker, Regina v Great Western Trains Company Ltd [1999] LTL C7800570, after the Southall rail disaster, September 1997.
2. Whittingham, R.B. (2004). The Blame Machine: Why Human Error Causes Accidents, Oxford: Elsevier Butterworth-Heinemann.
2 The corporate entity

Did you ever expect a corporation to have a conscience, when it has no soul to be damned, and no body to be kicked?
Baron Thurlow (1731–1806), Lord Chancellor of England [1]
Introduction

The aim of Part I of the book is to study the relationship between the corporate systems of governance (which direct the affairs and operations of the company on a day-to-day basis) and the impact of those systems on the health, safety and welfare of the workforce, the public and anybody else affected by corporate activities. In particular, Part I will examine how the legal, moral and ethical aspects of corporate governance influence safety and how failures in these areas have led to serious accidents, in some cases with managers and directors appearing in court on charges of corporate manslaughter. This chapter will first of all examine the way that the modern corporation has evolved historically from its earliest origins to the era of globalization. This is in order to identify any vulnerable features of the corporate entity which may lead to corporate failure and for which suitable strategies may need to be adopted. For the purposes of the book the terms ‘corporation’ (mainly in the USA) and ‘company’ (mainly in the UK) are regarded as synonymous. However, in general, the ‘corporation’ will be referred to as the ‘company’, ‘corporate body or entity’ or in some cases simply the ‘organization’. Non-corporate bodies or non-profit organizations (NPOs) are not excluded from the scope of this book and a number of accident case studies in Appendix 2 refer to this type of entity. Whilst the direct causes of corporate failure may be traced to the action (or inaction) of individual managers and decision makers, already referred to as ‘management error’, the root causes are more likely to lie within the corporate systems that govern the way in which the company conducts its business. It is important therefore to examine the inherent nature of the corporation and how it is
constituted and constrained by corporate systems which in some cases may conflict with the requirements of health, safety and environment. Wherever possible, such conflicts will be illustrated by specific case studies, either in brief within the chapter or in more detail in Appendices 1 and 2.
Corporate origins

The word ‘corporation’ is derived from the Latin word corpus or body, in this sense referring to a body of people. It is defined by the Oxford English Dictionary as a ‘group of people authorized to act as an individual’. This interesting definition introduces a theme that occurs repeatedly throughout this book: the concept of corporate personality or corporate personhood. The precise definition of a corporation will depend upon the legal system of the particular country in which it is incorporated. However, there are many common features which are concisely summarized in the following definition originating from the US legal system:

An aggregate corporation is an ideal body, created by law, composed of individuals united under a common name, the members of which succeed each other, so that the body continues the same, notwithstanding the changes of the individuals who compose it, and which for certain purposes is considered as a natural person. [2]

The concept of a corporation having the capacity of acting as an individual, yet unlike an individual having perpetual succession, is important to themes explored later in this book. The managers, directors and owners of the corporation may come and go, but the corporate body continues until the day it is dissolved. The concept of the corporation goes back at least as far as Ancient Rome and many of its original characteristics can be seen today. For instance, it was always necessary for the existence of a corporation to be sanctioned by the state and to have a number of stockholders who invest money in a joint enterprise for a specific and stated purpose. The corporation ultimately evolved into a joint group entity which could have a separate identity from the people who owned it, known as its members. This introduces the idea that a corporation was more than the sum of its members and could continue a perpetual existence even after their death. 
This concept is fundamental to modern corporate theory and it paved the way for the development of the modern corporation which really began in England during the seventeenth century at the time of the Enlightenment. Before this, most trade had been conducted by entrepreneurial individuals or partners in business who owned and operated their concerns assisted by paid labour. However, single ownership businesses or partners had always been restricted in the amount of capital they could raise to expand their trade or manufacture. They were limited in effect to pooling their own resources to source the business. Following the Industrial Revolution, it was clear that the increased demand for capital could only be met by the formation of joint stock
corporations. For example, the capital raised to construct railways in England increased from £200,000 to £230 million between 1825 and 1849 [3]. By the mid-nineteenth century, company stock was being bought up not only by the wealthy but also by the new middle classes of Victorian England. The development of centralized factories located in the expanding industrial cities and powered by coal and steam accelerated throughout the nineteenth and twentieth centuries in the UK, developments mirrored in the USA and other industrializing countries. The resulting surge in international trade, fuelled by increasing industrialization in the Western world associated with the import and export of manufactured goods and raw materials, ultimately led to the so-called era of ‘globalization’ which exists today. The gradual acquisition or merger of smaller companies to form larger and larger organizations increased in scale and scope during the latter half of the twentieth century. This eventually culminated in the formation of large transnational companies (TNCs) whose main operations are based in countries peripheral to the organization’s host country. The total turnover of some TNCs exceeds the gross national product of some of the countries in which they operate. An unfortunate consequence of this is that the operations of TNCs can have a serious impact on the health, safety and environmental conditions in these overseas countries where regulation may not be as strict as in the host country. This can increase the attractiveness of overseas operations, enabling companies to increase profits at the expense of health, safety and the environment. In 1984, in Madhya Pradesh in India, the chemical processing plant of Union Carbide India Limited (UCIL) became the site of the world’s worst industrial accident. 
When water inadvertently entered a methyl isocyanate (MIC) storage tank a runaway reaction ensued which quickly spread a poisonous gas cloud over the neighbouring township of Bhopal, causing the deaths of at least 3000 residents, with an estimated 500,000 injuries. A $470 million legal settlement was eventually agreed by the Union Carbide Corporation (UCC) of the USA with the Government of India which went towards settling claims for damages by the victims of the accident. Inquiries into the disaster showed the direct cause of the disaster to be the injection of water into the MIC tank which had occurred owing to human error during maintenance operations. However, later investigations revealed that one of the main root causes of the accident was that safety, operational and maintenance standards at the Indian plant were far inferior to those that existed at a similar chemical plant owned by UCC and located in the southern USA. It is perhaps the earliest and certainly the most prominent example of how corporate accidents can arise owing to a lack of oversight by the directors and senior managers of the company in the host country, of operations in a peripheral country. On the more positive side, the advantage of globalization is the potential for exporting the best health, safety and environment policies and practices of the host countries, where these may be mandatory, to other regions of the world where they are not. Economically, globalization is integrating lower income nations into global product markets, which should eventually allow developing nations to move up the value chain rather than just producing low-wage and labour-intensive goods to compete in the markets of developed countries.
Corporate characteristics

The capitalist system

In most industrialized countries of the modern world, the system known as capitalism has been adopted as the prevailing economic model. Capitalism, unlike the socialist command economies such as existed in the Soviet Union from 1917 to 1989, embraces the concept of private property and ownership of the means of production, distribution and exchange. It operates on the principle that all economic transactions are allowed to take place under conditions of free and unfettered trade. In a free-market economy, individuals or companies trade, bargain, cooperate or compete with each other in order to determine the availability and pricing of goods and services. Under the capitalist system, the prime purpose of the rule of law is to establish and protect private property so that the market can operate freely. In order to allow free and unfettered operation of the market, capitalist dogma maintains that the minimum amount of government control is necessary. At its extreme, this is represented by the classic economic model based on the eighteenth century ideas of laissez-faire. Laissez-faire is a French expression literally translated as ‘let do, let pass’, and was first used as an appeal against government interference with free trade. The famous moral philosopher Adam Smith (1723–1790) was the founder of the modern discipline of economics. In his book The Wealth of Nations, he was one of the first to realize that the market could invisibly correct for shortages and surpluses of goods merely through the price and profit mechanism, without the intervention of government or other external controls [4,5]. Smith’s book is probably the most influential ever to be published on economics and even today forms the underlying basis for any defence of capitalism. One of the more important defences of capitalism, first discerned by Smith, was the idea of the ‘invisible hand’. 
This stems from the concept that the whole community benefits when individuals act in their own self-interest, even though they have no particular regard for service to the community except in the provision of goods and services for profit. He wrote:

As every individual, therefore, endeavours as much as he can both to employ his capital in the support of domestic industry, and so to direct that industry that its produce may be of the greatest value; every individual necessarily labours to render the annual revenue of the society as great as he can. He generally, indeed, neither intends to promote the publick interest, nor knows how much he is promoting it. By preferring the support of domestick to that of foreign industry, he intends only his own security; and by directing that industry in such a manner as its produce may be of the greatest value, he intends only his own gain, and he is in this, as in many other cases, led by an invisible hand to promote an end which was no part of his intention. Nor is it always the worse for the society that it was no part of it. By pursuing his own interest he frequently promotes that of the society more effectively than when he really intends to promote it. I have never known much good done by those who affected to trade for the publick good. [5]
Although Adam Smith popularized the idea of laissez-faire capitalism he also had a number of moral reservations which, fairly quickly, proved to be thoroughly justified. Even Smith was able to see that the pure market mechanism when left to its own devices may produce unacceptable distortions in society and that it would be the weak and vulnerable who would pay the price of success. With regard to the interference of government he wrote:

Whenever the legislature attempts to regulate the differences between masters and their workmen, its counsellors are always the masters. When the regulation, therefore, is in favour of the workmen, it is always just and equitable; but it is sometimes otherwise when in favour of the masters.6

The publication of The Wealth of Nations in 1776 is usually considered to mark the beginning of classical economics upon which the understanding of modern capitalism is largely founded. The free-market ideas of classical economics later developed into more accurate models of how an economy operates. This became known as neo-classical economic theory. The neo-classical model fell out of favour in the decades following the Second World War when the theories of the British economist J. Maynard Keynes (1883–1946) were adopted by Western governments. The classical and neo-classical models had held that employment should be left to reach a natural equilibrium according to the laws of supply and demand. In contrast, Keynesian theory proposed that governments should ‘prime the pump’ through government borrowing for job creation programmes. This suggested that unemployment could be remedied by government control of the economy through increased public spending and/or reduced taxation, thereby adjusting the level of demand. Government intervention was believed to be necessary in order to avoid a repeat of the general economic collapse which resulted in the Great Depression of the 1930s.
However, in more recent decades, thanks to economists such as Milton Friedman, neo-classical theory has returned to dominate the operation of the world’s leading market economies, this process having been started in the 1980s under the governments of Margaret Thatcher in the UK and Ronald Reagan in the USA. This is further discussed in the context of corporate social responsibility in Chapter 9.

The discernment of economists like Adam Smith and those who followed after him enables us to identify some of the potential disadvantages of the capitalist system. For the purposes of this book, these disadvantages need to be identified in order to understand fully the potential root causes of corporate accidents, which are discussed later. This is not to undermine the huge contribution made by the capitalist system to the progress and well-being of humanity. At the same time, corporatism, as the modern face of capitalism, undoubtedly possesses a number of inherent dangers which, if not subject to some form of control, either by government or by the companies themselves, can cause harm to people and the environment. People who are potentially at risk include the company workforce, customers, neighbouring communities and the general public. The environment can be harmed in a variety of ways including pollution of the air and ground from the by-products of industrial processes. Any of these dangers may be realized during a company’s normal
operations, but are most frequently revealed through the incidence of a corporate accident. The consequences of this extend beyond the people and the environment affected to include the company’s own finances and reputation, perhaps even threatening the future of the company itself. The strategies that need to be put in place by companies to limit these potential risks form the main subject matter of Part II of this book.
The dangers of corporatism

Cost externalization

Most of the critiques of the capitalist system put forward by its detractors, from the time of Adam Smith to the present day, tend to include the following issues:
• exploitation of the workforce (including, in the Victorian era, the use of child labour and profiteering from slavery)
• economic exploitation of other countries as sources of raw materials and cheap labour
• plundering of natural resources (e.g. deforestation due to excessive logging of timber, depletion of fish stocks, open-cast mining) leading to environmental damage
• pollution of the environment through disposal of waste products and harmful discharges
• lack of concern for safety and welfare of the workforce and the public by allowing them to be put at risk from the company’s activities.
These can all be summed up as the innate propensity of the corporate body, as far as possible, to ‘externalize the costs’ of doing business in order to maximize profitability. Historically, this process of externality has taken place at the expense of the vulnerable and less powerful sections of society, such as the workforce and the public as well as the environment. It operates on the principle that every cost that can be externalized is a cost that the company does not have to pay, thus increasing the amount of profit that can be generated. Milton Friedman (1912–2006), the prominent economist and Nobel prize winner, was a leading advocate of laissez-faire capitalism and was the chief proponent of neo-classical economic theory. He defined an externality as: the effect of a transaction between two individuals on a third party who has not consented to, or played any role in the carrying out of, that transaction.6 Externalities can also involve the transfer of potential costs to the company on to assets that are not owned by the company. Thus, a company uses the public road network to transport its goods to its customers, its security is protected by the police and defence establishments, it is able to discharge greenhouse gases to the atmosphere, thus externalizing its costs on to future generations. Of course, it can be argued that the company pays at least part of these costs in corporation tax and other taxes on profits. The main defence against the worst excesses of unfettered capitalism has been government regulation. Business, however, has always tended to view external
regulation as a ‘dead hand’ which rests heavily upon the free-market mechanism, inhibiting entrepreneurialism, efficiency and profitability. It is often seen as imposing onerous, complex and sometimes unnecessary and conflicting rules. As a result, in the modern world, the lobbying of governments to reduce business restriction and interference has become a major enterprise in itself. Some companies have, yet more cynically, come to see the imposition of fines, damages and penalties resulting from infringements of regulations as merely an additional cost of doing business. The penalty may well be recouped from the cost savings of the externality which led to the infringement. Government regulation and control as a strategy to prevent corporate accidents is discussed in more detail in Chapter 6.
Limited liability

The earliest joint stock companies formed were effectively a special kind of partnership where the partners in the company, called stockholders, received ‘shares’ to represent their contribution to the company’s stock. Holding these shares meant that the individuals possessed both ownership interest and decision-making power in the company. The main distinctive feature was that stockholders were free to sell their shares to other people without requiring consent from the company. In a normal partnership an interest could only be transferred if all the partners agreed to it. This arrangement made the raising of capital much more flexible. The profit that each stockholder received was in proportion to the value of the shares that they owned. Thus, if a stockholder held 10 per cent of the stock, he would receive 10 per cent of the profits. At the same time, however, if the company made a loss, then he would be liable for 10 per cent of the company’s losses. This potential loss situation had the effect of limiting the availability of capital particularly from investors with limited means, since if the company were unable to meet its debts, the stockholders could be personally bankrupted.

In order to reduce the risk to stockholders and make stockholding more popular, the principle of limited liability was introduced in the UK in 1851. Under this arrangement, a stockholder would only be liable for the value of the shares that he held, irrespective of the fortunes of the company. Thus, if a stockholder held £1000 worth of stock and the company failed and went into liquidation, then the maximum amount of money that he could lose would be £1000. In addition, directors of the company would not have any personal liability for the company’s debt, except in the event of fraudulent trading or where personal guarantees had been given. In addition, the stockholders would not be responsible for any criminal or civil offences committed by the company.
The principle of limited liability had the desired effect of successfully introducing small investors into the business of stockholding by reducing the risk to their personal assets. It was even suggested at the time that this mechanism of limited liability could bring an end to class conflict by giving workers a financial interest in the companies which employed them. However, voices of dissent argued that the system of limited liability should be opposed on moral grounds since it effectively removed from investors the responsibility for the way the company, of which they were part owner, was operated. Prior to limited liability, the ever-present risk of personal
bankruptcy concentrated the mind of the stockholders and gave them a much greater incentive to satisfy themselves that the management was carrying out its duties diligently and effectively. Limited liability companies became part of corporate law in England from 1856 onwards and the same principle was adopted progressively across the USA during the latter part of the nineteenth century. The earliest limited companies tended to be family owned, the shares being kept within the family. Later, stock exchanges were set up where shares could be traded publicly, leading to the public limited company (or plc in the UK) which, today, is the normal business model in the UK for anything other than very small firms. It should be noted that limited liability also applies where the stockholder is not an individual but is another company such as a parent company. In this case the parent company is protected from liability for its subsidiary by what is known as the veil of incorporation. The overall result has been that the owners or stockholders of the corporation have, during its evolution over the centuries, become increasingly distanced from the way the company is operated. Very few businesses are now operated as partnerships or family-owned concerns where the owners of the business are also the management. In fact, ownership by individuals is now the exception rather than the rule; companies today tend to be owned by other companies. The concept of limited liability has thus come to intervene between ownership and control. Because of this, the ownership may not always fully recognize its ethical responsibilities, an issue discussed in more detail in Chapter 3. Limited liability is important in the context of this book. When a corporate accident occurs, the responsibility for the failure clearly must lie with the directors and senior managers of the organization.
Any corrective actions which are to be successful in preventing future accidents must be aimed at this level in the organization. However, the financial detriments arising from the accident are borne not by the management (who are merely employees) or by the owners of the company (who have limited liability), but by the company itself. This makes it necessary in the following sections to examine more closely the nature of the company in respect of its accountability.
Non-corporate organizations

Although this book is primarily interested in corporate accidents, resulting from management failures or failures of high-level systems in corporate bodies, there are many other types of non-incorporated organization which can present serious accident hazards as a result of their operations. These are referred to here by the generalized term of non-profit or not-for-profit organizations or NPOs. Quite often these will be set up to promote specific causes of private interest or public concern, but which do not primarily involve monetary profit. NPOs are involved in a wide range of activities including social issues such as civic improvements or relief of poverty, promotion of health and safety, research, education, healthcare, the arts, religion, sports and other similar endeavours. This part of the chapter investigates the relative vulnerability of NPOs to corporate accidents compared with corporate bodies. However, in this short section it is neither practicable nor necessary to refer in detail to every possible type of NPO, since huge variations exist with respect to different organizations and countries.
The main distinction between an NPO and the corporate entity will depend ultimately upon the laws of the country within which the organization operates. However, a common distinction would seem to be the lack of a commercial purpose of an NPO coupled with the absence of any need to distribute profits to owners or stockholders. This is not to say that such organizations may not hold major assets and have extremely large cash flows. It is also possible for such an organization to make a ‘profit’, but only in the sense that any surplus of income over expenditure after tax is internalized by being ploughed back into the work of the organization. However, a national government or investigative body may scrutinize whether such profits are excessive, in which case an NPO may forfeit its non-profit status. This is because NPOs often enjoy tax exemption privileges denied to corporate profit-making bodies. An NPO may have members and beneficiaries just as the corporate body will have stockholders and customers. Employees of NPOs may be volunteers or paid workers, but will still be subject to national employment legislation.

Usually, the establishment and management of NPOs will be governed by national laws which may dictate similar requirements to those imposed on corporate bodies. For instance, such organizations may be required to publish annual financial reports which are available for public scrutiny. They may also be required by law to have board members or trustees who have a fiduciary duty to the organization in a similar way to company directors. It is possible that NPOs may have moral or ethical obligations, either externally or self-imposed, which would not normally be placed upon a corporate body. Such restrictions may arise from the purpose for which the entity was first organized.
NPOs may take many forms, varying from charities, which in the UK must be registered with the Charity Commission and meet certain stringent requirements, to trade unions (which are also subject to specific government regulation), professional bodies, hospital trusts, churches, etc. The question that must be considered here is: are NPOs, as defined above, vulnerable to the same sort of failures as corporate profit-making bodies? At first sight it seems likely that the dangers of cost externalization and limited liability which arise with corporate bodies may not arise in the same way or to the same extent with NPOs. After all, if an NPO is a non-profit organization then there can hardly be a conflict of interest between the demand to make a profit and the protection of health, safety and the environment. However, two of the ‘corporate’ accident case studies in Appendix 2 arose from failures within an NPO; these are described in Case Study A2.1, the loss of the Space Shuttle Columbia, and Case Study A2.4, the deaths as a result of failures in children’s heart surgery at Bristol Royal Infirmary. The NPO in A2.1 is a US government organization, the National Space and Aeronautics Administration (NASA), and the main failures were those of safety culture and safety management. The NPO in A2.4 was a UK hospital trust and the main failures were in the areas of safety culture and organizational learning. However, in both case studies it is interesting to note that since these organizations depend primarily upon public funding to meet their objectives, externally imposed financial restrictions could have a major influence upon how their activities are carried out. If the non-profit-making activities have safety critical implications (as they did in both these examples) then it is quite possible that corporate accidents
will be made more likely in spite of the absence of the profit motive. Although in the case of the accident at Bristol Royal Infirmary financial limitations had no significant causational effect, many hospitals in the UK National Health Service (NHS) are, at the time of writing, operating under severe financial constraints. This is causing considerable public debate about the effects of financial cuts upon patient safety and welfare. In the case of the Space Shuttle Columbia, the cause of the accident was definitively linked by the investigating body to organizational changes within NASA which had been made in order to implement cost savings. Further details are provided in Appendix 2 and these two case studies are referred to extensively in later chapters.

In general throughout this book, reference will be made to accidents arising from failures within corporate profit-making organizations. However, this is not to exclude NPOs from consideration, but merely to avoid having to make constant reference to these types of bodies. This brief investigation of NPOs and the two case studies referred to above make it clear that the strategies to prevent corporate accidents which are described in Part II of this book are equally applicable to both profit-making and non-profit organizations.
Corporate accountability

The evolution of corporatism over the past two centuries has led from the small family-owned business to the legalized monoliths of today which dominate our society and shape our culture. Without doubt, the modern corporation has employed modern technology to make an enormous contribution to the well-being of society by the efficient provision of goods and services. However, as the technology has advanced and the size of companies has grown, the potential for harm to people and the environment has also increased. It is therefore necessary to examine the nature of the modern corporation and how it can be made accountable for its actions, particularly those which can have detrimental effects and lead to corporate accidents.
The body corporate

The technical term for attributing human qualities to non-human and inanimate objects is anthropomorphism. Interestingly, when we examine the nature of the corporation we find that this description is not so wide of the mark. The formation of a company is undertaken by a process of incorporation involving the filing of formal documents with a government body which states the intention to incorporate. When incorporation is complete the newly formed company achieves ‘entity’ status, meaning that it is in fact a legally separate entity through the operation of the law. That is to say, the company exists separately from its incorporator. Upon incorporation the company effectively becomes an artificial ‘person’ which has specific rights and responsibilities under the law, which it can exercise or claim in a similar way to a natural person. When a company is referred to as the body corporate this not only is a legal description but also bears the hallmark of reality. We often, unthinkingly, use
anthropomorphic language when referring to a company. For instance, we refer to a company as being either a bad company or a good company with respect to its relationship to society, particularly in such matters as how it treats its employees and customers and its health and safety record. When we do this we are using moral terms to describe what essentially is a legal device; in this respect one can hardly expect a company to possess human qualities such as a sense of morality, as the famous quotation from Lord Chancellor Thurlow makes wonderfully clear.

Did you ever expect a corporation to have a conscience, when it has no soul to be damned, and no body to be kicked?1

In Chapter 3 we will consider corporate ethics in more detail and whether a company can be expected to have moral concerns; indeed, whether there is any ethical correlation at all between corporate and natural personhood.
Corporate personhood

Through the process of incorporation, a company gains many of the characteristics of personhood. Although the company is owned by the stockholders and controlled by its directors, it is in fact an artificial person or body which can do many of the things that a person can do, with some obvious exceptions; for instance, a company cannot marry, vote, hold a driving licence or travel on a bus! However, in contrast to a natural person, the company has under the law a ‘perpetual lifetime’, meaning that its existence continues beyond the natural lifespan of those who incorporated it. Legally, a company can undertake almost anything that a person who was the sole proprietor could do, such as conduct business in its own right, buy and sell goods and assets, hold shares in another company (even being nominated as a director of that company), employ workers and pay taxes. In the same way as a natural person, the corporate body is both protected by, and at the same time subject to, the laws of the land in which it operates. It is able, for instance, in the same way as a person, to seek redress in the courts when it considers individuals or other companies have defamed its reputation.

In the UK, the USA and many other parts of the world, similar legal principles allow a company to be treated as an artificial person under the law. The precedent establishing this in the UK was the case of Salomon v A. Salomon and Co. Ltd (1897), where a sole trader (A. Salomon) turned his leather-making business into a company (A. Salomon and Co. Ltd). Later, when the company collapsed, the creditors tried to enforce their debts from Mr Salomon himself. Because no fraud was involved the court found that Mr Salomon was not personally liable for the company’s debts and established the principle of separate identity of a company from its owners.
This principle of separate identity is today known as the ‘veil of incorporation’ and allows larger parent companies to own subsidiary companies, yet not be responsible for many of their liabilities. Where owners of companies are unable to claim the protection of separate identity, for instance in the case of fraud, this is referred to as ‘lifting the veil’.
Corporate legal liability

Although companies can bring other companies or individuals to court and be taken to court themselves when they contravene the laws of the land, not necessarily all the laws that would govern the conduct of a natural person can be applied to a company. For instance, it is extremely difficult to make a company liable for a criminal offence requiring intent such as murder, since the courts generally uphold the principle that a company cannot have a state of mind in the same way as a natural person. Legally, however, the situation is different in the case of manslaughter and attempts have been made to charge companies with corporate manslaughter following a serious fatal accident. Corporate manslaughter and its present position under the law are dealt with in more detail in a later section. Companies can be taken to court under both the criminal law and the civil law.
Criminal law

Where a company violates specific health, safety or environmental legislation, or is in breach of the Health and Safety at Work etc Act 1974 (HSW Act), the case will be heard in a criminal court and prosecutions can be brought against companies, government bodies or other organizations. In addition, persons employed by those companies, who were in a responsible position when the breach was committed, or even the members (stockholders or owners) where they are in a position of management, may also be prosecuted. Penalties against companies who are found guilty of breaching health and safety legislation are levied as a fine. If individuals (e.g. directors or managers) are found guilty of such an offence, then a fine may be imposed, or a prison sentence in serious cases. A person who is so convicted and fined or imprisoned is then guilty of a criminal offence, with all the implications of possessing a criminal record, such as loss of reputation and career, possible curtailment of personal liberty and being incarcerated along with other criminals.
Civil law

Civil law is a section of the law that deals with disputes between individuals or organizations; it is a mixture of statute law (derived from legislation) and common law (derived from historical judicial decisions established in earlier cases). It is up to the claimant to bring the case to court. The Crown Prosecution Service (CPS) is not involved in prosecuting a civil offence since the state has no interest in overseeing ‘civil’ disputes. Most civil cases, when successful, result in some form of compensation to the person claiming to have been wronged. Most civil cases brought against companies will relate to matters such as defamation of reputation or product, employment laws such as unfair dismissal, sexual harassment, discrimination, etc., breach of contract, consumer protection, copyright and intellectual property, and compensation for work-related injury (breaches of Health and Safety regulations are heard in the criminal court and do not deal with matters of compensation).
Duties of company directors

General duties

The body corporate is an artificial legal entity with a legal status distinct from that of the stockholders, directors and senior officers. In law, it is the company which operates the business, employs staff and makes contracts with other organizations and individuals. However, as an artificial entity it cannot do anything for itself and therefore requires others to act on its behalf, these legally being the company directors. In this sense, the company is merely a legal device and financial conduit through which the interests of the stockholders are looked after by the directors of the company on their behalf. Company law decrees that the ‘business of the Company shall be managed by the Directors’. The directors therefore have a special status in law when compared with managers.

The legal and financial duties of company directors must be carried out in accordance with the articles of association of the company. Their role is crucial to the success and continuity of the organization and the interests of the stockholders. Directors are said to have a fiduciary duty to ensure that the interests of the stockholders are always protected. A fiduciary is defined as a person who holds a position of trust in relation to another person so that he always acts in the best interests of that other person as defined by the scope of their relationship. This is a legal requirement. The courts have generally interpreted this to mean the maximization of share value and profits. To ensure this objective is paramount, directors are prohibited from pursuing any interests which do not advance the interests of the stockholders.

Two types of legal duty are imposed upon company directors: statutory and common-law duties. Statutory duties are derived from legislation mainly through the Companies Act 1985 and allow for prosecution in the criminal court on matters of misconduct, with a possible prison sentence of up to seven years.
These duties mainly relate to financial matters. Here, company directors are specifically required to act in a positive or proactive way rather than a passive way in managing the company. Thus, it is up to directors to assure themselves that the company’s financial performance and prospects are not in jeopardy. In other words, directors are not expected to act only when things go wrong. They are judged not only by what they know, but also by what they should have known. The objective here is to minimize financial harm to the company, and if they fail to do this then the courts can take action since they have failed in their fiduciary duty.

Common-law duties are derived from historical judicial decisions based on tradition, custom and precedent and involving case-based reasoning. However, common-law duties placed upon directors reflect the same principles of positive action; that it is not sufficient for directors simply to stand on the sidelines and let the company conduct its business. They need to be actively involved. A recent Court of Appeal case confirmed that each director ‘owes it to the company to inform himself about its affairs’.3 Whilst directors may delegate particular tasks to others, they do not delegate their duty to the company and they remain responsible for the delegated function, the discharge of which they are still required to supervise. This applies to directors both individually and collectively.
Health and safety duties

Unfortunately, the requirement placed upon a company director to be actively, rather than passively, involved in the company’s business is not supported by Health and Safety legislation in the same way as it is by the Companies Act. This discrepancy between the directors’ responsibility for financial matters compared with that for health and safety has been a matter of some concern and attempts have been made to change the situation. The problem mainly arises from the wording of section 37 of the HSW Act, which is really the only legislation to set out the main statutory duties of directors in this respect. Section 37 provides that:

Where an offence under any of the relevant statutory provisions committed by a body corporate is proved to have been committed with the consent or connivance of, or to have been attributable to any neglect on the part of, any director, manager, secretary or other similar officer of the body corporate or a person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and shall be liable to be proceeded against and punished accordingly.7

Section 37 is the only relevant legal requirement which specifically places health and safety duties upon company directors. However, an offence when committed is almost entirely negative since it has to be attributable to neglect, or there must be consent or connivance by a director or others purporting to act in this capacity. In the matter of neglect, the courts have found that this is impossible to prove unless there has been a specific duty placed upon the director regarding health and safety matters. Since there is no legal duty placed upon directors for health and safety, this duty must derive from the company, for instance through the wording of the company’s safety policy.
If the company, in their health and safety policy, states in a fairly clear way that a particular director has health and safety responsibilities, then it might be possible to prosecute a director under health and safety legislation. In the matter of consent or connivance by a director, a different issue arises. In order for a director to consent or connive to commit an offence, he must be aware that an offence is being committed. Thus, a director is only liable under section 37 when he knows what is going on at shop-floor level, but is not required to take any steps to inform himself about what is going on. This leads to the rather perverse situation that if a director chooses not to become aware of health and safety matters, then effectively the director is shielded from any legal liability under the HSW Act. In large organizations, where directors are extremely remote from workplace operations both geographically and by virtue of the chain of command, it is extremely difficult to show that a director was in fact aware of what was happening at workplace level prior to an accident. In fact, in medium and large-size companies, no director has ever been convicted of an offence under section 37 in the thirty years during which the HSW Act has been in force. In small companies, of say fewer than ten people, it is more common for directors to be involved in hands-on operations in the company’s business. In this case, when an accident occurs, it is much easier to
allocate specific responsibility to a named director and bring a successful prosecution under health and safety law. In the UK over the past few years, serious concerns have arisen about the lack of clear director accountability for health and safety. As a result, a number of initiatives have been taken to define directors’ responsibilities more precisely. These initiatives include a set of Guidance Notes published by the Health and Safety Commission8 and The House of Commons Work and Pensions Committee Report on the Work of the Health and Safety Commission and Executive.9 The Health and Safety (Directors’ Duties) Bill10 was put before Parliament in 2005 but failed to pass its second reading. In addition to convictions of directors for breach of health and safety legislation, several successful prosecutions of directors of small companies for manslaughter have been brought. Since about 1980, eleven directors have been convicted of such an offence, of whom five have been sent to prison, five have received a suspended sentence and one was in receipt of a community service order.11 Again, all of the prosecutions involved small businesses. Corporate manslaughter is addressed in the next section.
Corporate manslaughter
Definition
Manslaughter is generally defined as the unlawful killing of another person without premeditation or malice (‘malice aforethought’), either express or implied. Simply put, there has to be a lack of any prior intention to kill anyone or create a hazardous situation. In this respect, it is distinguished from murder, which requires malicious intent. The offence of manslaughter is a common-law offence. This means that the nature of the offence and the basis on which it may be prosecuted successfully have been developed over time by precedent. Precedents are set by the outcome of previous court cases, which are then interpreted by judges in subsequent cases. In other words, manslaughter is not covered by any legislative statute which would define the offence precisely. Two types of manslaughter exist under UK law: voluntary and involuntary manslaughter. Voluntary manslaughter occurs when there is an unlawful killing of another person after sufficient provocation, incitement or diminished responsibility. Since this requires an element of intent it cannot be applied in the context of corporate criminal liability since a company cannot have the necessary mens rea or ‘state of mind’ (see below). By contrast, involuntary manslaughter (sometimes referred to in the UK as gross negligence manslaughter) occurs when there is no intention to cause death or serious injury by those who kill. They may, for instance, in the case of a natural person, have committed an act which may possibly result in some minor injury but which, unforeseeably, led to death. Alternatively, they may have been extremely careless or negligent or been reckless as to whether death or serious injury could occur. On this basis, it is theoretically possible for a company to be charged with such a crime.
However, the scope of involuntary manslaughter is extremely wide. Lord Chief Justice Lane said in 1992 that involuntary manslaughter ‘ranges in gravity from the borders of murder right down to those of accidental death’.12 As a result, recommendations have been put forward over the past decade to reform the law on involuntary manslaughter. The recommendations13 of the Law Commission (a UK statutory independent body created to keep the law under review) included the abolition of the offence of involuntary manslaughter and its replacement by two new offences of ‘reckless killing’ and ‘killing by gross negligence’. It also recommended the creation of a special offence of ‘corporate killing’ by means of which companies could be brought to justice for offences which had led to fatalities. These recommendations were accepted by the UK government and eventually paved the way for the government’s legislation on corporate manslaughter which was passed in 2007 and which is further discussed below. It is often the case that when a serious corporate accident occurs, particularly when it involves many fatalities amongst members of the public, there is a heightened degree of societal concern over safety. This may lead to a desire for justice where it is perceived that companies have been negligent in their duty of care. Following a number of high-profile multiple fatality accidents in the mid-1980s, the possibility of bringing corporate manslaughter charges against companies came under consideration.
The ‘identification principle’
One of the foundational precepts of criminal law is that nearly all criminal offences require both a mental and a physical element. The mental element is the person’s knowledge that their conduct is criminal. This is known as the mens rea, which is a Latin phrase which basically means ‘a guilty mind’. The idea of mens rea arose in England around the year 1600 when the judiciary held that the commission of an illegal act alone was not criminal unless at the same time there was a guilty state of mind. The physical element of the crime is the criminal act itself or the actus reus. The legal requirement is therefore that there can be no guilt without a guilty mind. The guilty mind relates to the state of mind of the accused person at the time the criminal act took place. Thus, the carrying out of a criminal act on its own is insufficient for guilt to be established. There must also be present an intention to carry out the act before it is enacted. The accused must have knowledge of both act and intent. The ‘identification principle’ states that, in the criminal sphere, a company cannot be found guilty of an offence unless a person who is responsible for that offence can be identified with the company. Such a person is often referred to in the law as the company’s alter ego. There is a primary test for establishing whether a company can indeed be identified with some natural person so that the acts and omissions and state of mind of the person can be attributed to the company. That test is whether the person in question can be shown to be ‘the directing mind and will’ of the company, sometimes referred to (and from here on in this book) as the ‘directing mind’. The earliest statement of the identification principle can be found in the case
of Lennard’s Carrying Coal Co Ltd v Asiatic Petroleum Co Ltd, 1915,14 where the judge, Lord Haldane, said:
My Lords, a corporation is an abstraction. It has no mind of its own any more than it has a body of its own; its active and directing will must consequently be sought in the person of somebody who is really the directing mind and will of the corporation, the very ego and centre of the personality of the corporation.12
Thus, before a company can be convicted of the crime of manslaughter it is necessary to identify a ‘directing mind’ at a high level in the company. This directing mind must be somebody who, through his actions and decisions, effectively embodies the company and who will themselves be guilty of manslaughter. Thus, in order to convict a company of manslaughter, sufficient evidence is required to procure the conviction of a senior individual in that company. Without this evidence, corporate manslaughter charges are impossible to prove and the company cannot be convicted. As discussed above, involuntary manslaughter provides the only realistic context for corporate manslaughter. To prove corporate manslaughter it needed (up until April 2008) to be shown that there was a causal link between a grossly negligent act or omission of a person acting as ‘directing mind’ and the immediate cause of a fatality. Common-law precedents have determined that in order to be a ‘directing mind’ the identified individual must be at the level of director or other senior management position. The main common-law precedent which established the need for a sufficiently senior individual to be identified as the ‘directing mind’ arose, somewhat bizarrely in the writer’s opinion, from an appeal court decision in the House of Lords after a court case involving the overpricing of a package of washing powder in a supermarket!
The case, Tesco Supermarkets Ltd v Nattrass (1972),15 was brought against the company under the Trade Descriptions Act 1968 and at first sight seems remarkably trivial in view of its legal importance, since it resulted in neither an accident nor a fatality. A poster advertising a special offer on washing powder had been left on display in the Tesco shop even though the stock of product at a reduced price had been exhausted. A higher priced stock was put on the shelves which a customer then bought and for which they were overcharged. They claimed correctly that the offer was applicable to their purchase given that the notice was still being displayed. Legal counsel for Tesco claimed that their client had taken all reasonable precautions and due diligence to prevent the offence occurring. The local store manager was supposed to ensure the pricing was correct but on this occasion he had failed to follow company instructions. As a result, counsel claimed, the acts or knowledge of the store manager could not be attributed to the company and therefore the company was not liable. This was upheld by the judge at the trial, Lord Reid, who ruled that since the store manager was acting on behalf of the company it followed that it was the company who was acting. In short, the company cannot blame the employee for the mistake, as they attempted to do in this case. This may then reflect badly upon the company’s reputation and explains why Tesco wished to claim third party responsibility.
However, Tesco appealed to the House of Lords, who importantly overruled the court’s decision on the basis that the third party defence claimed by Tesco was in fact valid. The Law Lords’ ruling stated that ‘. . . the branch manager was another person being the ‘‘hands’’ and not the ‘‘brains’’ of the company . . . accordingly, his acts or omissions were not those of the company’. The store manager was not therefore identifiable with the company but, just as Tesco had originally claimed, ‘he was somebody who was being directed, who was so to speak a cog in the machine which was devised: it was not left to him to devise it’. The Law Lords went on to make the important ruling that ‘normally the board of directors, the managing director and perhaps other superior officers of a company carry out functions of management and speak and act as the company’. A distinction has to be made between those who direct and those who are directed. In this particular case, the shop manager could not be held identifiable with the company since he had to take general directions and orders from his superiors. The result has been that the identification of a ‘directing mind’ has proved impossible where corporate manslaughter charges have been brought against larger companies. In large companies the directing mind is usually so senior that it can rarely be shown that they have direct knowledge of the failures which led to the fatalities. Effectively, the legal fiction of corporate personhood is an analogy which cannot be extended to include a ‘state of mind’. As a result, no manslaughter prosecutions have ever been successfully brought against large companies or their directors. Those prosecutions that have been successful have involved very small companies where the directors had ‘hands-on’ control and could therefore be identified not only as a ‘directing mind’ but also as having detailed knowledge of the failures which led to fatality.
The two major attempts in the UK to bring corporate manslaughter prosecutions against large companies both failed spectacularly owing to the problems described above. The earliest prosecution was that of P&O Ferries in the case of the capsize of the cross-channel ferry Herald of Free Enterprise in 1989, which resulted in the deaths of 192 passengers and crew. The next failed prosecution took place ten years later and was that of Great Western Trains (GWT) following a rail accident at Southall near London in 1997, when a high-speed passenger train collided with a freight train at 125 mph, resulting in 150 injuries and the deaths of seven people. Both of these accidents are included as case studies in corporate manslaughter in Appendix 1, where the specific safety failures are described together with the reasons why the corporate manslaughter prosecutions were unsuccessful. Over the ten-year period between these two accidents a sea change took place in the public acceptability of risk, such that by the beginning of the twenty-first century public intolerance of perceived corporate negligence had greatly increased. As a result, the whole issue of corporate criminal liability caught the attention of the public mind. The failure of the prosecution of GWT for corporate manslaughter was commonly thought to be highly unsatisfactory. In particular, it was felt to be iniquitous and discriminatory that the success of such a prosecution depended less upon the factors involved in the case, or upon the guilt of the players, than
upon the size of the company being prosecuted. Not only was the inability of the law to hold large companies and senior individuals fully accountable perceived to be a gross injustice, but until it was corrected, those bereaved and injured by serious fatal accidents due to gross negligence would be denied the closure which they so desperately sought. In addition to failing to satisfy natural justice, these failures to deal with corporate criminality reduced the incentive for company directors to make themselves more aware of matters of health and safety, and in particular whether policies issued at the highest level were being implemented at the workface, as discussed above. As a result of these concerns, Corporate Manslaughter: The Government’s Draft Bill for Reform was published in March 2005 and included not only a proposal for the new offence but also a consultation paper calling for comments. After consultation, the Bill finally passed through Parliament in July 2007 and the new Corporate Manslaughter and Corporate Homicide Act16 created a new offence that is to be called corporate manslaughter in England and Wales and corporate homicide in Scotland. The new legislation is to take effect from April 2008. The main provisions are summarized below, followed by a comparison with similar legislation in other countries and a critique of the measures concerning the degree to which they will correct the previously unsatisfactory situation.
Legislating for corporate manslaughter
It should be noted that the material presented below is intended to provide a layperson’s overview of the legal situation under various jurisdictions concerning the way they deal, or propose to deal, with corporate criminality, particularly corporate manslaughter. The complexity of the subject matter means that in a book of this nature it is only possible to provide a summary overview. The whole area is subject to wide interpretation even by legal experts. The text here, therefore, cannot be legally comprehensive and should not be used or relied upon in specific situations as an alternative to expert legal advice. As discussed above, the state of the law relating to corporate manslaughter in the UK was for many years regarded as unsatisfactory since, in particular, in order to prove manslaughter it was necessary to apply the ‘identification principle’ that a ‘directing mind’ at the very top of the company and who embodies the company needed to be identified. Whilst it was often possible to identify such a person, in large companies with complex or hierarchical management structures it always proved difficult to successfully link that person to the particular failures that caused the corporate accident. Other countries have experienced much the same difficulty in recent decades; notably this occurred in Scotland (where the legal system is separate from England and Wales), Canada and Australia. In July 2007 the Corporate Manslaughter and Corporate Homicide Act was passed by the UK Parliament, introducing a new statutory offence of corporate manslaughter (or homicide in Scotland) directed especially at companies where the law was perceived to be ineffective.
Summary of UK Corporate Manslaughter and Corporate Homicide Act16
The offence
For brevity, the offence will be referred to as corporate manslaughter except where there is a specific application to Scotland. An organization is guilty of the offence of corporate manslaughter when the way in which its activities are managed or organized by its senior management causes a person’s death and amounts to a gross breach of a relevant duty of care owed by the organization to the deceased. The organization is then liable on conviction to a fine. It should be noted that the legislation is principally intended to be applied to organizations and not to individuals. This is an important aspect which is further discussed below. Standards against which the conduct may be considered negligent are in the first instance based on compliance with current health and safety legislation (see below). The definition of a gross breach of a duty of care is when conduct ‘falls far below what can be reasonably expected of the organization in the circumstances’.16 In deciding whether a breach is ‘gross’ the jury will be asked to consider relevant or applicable health and safety legislation or guidance and, if there was a failure to comply, how serious was that failure and how much of a risk of death it posed. The jury is required to:
. . . consider the extent to which the evidence shows that there were attitudes, policies, systems or accepted practices within the organization that were likely to have encouraged any such failure . . . or to have produced tolerance of it (section 8, clause 3, author’s emphasis).16
This clause reflects the holistic approach of this book outlined in Chapter 1: that merely to identify and correct individual management errors is not very different to the often futile attempts to correct only the direct cause of an accident, the operational or immediate error which led to it. As with operational errors, most management areas are also systemic in nature.
The main difference between a management and an operational error is the type of system which has caused the error. In the case of operational errors these systems are usually found, as might be expected, at the interface between human and machine. Management errors are more likely to be caused by failures of corporate systems; the strategies to guard against such failures are described in Part II of this book. Many of these strategies will be seen to correspond in many respects with the ‘attitudes, policies, systems or accepted practices within the organization’,16 as defined in the legislation.
Application to organizations
The offence applies to a corporation, a department or other body listed in Schedule 1, a police force, a partnership, or a trade union or employers’ association, that is an employer. Schedule 1 is a list of government departments, etc., including a wide range of ministerial and non-ministerial government departments and offices. A Crown body is to be treated ‘as owing whatever duties of care it would owe if it
were a corporation that was not a servant or agent of the Crown’. HM Prison Service has, controversially, been excluded for a period of three to seven years pending a review of organizational structures. Non-corporate bodies such as the police force and business partnerships are ‘for the purposes of (the) Act . . . to be treated as owing whatever duties of care it would owe if it were a body corporate’.16
Application to individuals
One of the more controversial aspects of the Act relates to whether the offence should be applied to individuals. The Act states that there is no individual liability and ‘an individual cannot be guilty of aiding, abetting, counselling or procuring the commission of an offence of corporate manslaughter’.16 This came out of an earlier recommendation of the Law Commission that the new offence of corporate manslaughter should focus upon the liability of the corporate body itself and should not involve punitive sanctions against individuals unless they themselves could be found guilty of manslaughter. The original consultation on the draft Bill sought views from a wide range of organizations on whether individuals should or should not be included in the corporate manslaughter offence. Strong opinions were expressed on both sides of the argument. The main view coming from trade unions, victims’ organizations and the wider public was that without individual liability a company is able to commit crimes with impunity. Since the only sanction which can be applied to an organization is a monetary fine it is possible that the fine would be insignificant when compared with company profits or even the cost of safety modifications to prevent future fatalities. As a result, it was suggested, there will be no deterrent effect upon those individuals in the organization who are responsible for health and safety, i.e. the ones who should be held accountable when a fatal accident occurs owing to corporate failure. The opposing viewpoint, expressed mainly by employers and industry organizations representing those most likely to be affected, or even prosecuted, by the new law, considered that inclusion of individuals was a step too far. It was suggested that such a step would impose an additional and unacceptable burden upon companies, their senior managers and directors.
In the end, the UK government came down on the side of business and individual liability is excluded from the scope of the legislation. This decision to exclude individual liability is in stark contrast to similar legislation which has been suggested or applied already in other countries around the world (see below).
Senior management failure
The Act states that ‘. . . an organisation is guilty of an offence under this section only if the way in which its activities are managed or organised by its senior management is a substantial element in the breach . . . of a duty of care’.16 Liability therefore hinges upon the way a particular activity, which might have led to or had an influence upon an accident, was being organized. This has the effect, intended or otherwise, of not focusing exclusively upon the direct cause of an accident (the immediate operational failure or human error) at the expense of identifying the root cause of the
accident as discussed in Chapter 1. The root cause of corporate accidents almost by definition (and certainly in all the case studies in Appendix 1) stems invariably from some failure of senior management which affects the working practices of the organization. In concentrating on corporate rather than individual liability, the intention seems to be to raise the level of scrutiny above specific managerial errors to focus on wider questions about organizational practices. This allows for the collective appraisal of senior management conduct without having to identify specific individuals, or indeed a directing or controlling mind. In referring to senior management, the legislation (paragraph 1.3) defines this class of persons as those who play ‘a significant role in the making of decisions about how the whole or a substantial part of its activities are to be managed or organized or the actual managing or organizing of the whole or a substantial part of those activities’.16 This would seem to exclude those who might play a minor or supporting role in the management of the organization in order to concentrate on the higher levels of responsibility where the root causes of an accident are more likely to be found. At these lower levels, it is more likely that the individuals will be held accountable under other legislation such as the HSW Act. As with the much quoted legal precedent of the branch manager in the case of Tesco Supermarkets Ltd v Nattrass, above, the Act is aimed at the ‘brains’ rather than the ‘hands’ of the company. It is important to note that the management failures which led to a fatal accident must be sufficiently gross since the company is being charged with a serious criminal offence.
Where a company has already made reasonable efforts to ensure the health, safety and welfare of their workforce and others affected by the operations (using ‘reasonable practicality’ as described in Chapter 6) it is unlikely they will be prosecuted under the Corporate Manslaughter and Corporate Homicide Act even if there has been a work-related fatality.
Penalties
Since the legislation sets out to exclude individuals from punitive sanctions, there is limited scope for a penalty which applies only to organizations. In general, this penalty has to be financial and therefore companies found guilty of corporate manslaughter would face a fine as stated in Clause 1.6. However, a restorative aspect has been allowed for and in the case of a conviction the court may insist that a company satisfies the conditions of a remedial order requiring actions to be taken to correct the failures which led to the gross breach of a duty of care (Clause 9). This is really no different from the situation which would pertain if there were a breach of health and safety law, where a company would need to correct the deficiencies before they were allowed to continue to operate. Whether a financial penalty and the exclusion of individuals from prosecution are sufficient motivation for a company to change its behaviour is further discussed below.
Investigation and prosecution
There is no change from the current common-law offence of manslaughter in terms of investigation by the police and prosecution by the CPS. In the case of this Act, investigations will be conducted calling upon the advice and expertise of the Health
and Safety Executive, not least to probe the question of further liability under relevant health and safety legislation, but also to advise the police in their manslaughter investigations. Protocols already exist for liaison between the various agencies. In the event that private prosecutions are brought by individuals or other bodies then it will be necessary for these persons to obtain the consent of the Director of Public Prosecutions before proceedings can be started. This is in order to avoid prosecutions which are insufficiently well founded and which would ultimately fail.
Other jurisdictions
The jurisdictions of Australia, Canada and the USA are the most appropriate to consider here since much of their legal systems are derived from English common law. As discussed above, corporations can only operate through the actions of corporate employees. However, in order to prosecute corporate lawbreakers it is necessary to ‘pierce the corporate veil’ to gain access to the individuals who are the ‘directing mind’ of the corporation. Possible ways of approaching this include:
• the ‘identification’ or ‘directing mind’ theory (see above) unsuccessfully pursued in the UK
• specific legislation to make corporate manslaughter a statutory offence, adopted in the UK from April 2008
• corporate culture (see below), which has not been used in the UK but is part of the approach adopted by the Federal Australian authorities, as described below
• vicarious liability adopted in the USA (see below), but rejected in the UK since it means that corporations can be held responsible for actions of which they were not aware.
The ‘identification’ or ‘directing mind’ theory has been discussed above, together with the Corporate Manslaughter and Corporate Homicide Act designed to overcome the problems. The other approaches are discussed below.
Australia
Over the past decade new laws have been passed in Australia dealing with corporate manslaughter. Although common-law in Australia is largely derived from English law, the Australian authorities have followed a different route to corporate criminalization than that in the UK. This route is intended to tackle the controversial question of the prosecution of individuals in order to place an additional deterrent upon the corporation in an attempt to change its future behaviour. Under federal law, a corporation is liable where it can be proven that ‘the body corporate’s board of directors (or a high managerial agent) intentionally, knowingly, or recklessly carried out the relevant conduct, or expressly, tacitly or impliedly authorized or permitted the commission of the offence of the body corporate’. Alternatively, the corporation is liable where it can be proven that ‘a corporate culture existed within the body corporate that directed, encouraged, tolerated or led to non-compliance with the relevant provision, or the body corporate failed to create and maintain a corporate culture that required compliance with the relevant provision’.
Thus, actual or inferred intent of the corporation’s executive or management may result in liability. Alternatively, liability may be incurred when there is a corporate culture which encourages non-compliance with health and safety law. The importance of corporate culture in general and safety culture in particular is discussed in detail in Chapter 4. Somewhat different legislation exists for the Australian Capital Territories (ACT), including Canberra and surrounding areas, where the persons made responsible can include any officer occupying an executive decision-making position. The objective is to prevent senior managers and directors from hiding behind the corporate veil so that they can conduct unlawful business with impunity, and to expose them to personal criminal liability rather than their conduct being regarded as the conduct of the organization. The person, not including the corporation, would be reckless in their conduct if it led to an industrial fatality if ‘they were aware of a substantial risk that serious harm would result to the worker; and having regard to the circumstances known to them, it was unjustifiable to take that risk’. Similarly, a person would be negligent in their conduct if it led to an industrial fatality if it involved ‘such a great falling short of the standard of care that a reasonable person would exercise in the circumstances or such a high risk that the death of a worker would result’. If recklessness is proven causing death to the worker then it is possible that another offence such as murder under the Criminal Code will apply. If it is the employer’s negligent conduct which causes the death of a worker then only the offence of manslaughter will apply. The maximum penalty for the offence under the amendment is a fine in the case of an employer or imprisonment for twenty-five years and/or a fine in the case of an individual.
In addition, more creative penalties are possible, including publicizing the offence, notification to a specified person or persons, such as stockholders, and a requirement to carry out a specified project for the public benefit. Similar legislation is now being considered in New South Wales (NSW) where, owing to the same legal barriers that existed in the UK, there has never been a successful prosecution for corporate manslaughter arising from a workplace fatality. The Australian authorities are now getting to grips with the problem of successfully prosecuting corporations and other bodies for corporate manslaughter, with the provision to make both the corporate body and individual senior personnel responsible for contraventions of health and safety leading to a fatality. At the same time, there has been a more creative use of imposed penalties to extract the maximum social deterrent and restitutive effect.
Canada
Just as in the UK, following the failed corporate manslaughter cases arising from two major accidents (see Appendix 1), the arguments for the criminalization of corporate behaviour in Canada were driven by an industrial fatal accident. The Westray mine disaster occurred in Nova Scotia in 1992 [17] and involved an explosion that led to the deaths of twenty-six miners. An inquiry led by Mr Justice Richard of the Nova Scotia Supreme Court found that the accident occurred as a result of numerous failures in health and safety protocol at various levels in the organization. The inquiry also found that senior executives up to the level of president of the company were grossly negligent in complying with health and safety standards. Although charges were brought against various employees of the Westray organization, they were never prosecuted and convicted, with the result that serious violations went unpunished. Therefore, it was widely maintained that the victims’ families had been failed by the criminal justice system. The Westray disaster public inquiry recommendations suggest that:
The Government of Canada . . . should institute a study of the accountability of corporate executives and directors for the wrongful or negligent acts of the corporation and should introduce in the Parliament of Canada, such amendments to legislation as are necessary to ensure that corporate executives and directors are held properly accountable for workplace safety (Recommendation 73) [17].
As a result of these failures, discussions took place concerning how, and to what extent, these concepts of individual moral fault in criminal matters should be attributed to a corporate entity. The Canadian Federal Government, in the wake of the Westray disaster, decided not to create a new offence of corporate manslaughter as in Australia and the UK, which would enable corporations to be held liable in the same way as individuals. After much consultation, the Canadian Bill C-45 [18] passed into Canadian law in 2005, making organizations criminally liable as a result of the actions of senior officers who oversee day-to-day operations but who may not be directors or executives. However, organizations are also criminally liable when officers with executive or operational authority intentionally commit crimes to benefit the organization or become aware of offences being committed by other employees but do not take action to stop them.
The overall intention of Bill C-45 is to modernize the law on the criminal liability of organizations to reflect the increasing complexity of today’s corporate structures. It should be noted that Bill C-45 deals with the criminal responsibility of the organization itself and does not change the law in any way with regard to the personal liability of directors, officers and employees, who are always liable for crimes they commit personally, whether this be in the context of their employment or not. In addition, Bill C-45 refers to ‘organizations’ rather than corporations, in order to apply to all forms of joint enterprise carried out by individuals regardless of the way they are structured, formed or incorporated.
The provisions of the new bill were first controversially put to the test in Ontario in March 2005, when a construction supervisor was charged with criminal negligence causing death in an occupational health and safety incident. The charges arose from the collapse of a trench in which a worker died as a result of being trapped. A sixty-eight-year-old supervisor pleaded guilty to three of eight charges concerning an excavation which was not properly shored up or protected and for failing to ensure that workers were wearing protective equipment. However, in the event, the charges were withdrawn. Following a plea bargain agreement he escaped liability when the ‘criminal negligence causing death’ charge was withdrawn. Instead, the supervisor agreed to pay a fine of $50,000 for the three contraventions of health and safety regulations to which he pleaded guilty. Otherwise, under the new law, he might have faced life imprisonment and certainly would have faced a twelve-month sentence for each of the charges. It is questionable whether Bill C-45 was ever intended to charge somebody at supervisory rather than executive level. The case showed that even new legislation can encounter the same difficulty of bringing criminal charges against senior personnel in an organization who are ultimately responsible for the provision of adequate safety systems but who are far removed from the actual work. There is always a temptation to prosecute the person who is directly involved because the chances of a successful prosecution are much greater, even though this person does not represent the root cause of the accident. The use of the new Act to prosecute somebody at supervisory level would therefore seem to contradict the original intention of Recommendation 73 (see above) arising from the Westray public inquiry.
USA
The approach to corporate homicide in the USA varies from state to state, but differs from that adopted in the UK, Australia and Canada. In the USA, the ‘agency’ or ‘vicarious liability’ approach is generally followed. Very few prosecutions for corporate homicide have been brought against US corporations, successfully or otherwise. The difficulties in convicting corporate bodies for culpable homicide in other countries, which have arisen as a result of the ‘directing mind’ principle, have not been a factor in the USA. In addition, the USA has not attempted to bring in specific legislation that would enable companies to be convicted of corporate homicide.
The ‘agency’ approach which is generally adopted is based on attributing liability to a corporation when an offence is committed by an agent of that corporation. In effect, it imputes the illegal act of an employee to the corporation itself. The agent does not need to have a high-level controlling function in the corporation, and although it can be a director or senior officer, it may also include any employee of the organization or other person authorized to act on its behalf. This approach is also known as the ‘vicarious liability’ doctrine. Effectively, it makes the organization responsible for the potential acts or omissions of every employee, officer or agent performing on its behalf, whether or not the ‘directing mind’ (as it were) was aware of what was occurring. The ‘hands’ of the organization can be responsible even though the ‘brains’ are unaware of what is happening. However, three conditions must be fulfilled:
1. An individual employee must have committed the offence with the required mens rea (guilty mind) referred to earlier. Only if that individual’s state of mind is established as such can the offence be imputed to the corporation.
2. The employee committing the offence must have done so within the scope of employment, usually meaning that the offence occurred while the employee was carrying out an activity related to a job of work assigned to him/her by the employer.
3. The employee committing the offence must have had the intention of acting for the benefit of the corporation, that is, not acting maliciously.
Superficially, this approach appears to avoid the problem of finding a ‘directing mind’ with which the organization can be identified in order successfully to bring a charge of corporate homicide as previously required under English law. Under the vicarious liability approach, corporate fault is made to depend almost entirely upon individual fault without the need for proof that the corporate body acted illegally. Although it may be desirable for the highest level in the corporation to be aware of any deficiencies at operational level which may cause one of its agents to commit an offence, this is not always realistic. Vicarious liability can result in the stigma of a criminal offence being imposed upon a corporation when it is acting in good faith. Another undesirable aspect is that the root cause of corporate accidents, that is, failures of organization and management, can easily be overlooked when all the attention is directed towards the individual agent of the corporation who actually committed the act which caused the accident.
Critique of legislation
This review of legislation for corporate manslaughter in the UK and in a number of other English-speaking countries with similar legal systems reveals a wide diversity of approaches. It also indicates a general trend leading away from prosecuting companies for manslaughter under common law, as applicable to natural persons, and a move towards the introduction of statutory legislation directed specifically at the corporate body. This trend has arisen because of the legal impossibility of a corporation having the mens rea or guilty mind necessary under common law. Charges against individuals and organizations under statute law, such as the HSW Act in the UK, are much easier to prosecute successfully. Often this has been the only realistic recourse of prosecutors when a serious fatal accident occurs and charges of corporate manslaughter have so far proved impossible to uphold because of the identification principle. Although it may be possible to identify such a person, in large modern and complex organizations it is usually found that they are only responsible for the strategic direction of the company and cannot always be aware of the way in which workplace activities are carried out. The required level of knowledge and awareness just does not exist. Persons at the level of directing mind are also more easily able, if they so desire, to distance themselves from what is actually happening lower down in the company, since there is no legal requirement for them to cultivate awareness of health and safety matters.
The new legislation in the UK, the Corporate Manslaughter and Corporate Homicide Act described above, is an attempt to overcome longstanding difficulties in securing prosecutions against companies for corporate manslaughter. Many who have studied the new legislation regard it as being fatally flawed in the following respects.
Senior management failure
The definition of ‘senior management failure’ which is to be used as a basis for prosecution is rather vague since it is not well defined in the Act. This may result in persons who are ultimately responsible for safe operation at the top tier of the company being able to pass the blame down to lower levels. It also raises the spectre of the ‘directing mind’ problem if it is attempted to identify individuals at this higher level. As happened in a recent application of the Canadian legislation described above, this problem with the new UK law may indeed lead to individuals at lower levels carrying the blame and bearing the penalty which was due to their superiors.
No individuals can be found guilty
Under the new UK Act, individuals ‘cannot be guilty of aiding, abetting, counselling or procuring the commission of an offence of corporate manslaughter’ and therefore they will not be prosecuted. The Act assumes that the existing laws, both for manslaughter and for health and safety offences, are sufficient to deal with individuals who are found to be criminally liable in the event of a fatal accident. Nevertheless, history has shown that the number of directors of companies who have been successfully prosecuted for manslaughter is extremely low even for small companies and is non-existent for large companies. If they cannot be prosecuted under this legislation then on past experience it is unlikely that they can be prosecuted at all.
The question remains: is there a moral case for individuals as well as companies to be prosecuted under corporate manslaughter legislation? The main argument for securing the prosecution of individuals is that it provides a greater degree of justice for the victims of serious or fatal accidents and their families. The concept of ‘corporate personhood’ is relatively meaningless to the average layperson. In reality, it is simply a legal fiction enabling companies to be held responsible under many of the laws applying to natural persons as discussed earlier in this chapter. It is difficult to sustain the analogy of personhood in the face of demands for deterrence and restorative or retributive justice when a company causes harm or injury to natural persons. This is because:
• the limited range of penalties, mainly fines, which can be applied to a company is rarely seen to be proportionate to the level of harm inflicted
• unless some individual liability is identified, a company is perceived to be able to commit criminal offences with relative impunity with a perceived lack of accountability on the part of its senior officers
• a company is unable to express or demonstrate compunction or regret. Even when companies have stood trial for manslaughter, their directors have sometimes failed to appear in court (e.g. Appendix 1, Case Study A1.2) to express regret on behalf of the company, presumably because of the danger of implicating themselves in the circumstances of the accident.
It is fairly obvious to the victims and bereaved families of those killed in corporate accidents that a company is unable to act except under the volition of the individual agents which it employs from the level of directors downwards. When an accident occurs individual responsibility has to lie somewhere within the organization. It has long been recognized that to provide closure for those affected, it is necessary to understand how the accident was caused or was allowed to happen. Victims of
accidents will always want assurances that the individuals responsible are not only identified but also made to answer personally for their failures. Sometimes it is appropriate that answers should be given in a court of law or at a public inquiry and individuals should not be allowed to hide behind the corporate veil. There have already been calls to amend the law so that senior executives and directors cannot escape accountability for health and safety matters under cover of the corporate veil, in the same way that the veil cannot be used to hide from the penalties of financial malfeasance. Unfortunately, since the new UK corporate manslaughter legislation specifically excludes individuals from prosecution, a more accessible route will have been provided for a minority of directors to evade liability.
Penalties
In addition to the lack of individual accountability, the imposition of the only available penalty, a fine upon a company, will rarely be sufficient to satisfy the sense of injustice and the desire for closure of victims and families, no matter how punitive the level at which the fine may be set. The imposition of a fine and the stigma of a court case may result in loss of reputation for a company, but will not necessarily change the way in which the company operates. If the company is fined, the individual actors who control the company at senior level are not personally affected; perhaps the worst consequence is temporary loss of employment and possibly brief social stigma. However, the incentive of these persons to reflect upon what has happened and to make the necessary changes is considerably increased if they are held personally liable for the failures of the organization. Furthermore, personal liability is more likely to result in accident prevention if senior employees have the possibility of a fine or imprisonment to concentrate their minds on health and safety matters.
Without needing to prosecute individuals, there may be some advantage in adopting a more creative approach to the penalties imposed upon companies in order to make them more effective, as mentioned above. Deterrence should be the principal reason for imposing a penalty on a company in the event of a corporate accident in the hope that its performance may improve in the future. If the costs of committing the offence greatly exceed any benefits which might have accrued, such as saving money on safety improvements, then a company is more likely to be deterred in the future. Naturally, the fine should in any case be proportionate to the seriousness and consequences of the offence as is currently the case when companies are successfully prosecuted under health and safety law.
This principle was demonstrated by the severity of the fine imposed upon Transco following the fatal gas explosion in Scotland, as described in Chapter 3. An alternative penalty which might make a company more inclined to consider the consequences of its actions could be ‘equity fines’ which impact upon the share value of the company and remind stockholders of their responsibilities as owner. Alternatively, fines could be based upon relinquishment of a proportion of annual profits. In some cases the punishment might be tailored to fit the crime and involve some form of community service to benefit those affected, thus adding an element of restitution to that of deterrence. If fines were accompanied by ‘corporate probation’ then an element of rehabilitation would also be included. This would require a company to
bring its operating standards up to a declared level over a defined period before the probation order could be lifted. Companies are always vulnerable to loss of reputation and this may translate into monetary terms from loss of customers and revenue when news of a serious incident is publicized. The Brent Spar incident described in Appendix 2, Case Study A2.6, is an example. Denunciatory penalties (or naming and shaming) could take the form of ‘publicity orders’ including the requirement for senior executives to attend trial hearings and thus publicly admit their complicity through their presence in court. This could also occur to some degree with a probation order. The ultimate sanction is perhaps ‘corporate capital punishment’, where a company is completely dissolved. However, the consequences of this upon a wide range of relatively innocent stakeholders would be so severe as to limit it to the most serious cases of corporate criminality with intent.
Conclusion
This chapter has briefly examined the nature of the corporate entity and its legal accountability in the event of a corporate accident. It was appropriate to consider these matters since an awareness of the consequences of corporate accidents must precede an understanding of the preventive strategies which need to be put in place to avoid them. Such strategies are considered in Part II of the book. However, so far, the book has only discussed the principal raison d’être of the corporation: the need to make a profit for the stockholders and increase the value of their shares. If a company possessed no imperatives beyond these it would almost certainly represent a corporate accident in the making, especially when the corporate will and intention to control the risks which are generated come into conflict with the desire to maximize financial returns for the stockholders. In theory, there should be no conflict; it has been shown that safe companies tend to be successful companies. In practice, short-term financial objectives can obscure the importance of operating safely. The aspirations of a company need to be much greater than constantly scanning the bottom line and believing that compliance with the law is sufficient in itself. Although companies are constrained to some extent by external health, safety and environmental regulations, these are only intended to set minimum standards, as will be described in Chapter 6. This book will maintain that neither the profit motive nor compliance with regulation will provide sufficient incentive for companies to develop effective preventive strategies against corporate accidents. Other imperatives need to be absorbed into the company’s culture if the strategies are to prove effective in the long term. Freedom from corporate accidents is in itself a long-term strategy and, like many investments, it carries the warning that past performance is no guarantee of future success.
A higher motivation must be in place to govern the way companies are operated and this motivation originates in the more abstruse realm of ethics and morality. The next chapter, entitled ‘Corporate ethics’, considers the moral and ethical standing of the main stakeholders in the corporation and examines ways in which they can act ethically both as individuals and as corporate actors while still upholding the financial interests of the company. These themes are continued in Chapter 9.
References
1. Poynder, J. (1844) Baron Thurlow (1731–1806), Lord Chancellor of England, cited in Literary Extracts, 1, 268.
2. Bouvier’s Law Dictionary (1856). Revised 6th edn. http://www.constitution.org/bouv/bouvier.htm
3. Anon (1996) Journal of Legal History 17, 63.
4. Smith, A. (1776). An Inquiry into the Nature and Causes of the Wealth of Nations, Vol. 2, Book IV, Chapter 2, p. 350.
5. Smith, A. (1776). An Inquiry into the Nature and Causes of the Wealth of Nations, Vol. 2, Book I, Chapter 10.
6. Bakan, J. (2004). Milton Friedman. In The Corporation: The Pathological Pursuit of Profit and Power, Documentary based on the book by Bakan, J., TV Ontario, www.thecorporation.com
7. Health and Safety at Work etc Act 1974, http://www.hse.gov.uk/legislation/hswa.pdf
8. Health and Safety Executive, Director’s Responsibility for Health and Safety, INDG343 02/02 C700, http://www.hse.gov.uk/pubns/indg343.pdf
9. House of Commons Work and Pensions Committee, 2004, The Work of the Health and Safety Commission and Executive, http://www.publications.parliament.uk/pa/cm200304/cmselect/cmworpen/456/456.pdf
10. Russell, J. (2005). Health and Safety Commission Report, Directors’ Responsibilities for Improving Health and Safety Performance – Proposed Report to the Government, HSC/05/90, found at http://www.corporateaccountability.org/dl/Directors/hsepapertohscnov05.pdf
11. Centre for Corporate Accountability, London, UK, http://www.corporateaccountability.org/directors/convictions/manslaughter/main.htm
12. Walker (1992) 13 Cr App R (s) 474, 476, in Reforming the Law on Involuntary Manslaughter: The Government’s Proposals, London: The Home Office, http://www.homeoffice.gov.uk/documents/2005-corporate-manslaughter/cons-manslaughter-0500?view=Binary
13. Reforming the Law on Involuntary Manslaughter: The Government’s Proposals, The Home Office, http://www.homeoffice.gov.uk/documents/2005-corporate-manslaughter/cons-manslaughter-0500?view=Binary
14. Lennard’s Carrying Coal Co Ltd v Asiatic Petroleum Co Ltd [1915] AC 705 (HL)
15. Tesco Supermarkets Ltd v Nattrass [1972] AC 153
16. Corporate Manslaughter and Corporate Homicide Act 2007, http://www.opsi.gov.uk/acts/acts2007/20070019.htm
17. Justice K.P. Richard, Commissioner (November 1997). Report of the Westray Mine Public Inquiry, Canada, http://www.gov.ns.ca/enla/pubs/westray
18. Department of Justice, Canada. Canadian Parliament Passes Bill C-45: Stronger Laws Affecting the Criminal Liability of Organizations, http://www.justice.gc.ca/en/news/nr/2003/doc_31024.htm
3
Corporate ethics
When we sincerely follow the ethical path we become one with it,
When we become one with the ethical path, it embraces us.
Lao Tzu (c. 600 BCE)
Those managers who define ethics as legal compliance are implicitly endorsing a code of moral mediocrity. It is not an adequate ethical standard to get through the day without being indicted.
Richard Breeden, Former Chairman, Securities and Exchange Commission
The Law cannot regulate all human behaviour which also needs professional and social ‘conventions’ to prevent anarchy and tyranny.
Reverend Gordon Dunstan [1]
Introduction
Recent high-profile business scandals such as Enron, WorldCom, Arthur Andersen and others have drawn attention to the controversial subject of corporate ethics. Although these particular scandals have involved financial impropriety and mismanagement at the highest corporate level, similar issues can arise with failures to protect health, safety and the environment. As discussed in Chapter 2, the corporate body, by the very nature of its founding principles, is required to maximize profit and asset value for its stockholders. In order to achieve this, there is a natural tendency to externalize as many of its costs as possible. In the process of externalizing costs companies may, knowingly or inadvertently, cause a detriment to third parties affected by their operations. Third parties may include employees, customers, the local community or the general public put at risk by the creation of safety hazards and environmental impact which in some cases can lead to corporate accidents. This tendency can be counteracted in a number of ways.
During the historical development of the corporation, governments found it necessary to impose conditions upon how companies were allowed to conduct their businesses to limit harmful effects. These limits were applied in the form of statutes and regulations which controlled, for instance, the way in which company stock could be traded in order to protect stockholders. Similar measures were introduced to prevent accidents or limit the consequences of hazards arising from a company’s operations; these often followed on from serious corporate accidents which aroused public concern. Many examples are provided in Chapter 6. It is neither possible nor desirable for government to regulate every aspect of a company’s operations. Over-zealous regulation of business deters entrepreneurial activity and restricts initiative, holding back business development, and detracts from the common good of the nation. Control of business by regulation must achieve a balance between imposed rules and adherence by companies to voluntary and ethical codes of practice. Over the past two centuries the pendulum has swung between the two poles of government controls and voluntary self-regulation. At the time of writing, certainly in the UK, there has been a move by government towards simplifying over-burdensome regulatory controls (see Chapter 6). At the same time government is encouraging companies to embrace the principles of corporate social responsibility; this topic is addressed in more detail in Chapter 9.
The natural temptation of some companies to externalize costs in detrimental ways is curbed by the desire of companies to project an image of ethical business practices in order not to alienate public perception and erode customer confidence. There are several recent cautionary tales of how big companies have, at their peril, risked losing their customer base and reputation through unethical activities, and a case study of such an incident is presented in Appendix 2, Section A2.6. Protection of business reputation is an important persuader of companies to act in ethical ways, lessening the need for the heavy hand of regulation.
This chapter addresses a number of issues in corporate ethics arising mainly in the context of health, safety and environmental risks rather than in the area of financial impropriety. It defines the scope of morality and ethics within the context of business and examines whether the motivators for ethical behaviour at human level can be translated to the corporate level. The roles of the various human actors within the corporate entity are identified and the degree to which they can influence corporate ethical behaviour is examined. This chapter also pursues the much debated question of whether companies which do good, also do well. Henry Ford once said, ‘Monopoly is bad for business. Profiteering is bad for business’ [2]. Is the pursuit of cost externalization in the end counterproductive, diminishing profitability rather than improving it? Finally, the difficult issue of professional (as opposed to corporate) ethics is explored, including situations where the moral qualms of a senior manager or director are expected to be subservient to business success. The chapter commences with a discussion of ethics in general terms before proceeding to the study of corporate ethics.
Ethics
Definition
The origin of the word ethics is the Greek word ethos, which means ‘character’. The Code of Hammurabi was one of the earliest law codes and was developed in Babylon in the 18th century BC. It was carved upon a black stone obelisk, eight feet high and placed in public view. The code regulated the way society was organized and included modern-day ethical dilemmas such as bribery, giving false testimony (telling lies) and the faulty construction of houses which collapsed on their occupants. These and many other ethical misdemeanours were regarded as crimes which often bore grim retaliatory punishments; for example:
If a builder builds a house for a man and does not make its construction firm, and the house which he has built collapses and causes the death of the owner of that house, that builder shall be put to death.
Hammurabi, the king of righteousness, on whom Shamash has conferred right (or law), am I. My words are well considered; my deeds are not equalled; to bring low those that were high; to humble the proud, to expel insolence.
Code of Hammurabi, c. 1800 BC
Since that time most societies have developed ethical codes, many aspects of which have found their way into present-day law, forbidding and punishing crimes such as murder, assault and theft. Ethics is not quite the same thing as morality, although the two are often confused. The best way of illustrating the difference is to say that while morality sets the standards (i.e. morals), ethics defines the behaviour which supports and upholds those standards. In this book we will talk about ethical behaviour rather than morality. A simple modern definition of ethics is ‘a code of behaviour considered correct, especially that of a particular group, profession or individual’ (Collins Dictionary). However, several prominent theories of ethics deriving mainly from the work of past philosophers have influenced the modern study of ethics. Three of these are considered below, although space permits only a very simplified account of the complex work of these outstanding philosophers.
Virtue ethics
The Greek philosopher Aristotle was one of the first to study ethics as a separate subject, over 2000 years ago. For Aristotle, ethics was more than simply a moral, religious or legal code imposed by the authorities which must be obeyed under penalty of imprisonment or death. Rather, he understood ethical behaviour as something founded on personal knowledge that promotes virtue. Virtues are defined as moral characteristics that encourage human development (e.g. perseverance, courage, compassion, truthfulness). Action must be virtuous and carried out to achieve a common good. To define whether an action by an individual or group is ethical he would ask whether the consequence of the action was good both for that individual or group and for society. The main criticism of virtue ethics is that since it does not provide a set of rules or codes for behaviour, it cannot provide guidance for action; nor can it always resolve moral dilemmas (e.g. while honesty demands absolute truth, compassion may require us to remain silent or even lie).
Utilitarianism
Jeremy Bentham, the English philosopher and social reformer, in 1789 proposed the principle of utilitarianism: that actions should be judged on their consequences, in particular their propensity to produce the greatest happiness for the greatest number [3]. One of the main problems with utilitarianism is that it is quantitative: there is no guidance on how to measure the greatest happiness (although various attempts have been made). Also, if there is only one act which produces the greatest good then any act which produces a lesser good must be wrong; this is patently untrue. Some people may not be interested in the greatest happiness for all and therefore ethical action may be possible in the absence of this. Another problem is that it only measures the consequences of actions and not the actions and motivations which lead up to them; it raises the question: is it permissible to do something morally wrong in order to bring happiness to many people? This problem is addressed by duty ethics (see below).
Duty ethics
Immanuel Kant, the German philosopher and enlightenment thinker (1724–1804),4 sought a system of ethics that would be based on reason and not on a cold calculation of utility. As a result, he emphasized that the ethical life was centred on duty; he also believed that if action was to be ethical the moral imperative behind it must be categorical (e.g. a rule applying in all circumstances) and not conditional (e.g. a whim depending on circumstances). Thus, our ethical actions should be an end in themselves and not a means to an end; this is the opposite of the utilitarian idea that the end justifies the means. For Kant, the motive is all important: being ethical is doing the right thing for the right reason. If we are motivated to act ethically because there is a payoff then Kant argues that this is not ethical action, but action conditional on the possible consequences. He differentiated between two types of duty: perfect duty, which we are obliged to do all the time (e.g. not harming others), and imperfect duty, which we should do as often as possible but not universally (to be compassionate, charitable, etc.). The main criticism of duty ethics is that it is not easily able to resolve conflicts of duty.

Apart from these theories, there are many branches of ethics which can be studied, including meta-ethics (the study of the origin and meaning of ethical concepts), normative ethics (how to define the moral standards that govern right and wrong conduct) and applied ethics, which is the study of specific, often controversial, moral issues such as abortion, animal rights or euthanasia. This book is mainly concerned with applied ethics and in particular the field of business ethics which applies to corporate entities. This includes the ethical responsibilities of companies in areas such as employee rights, advertising, financial management, and the protection of health, safety and environment.
Ethics and the law
The relationship between ethics and the law is of interest for this book since externally imposed government regulation is one of the main preventive measures against corporate accidents and is studied in Chapter 6. In modern societies, the legal justice system is closely related to ethics in determining the standards of right and wrong behaviour and the enforcement of the rights and duties of groups and individuals. The legal justice system not only adjudicates on whether deviations from these standards have occurred, but also imposes punishments. However, most ethical behaviour is defined not by the law but by standards of morality and by the expectations of society. Ethical behaviour can be considered to lie along a spectrum which varies from, at the lower end, impolite behaviour to, at the upper end, illegality. This is simply illustrated in Figure 3.1. Impoliteness, not being courteous and considerate to others, certainly falls within the scope of unethical behaviour, but hardly merits a place in the study of applied ethics since it is a basic expectation of the way people should behave socially rather than a serious moral issue. Further along the spectrum lie the various moral issues, many of which have long been accepted as unethical (such as untruthfulness, lack of respect, greed and cheating), but are not necessarily illegal. Other issues are less clear-cut and are subject to debate by society (such as animal testing and genetic engineering), but are not illegal for the time being. Of course, there will never be a complete consensus on every moral issue as to what is acceptable and what is unethical. Behaviour which one person finds unethical may be quite acceptable to the next person. This is why the law is often used to regulate the most controversial ethical or moral dilemmas in society. The result is that some issues are at the borderline of illegality and therefore subject to legal restrictions (such as abortion and the use of human embryos). At the far end of the more serious moral issues lies the somewhat fuzzy legal boundary which differentiates unethical behaviour from illegal activities.

[Figure 3.1 Spectrum of unethical behaviour: impoliteness, moral issues and, beyond the legal boundary, illegal activities, in order of increasing seriousness.]
Beyond the legal boundary lie the actions which society, via the legislature, has already decided are completely unacceptable. Most illegal behaviour is probably, by definition, unethical in nature since it is behaviour which has been condemned by a consensus of society and made subject to the law. The main point of Figure 3.1, however, is to demonstrate the fuzziness of the boundary between unethical and illegal behaviour. The location of the boundary will vary according to societal trends and over time. Liberalization and reform often result in previously illegal activities becoming legal but not necessarily ethical. Sometimes the law is blind to behaviours that would not bear ethical scrutiny in the eyes of many people. Conversely, increasing volumes of legislation tend to push previously unethical behaviours across the boundary into illegality. At other times, particularly in the context of corporate activities, it is found that behaviour which might have been classed as unethical has suddenly strayed across the boundary into illegality following a corporate accident. This is prone to happen under non-prescriptive
umbrella legislation such as the Health and Safety at Work etc Act 1974 (HSW Act) in the UK. The HSW Act can often be invoked where a company is found not to have given due consideration to the safety and well-being of employees or any other persons affected by their operations. This may arise as a result of regulatory inspection or following a serious accident. In effect, the Act allows for corporate behaviour which is unethical, but not necessarily illegal under any more specific regulation, to be tested in court. As a result, there are many instances of where, particularly following a corporate accident, behaviour which might have been considered merely unethical prior to an accident becomes illegal after an accident has occurred and a successful prosecution has been obtained. This is a powerful argument for companies to practise self-regulation and have a strong ethical policy in place, as described in Chapter 6. The objective is to avoid inadvertently crossing the boundary of illegality. Companies creating externalities may be sailing close to the wind regarding this boundary. Two examples of this are given below.
The Hatfield rail accident 2000
The derailment of a high-speed train at Hatfield in the UK in October 2000 led to the deaths of four passengers and was due to the sudden disintegration of a section of railway line owing to inadequate inspection and maintenance. The maintenance contractor, Balfour Beatty, and the operator of the infrastructure, Railtrack, were charged with various offences under the HSW Act and fined £10 million (later cut to £7.5 million) and £3.5 million, respectively. At an individual level, five executives were all cleared of breaking health and safety rules, and health and safety charges against four other Balfour Beatty managers were dropped. In a statement, Balfour Beatty reiterated its view that the accident ‘arose as a result of a systemic failure of the industry as a whole’. The lack of maintenance to the infrastructure was an economic decision made by Railtrack, the privatized owner, some years earlier. Drastic reductions in maintenance staff were made following privatization, in-house knowledge was effectively diluted and the work was contracted out to less experienced contractors. As a result of competitive tendering it is probable that maintenance schedules were trimmed. These measures were taken solely to improve the financial performance of the company through cost savings, thus increasing profits to the stockholders. Although little information is available about internal decision making, it is probable that professional engineers in Railtrack were fully aware of the potential dangers of this policy. In any case the company’s actions can only be classified as unethical. Following the accident the behaviour became illegal as well as unethical. It was probably pure chance that the accident occurred at Hatfield; it could have occurred at many other locations on the rail system where similar defective sections of rail were later discovered.
On this basis, there is some justification for Balfour Beatty protesting that they were singled out unfairly because the accident happened to occur on a section of track that they had maintained.
At the same time inspection failures by Balfour Beatty specific to this section of track were identified and it was these failures which became the basis for the charges under the HSW Act. It is important to note, however, that these failures were only the direct cause of the accident and not the root cause; the root cause was the systemic failure of Railtrack to ensure proper oversight of maintenance of the infrastructure. It is known that the safety regulator (HM Railway Inspectorate) were already concerned about lack of maintenance of track prior to the accident. Their concerns had been made known to the operator (Railtrack), who could not have been unaware of the potential for a serious fatal accident resulting from their cutbacks in the company’s maintenance regime. It is difficult therefore to understand how such an accident could not have been foreseen and action taken. It is possible to speculate that this was allowed to happen because following privatization senior management in the company were hired not for their knowledge of railway operations but for their expertise in making a profit and improving the returns to stockholders. Knowing the potential consequences of a lack of maintenance, the situation clearly came down to an ethical policy issue which should have been addressed by Railtrack. However, the specific failures for which Balfour Beatty were prosecuted under the HSW Act crossed the boundary dividing the seriously unethical from the illegal.
The Larkhill explosion 1999
A similar maintenance-related accident occurred at Larkhill, Lanarkshire, Scotland, in 1999, when four members of the same family were killed in a gas explosion at their home. The cause of the accident was a gas leak from a ten-inch diameter corroded iron supply pipe (external but close to the house) which ignited, causing a blast which was heard fifteen miles away, totally destroying the property. Smells of gas in the area had been previously reported to Transco, the pipeline division of Lattice, the UK gas transportation and distribution group, who owned the corroded pipe. The accident resulted in a two-year investigation by the Hamilton Procurator Fiscal (the public prosecutor in Scotland), the Health and Safety Executive (HSE) and the Fraud and Serious Crime Squad of Strathclyde Police. As a result the company faced the first ever prosecution for culpable homicide, the equivalent in Scotland of a charge of corporate manslaughter. These charges were later dismissed on appeal after three senior Scottish judges ruled that the prosecution had failed to name an individual at Transco who could fulfil the legal definition of ‘safety director’. They also faced charges of contravention of sections 3 and 33 of the HSW Act. Shortly after the accident, Transco and the HSE announced that an inspection of the same gas main had revealed a total of nineteen leaks over a short length. Transco were, similar to Railtrack in the previous example, a privatized company responsible for gas distribution and had once been part of the British Gas public utility. Before the accident Transco had been criticized by Ofgem for falling 29 per cent below its target for replacement of ageing cast iron pipelines (Ofgem is the government watchdog for the industry which regulates the gas and electricity markets).
In 1997 Transco had reduced its maintenance workforce by 1000 engineers and was forced to admit that it had become critically short of the resources needed to maintain safety
on the distribution network. The company claimed that the job cuts were necessary to offset a loss of revenue which had resulted from price cuts imposed by Ofgem. Transco was ordered by the HSE immediately to replace the ductile iron piping and to speed up the replacement of ageing gas mains throughout the UK. Later, the HSE announced the decision to replace all ductile and cast iron gas mains in Britain located within thirty metres of buildings (some of which are at least forty years old, and some are over 100 years old) with polyethylene pipework under an accelerated programme. At the hearing at the High Court in Edinburgh in 2005, it was suggested by the prosecutor that Transco had put profits before safety and, furthermore, had tried to put the blame on to an internal pipe leak in the house, something for which it was not responsible. The outcome was that Transco was fined a record £15 million (profit the previous year was £390 million) after being convicted of gross and numerous safety breaches which led to the deaths of the family of four in the explosion. In addition to fining the company, the judge, Lord Carloway, was extremely critical not only of their safety failures in adequately maintaining the network, but of their failure to take responsibility for the cause of the accident ‘despite overwhelming evidence to the contrary’ coupled with the fact that the ‘corporate mind of Transco has little or no remorse for this tragedy which, they ought at least now to accept, was exclusively their own creation’.5 Lord Carloway also stated that ‘Transco were well aware that sections might already be corroded and that this could cause a leak and result in a serious incident, potentially involving multiple fatalities. That, of course, is precisely what did happen in 1999 when the explosion killed the entire Findlay family’. Here again it is possible to discern the difference between the root cause and the direct cause of the accident.
The direct cause was the failure by Transco properly to investigate previously reported smells of gas in the area around the failed pipeline. The root cause was the overall lack of maintenance and slow replacement of the ageing gas mains across the country, largely stemming from economic reasons. The root cause of the accident is systemic, namely a failure of ethical policy by Transco who, even in court in the wake of the accident, seemed reluctant to admit responsibility. The overriding impression was that they were incapable of seeing beyond the balance sheet to recognize that they should give priority to the safety of their customers and the public. Corporate citizenship models, which are able to address systemic issues such as these, are discussed in Chapter 9. These examples demonstrate the difficulties faced by the safety regulation regime in pre-empting serious accidents by detecting and acting upon incipient root causes. Even where suspicions already exist of high-level corporate shortcomings, it will come down to a question of their seriousness and the likelihood that they would lead to an accident. In both these examples, the potential consequences of the maintenance deficiencies were not limited to the location where the accident occurred. The accident was effectively a random event which could have occurred at any time and in any place. In short, the regulator cannot be expected to detect and notify all companies which are at risk of a corporate accident, never mind predict where an accident is likely to occur. As stated previously, accident prevention will ultimately depend upon self-regulation by companies through operating an adequate ethical
policy and having proper strategies in place. Nevertheless, there will always be rogue companies operating so close to the margins of acceptability that at some point in the future they are likely to cross the boundary between unethical and illegal behaviour. Unfortunately, some companies may even have made a tradeoff between the cost benefits and detriments of creating externalities. Government safety regulation as it exists and its effectiveness in preventing corporate accidents are considered in more detail in Chapter 6.
Individual ethics
Before exploring the possibilities for corporate ethics, it is useful to examine ethics in the context of the behaviour of individuals. This will reveal the underlying societal pressures which are the determinants of ethical behaviour which cause individuals to behave ethically most of the time. The concept of ‘corporate personhood’, the fact that under the law a company is regarded as an artificial person, has already been explored in Chapter 2. It is therefore useful to consider whether there is an analogy between the ethical motivations which apply to individuals and those which apply to the corporate body and, if so, whether these same motivators influence how organizations conduct their business.
Restraints upon personal liberty
One of the idealistic aims of a modern political democracy is to allow individual citizens sufficient personal liberty and freedom of action to pursue their own interests without impinging unduly upon the liberty of others to do the same. The key word here is ‘sufficient’. If personal liberty was completely unrestrained then individuals need not have any regard to the interests of others. In such a society, driving a motor vehicle on any side of the road at any speed would be perfectly permissible. The cost of such liberty would be unacceptable carnage on the roads, which would be in nobody’s true interests. Thus, liberty involves the voluntary renunciation of certain freedoms for the benefit of all citizens. For the most serious matters people agree (usually) to accept legal restrictions upon personal freedom. In a democracy, this consensus is implemented by the elected government through the various laws, statutes and regulations which define standards of personal behaviour. At the same time there are limits on how much we will allow government to interfere with our lives. There are certain inalienable freedoms which we believe should be guaranteed, such as freedom of speech, freedom of assembly and the freedom to work in occupations of our choice, to take but a few examples. Essentially, we desire the freedom to pursue our own personal interests without restriction so long as they do not interfere with the interests of others. Legal restriction of freedom is rightly limited to matters where our actions can have a serious social impact upon the well-being of others. For lesser matters, the same result can often be achieved through an informal consensus on what is considered to be ethical behaviour. As citizens, life would be very simple if, when we
had fulfilled all our legal obligations to society and the state, we need do no more. We could then sit back and enjoy our guaranteed liberty to follow our chosen lifestyle. Within the legal restrictions placed upon us, we could in theory do whatever we wish. If what we do harms others, but it is not illegal, then in theory we can continue to do it. However, to be a citizen within a society, especially a corporate citizen, places other obligations upon us which are not defined by the law. This brings us into the realm of morality and ethics.
Determinants of individual ethical behaviour
The study of what motivates individuals to behave ethically may throw some light upon whether the same factors can be brought to bear on corporate ethics, on the basis that a company or corporation is legally defined as a person with many of the rights and obligations of individuals. The question ‘why should I behave ethically?’ has been explored, if not fought over, by moral philosophers and others down the centuries. The range of answers is wide indeed, but this book puts forward three important determinants. The first two are driven by seemingly opposite human concerns: concern for others and concern for self. The third is more complex, but is clearly of interest: the personality of the individual, which clearly has an influence on moral choice and ethical action in a given situation. Each of these is considered here in the individual context so that any analogies with corporate behaviour may be identified in the next section.
Unselfish concern driven by empathy
There is a social or caring impulse shared by most people which goes far beyond mere politeness (at the lower end of the ethical spectrum) and responds to the interests of others, sometimes requiring us to relinquish individual self-interest. When we encounter somebody who is injured or distressed it may be inconvenient to stop and render assistance, but hopefully we have an impulse to relieve that person’s suffering or call for help. This is not a requirement of the law but falls within the scope of ethical behaviour (although in some countries it is an offence not to stop and render assistance at the scene of a road accident, for example). We do this at least partly because our common humanity allows us to identify or empathize with the misfortune of others. In identifying or empathizing we put ourselves in the place of the other and imagine how the other is feeling. This social or caring impulse usually operates at the level of direct person-to-person contact. However, we can also be motivated to help indirectly when, for instance, we give money or time to charities which are set up to help those less fortunate than ourselves. In this case we still empathize with the dilemma of others, but we act at a distance using our imagination to visualize a remote situation where people are in need. We may learn of this situation through media reporting or by word of mouth or because somebody we know has been affected. Again, this indirect social impulse is not a requirement of the law, although the state may encourage such action by providing tax breaks or other advantages to charitable organizations or to
personal giving. The state does this on the principle that encouraging the social impulse helps to smooth the running of society by overcoming the natural individualistic tendency of people to look after only their own interests.
Self-concern driven by social pressure
An equal and opposite motivation for ethical behaviour derives not from empathy or social concern for others, but rather from self-concern. This is linked to the reason why some people might abstain from illegal behaviour: the fear of social stigma or punishment. In the same way, we may decide to behave ethically in order not to lose our moral standing in the opinion of society and to avoid the disapproval of others. Along with this, as a result of our upbringing or socialization, we may feel ashamed or guilty if we behave unethically. Simply put, we would not feel comfortable with ourselves if we did not behave in the way society expects. This motivation to ethical behaviour is driven by social pressure and self-preservation, rather than empathy for others. Apart from the negative motivation of avoiding social stigma, there may sometimes be a positive reward for our ethical behaviour: improving our image in the opinion of society. The theory of duty ethics would maintain that behaviour prompted by this sort of motivation is never ethical even if the outcome is good, since the end cannot justify the means. Conversely, utilitarian ethics would allow this sort of behaviour to be ethical since it is only interested in the end and the means are irrelevant. Ethical behaviour motivated by self-concern is important when we later come to examine corporate ethics. Thus, for the purposes of this book, it will be presumed that self-concern is a valid motive where the utilitarian balance of benefit is likely to be positive. This would support the argument of many that ethical behaviour must be much more than good intentions or warm feelings; it is the translation of moral concerns into action that is important, whatever the motive.
Personality
Innate human personality, whether by genetics or upbringing or both, is an important determinant of each individual’s ethical tendencies in a given situation. Classical Darwinism would seem to exclude the human evolution of morality and innate ethical tendencies. On this basis all ethical behaviour would be derived from upbringing and socialization. However, few experts today would agree with this extreme view. Social Darwinism and its offshoots6 have come to provide a more flexible model for human behaviour, one in which Darwinian competition and reciprocal altruism (or cooperation) can go hand in hand. This works on the principle that the cooperative aspects of human behaviour have evolved along with the competitive instincts in order to ensure the survival of the community. However, the balance between the competitive and cooperative aspects has a tendency to favour the competitive unless other motivations intervene, as discussed above.

These three prime determinants (there may be others) of human ethical behaviour provide us with a simple model which can be examined at the corporate level for its veracity and usefulness. It enables us to consider the ethical behaviour of corporations in the context of corporate personhood, as discussed in the previous chapter.
Corporate ethical behaviour
The ethical corporate entity?
The corporate body is, under the jurisdiction of the law, regarded as an artificial person and as a result is attributed with many of the legal rights and obligations which apply to real people. Whether this analogy can result in ethical behaviour is influenced by the fact that the concept of corporate personhood is really only a legal device invented to ensure that corporations can effectively interact with each other, with society and with the state. Strictly speaking, the corporation can act only to pursue the legal ends set out in its articles of incorporation to fulfil the purpose for which it was originally founded. To pursue objectives other than those for which it was incorporated may indeed be illegal. In short, the corporation has essentially no motivation to act in an ethical way outside the established legal framework, in the same way a human actor may be motivated to do. The question asked by Edward, First Baron Thurlow (1731–1806), an eighteenth century English jurist and Lord Chancellor of England, is pertinent here: Did you ever expect a corporation to have a conscience, when it has no soul to be damned and no body to be kicked?7 This observes that any expectation of corporate ethical behaviour is foolish because the corporation lacks most of the characteristics of human personhood, such as a moral framework which directs its actions. Likewise, in present-day consumerist society there is a generally low expectation that companies will behave ethically, mainly based on a number of well-publicized incidents such as the corporate manslaughter case studies in Appendix 1. There is a common belief that corporate bodies are allowed a great deal of latitude in being able to increase the wealth of the stockholders at the expense of third parties, including health, safety and the environment, while avoiding significant liability.
As discussed earlier, the only real penalty which can be applied to a company is a fine and the amount of this may be trivial compared with the monetary benefits to the company of the unethical behaviour. This has led to increasing demands by society for ethically responsible behaviour, and if this is not forthcoming it is argued that many of the present freedoms and privileges that companies enjoy should be removed by means of legislation. The question to be answered therefore is whether it is possible for the company to have legitimate moral concerns which may be objectified in ethical behaviour which goes beyond the need to stay within the law as applied to corporations. It must also be considered whether it is necessary for an organization to behave ethically once it has met the requirements of the law.
Corporate ethical motivation
Each of the main determinants of individual ethical behaviour described above is now considered in the context of corporate behaviour.
A selfless motivation
In individuals, this motivation is prompted by the empathy felt for others brought about by our common humanity and the mental ability to imagine ourselves in somebody else’s place. This quality is a part of what defines us as being human. Since the moral or social impulse to ethical behaviour is driven solely by human-to-human empathy the analogy clearly breaks down in the case of the corporate body. The moral framework for this impulse is probably formed in individuals mainly as a result of upbringing and socialization; this simply does not exist with the corporate person. Serious problems arise therefore when we attempt to transfer this particular motivator from a human being to an organization or a corporate body. In the case of a corporate body there is no quality analogous to human empathy to motivate ethical behaviour; the influence of the human actors who animate the organization through their corporate roles is considered later.
A self-seeking motivation
In individuals this motivation is prompted by the desire to look better in the eyes of society, reinforced by feelings of guilt and shame when failing to act ethically. The motivation (albeit somewhat negative and not necessarily ethical according to some theories) may exist to some degree within a corporation if it wishes to enhance its image in relation to its competitors. This, of course, is not driven by any feeling of shame or guilt if it fails to act ethically, as in the human case. It is driven solely by self-interest and the desire to enhance the reputation of the company, but only so that the wealth of the stockholders is increased through improved business. As with the human motivation it also requires publicity in order to bolster the image of an ethical company. A typical example of this might be an oil company which, in order to overcome the negative connotations of the oil extraction industry such as pollution of the environment, emissions leading to global warming and depletion of non-renewable resources, may try to project a ‘green’ image. The publicity will be achieved by adopting a green logo and promoting itself as, for instance, supporting the renewal of forests and the production of cleaner products with less harmful emissions, and being concerned for the environment. Although this may appear to look like ethical behaviour over and above that required by the law, it is in fact self-seeking behaviour driven by the profit motive. Of the two motivators to ethical behaviour described above, social concern and self-concern, only the second can be applied to corporations. Even so, it only operates in a limited way and is not entirely analogous to human behaviour. Ethical behaviour will be practised only so long as it is well publicized and results in increased profitability or competitiveness.
If this benefit is no longer realized, then the company must cease the behaviour; it is legally required to do so to meet its own founding principle of benefiting its stockholders.
Corporate ‘personality’ and culture
Corporate culture, and in particular safety culture, is considered to be a major defence against corporate accidents and is explored in detail in Chapter 4. Here, an analogy is
developed between corporate culture and personality. This is to attempt to answer the question: does a company have a ‘personality’, perhaps reflected in the company culture, which can influence ethical behaviour? In Chapter 2 it was shown how the company or corporation is sometimes described in anthropomorphic terms as the body corporate. This is reflected in the legal recognition of a company as possessing some of the characteristics of personhood. It was shown how legally, the company is an artificial person or body with many of the prerogatives of an individual to act under the law and to seek the protection of the law. It was described how, under the law, a company has a ‘perpetual lifetime’ so that its existence is independent of the lifespan of its owners and the people who work for it. The analogy of corporate personhood can be extended to compare it with the human body, where the dying cells are replicated over a lifetime so that the physical appearance of the body remains recognizably the same (although ageing as a result of imperfect replication) and the personality is largely unchanged. Chapter 4 shows that a company culture is emergent over time rather than something which is ‘handed down’ from the top of the company. The culture is something that a company is, rather than something that a company has, which is a common assumption. This has implications for changing the culture, as discussed in Chapter 4. The main implication here is that the company culture continues largely unchanged over time and is therefore independent of those who own and work for the organization at any one time. Like the cells in the human body, ownership and employment in a company are not static but are, as it were, replicated over long periods. This suggests that it may be useful to represent an organizational culture in terms of the analogy of a corporate personality.
This theme was taken up by Joel Bakan, a professor of law at the University of British Columbia and an internationally recognized legal authority on corporations, in his book The Corporation,8 in which he describes how the corporate personality might be defined in psychiatric terms. Bakan in his book, however, took the rather pessimistic view that because the sole purpose of a company is to increase its profits and the value of its stock, it will always do this by externalizing its costs on to third parties. Its ethical and moral behaviour as a member of society will always therefore be determined by its purpose, fulfilling the dictum of Baron Thurlow mentioned above. In fact, Bakan tested some of the moral characteristics of the corporation against a psychodiagnostic checklist devised by Robert Hare9 to identify patients with sociopathy. As a result, Bakan reached the rather startling conclusion that the essence of corporate personality is sociopathic (also called psychopathic) in nature. The Hare checklist includes such characteristics as manipulative, grandiose, lack of empathy, asocial tendencies, inability to feel remorse and refusal to accept responsibility for one’s own actions. No doubt some companies have at times exhibited sociopathic symptoms. However, this book maintains that with checks and balances such as regulation, corporate citizenship and a corporate ethical policy (see Chapters 6 and 9) companies can be made sufficiently accountable that corporate self-interest will mostly coincide with society’s interests. Using the analogy with the way personality evolved in the human species to include a moral sense, it might be said that a company ‘personality’ also
evolves in the social Darwinian sense, which is able to balance self-interest with the interests of the community in which it operates. The ethical aspect of the corporate personality which emerges is probably reflected somewhere in the culture. What is certain is that many corporate accidents stem from an inadequate culture, or using the above analogy, defects in ‘personality’ which lead to an organizational failure. Quite often these failures are driven by a narrow focus on short-term financial gain through externalizing costs in the interests of a limited number of stakeholders. The tradeoff between competing interests (self and society) then becomes out of balance. One of the main premises of this book is that the tendency of the corporate personality to veer towards these deviant behaviours can be overcome by setting up a system of adequate strategies such as those described in Part II. Some of these strategies imply the need to change the company culture so that ethical behaviour becomes a natural element of the corporate personality. These topics are dealt with primarily in Chapter 4, ‘Safety culture’, Chapter 8, ‘The learning organization’ and Chapter 9, ‘Corporate social responsibility’. The concept of corporate personhood taken alone provides very little motivation for the adoption of ethical policies, mainly because the analogy with individual ethical behaviour is incomplete. In this respect the outlook is rather bleak. However, the influence of the various human actors and stakeholders who operate the corporate ‘strings’ needs to be taken into account, as does the way in which the corporation is structured, organized and managed. These topics are now addressed.
The influence of human actors
In reality, the corporation, whilst legally described as an artificial person, can do nothing of its own volition. It is merely a legal entity which is unable to comprehend the finer points of ethics and morality. It can act only through the intention and will of the human corporate actors which have an influence on its behaviour. These human actors can be placed into four groups: directors/managers, owners/stockholders, workforce and consumers/public. The degree to which the individuals in each group are able to influence the company’s ethical policies and actions is explored below.
Directors and managers
Those with the greatest power to influence ethical policy in the organization are the company’s directors and senior managers. The corporation might indeed be an artificial person, but those in control of the company are real people with the capacity for moral integrity and a potential desire to act ethically. Yet, when wearing their corporate hats, they are merely the servants of the company and its stockholders, hired for a time to further the company’s interests, and by so doing, further their own self-interest in terms of rewards, bonuses, salary and status within the organization. The real people behind the persona of those carrying out their corporate duties are hidden behind the ‘corporate veil’ mentioned in the previous chapter. As servants of the company they are contracted to take on an assigned corporate role and their private roles must be put to one side. However, should you ‘lift the veil’, the real person – in a sense, the ‘little man’ – emerges carrying all the civilized trappings of humanity like the rest of us. This may be a person with a home and a family life, someone who, perhaps, is on the board of school governors, a person who gets involved in charitable and other good works in the local community and feels empathy for those who are in trouble. Here is a person with moral concerns who in their private life will act ethically and whose conscience would suffer if they did not. In this private role is found a person who would not dream of harming society or exploiting other people for his own benefit by allowing them to be exposed to serious hazards. But when the veil is in place, the private person disappears and re-emerges as just another company servant whose personal rewards depend upon acting in the interests of the company alone. Whether he will act ethically in this capacity depends not upon his character or conscience or personality, but upon his impact on the financial performance, competitiveness and survival of the company. As a company servant he is driven solely by the determinants of corporate ethical behaviour as defined above, rather than human ones. The corporate entity cannot of itself possess any moral imperatives to ethical action. But if the corporate purpose is geared only to the financial interests of the stockholders, those in control of the company will be constrained from acting in ethical ways which may conflict with this aim. To overcome this constraint it will be necessary to introduce moral imperatives by means of some of the corporate citizenship models described in Chapter 9. In Chapter 9, alternative corporate structures are described which define how ethical behaviour can be legitimately pursued and encouraged by directors and senior managers.
If the corporate structure actually specifies ethical aims and objectives then the constraints upon directors and management may largely be lifted.
Owners and stockholders
One of the most influential groups affecting corporate behaviour should be the owners of the company and its assets: the stockholders. Whilst their main purpose in investing in the company may be to increase their personal wealth through the value of the stockholding and by receiving generous dividends, they may still be interested in owning an ethical business. There was a time when most stocks and shares were owned by individuals; that is, real human beings who might have legitimate ethical concerns. Sometimes the shares were held privately by a family who demonstrated paternalistic and humanitarian values in the way the company’s business was conducted. Since the family would also be closely involved in the management of the company, they would have the power to make decisions about the way the company was operated based on ethical or moral standards. In more recent times, the close connection between ownership and control (which existed with large individual stockholdings and family-owned businesses) was severed as company shares were increasingly disposed of in the marketplace. The result has been that the majority of shares of most larger companies are today owned by institutional investors such as pension funds and insurance companies. Any interest in ethical behaviour is then subject to the requirement to maximize return on investment and the need to act in the financial interests of their own stockholders and investors. When companies own companies then any residual ethical instinct is sublimated to financial performance. It can be argued that if a company demonstrates ethical behaviour in the pursuit of self-interest then this is entirely satisfactory for the owners, and if it results in improvements to the safety, health and welfare of people and the protection of the environment then this is a bonus. The problem arises when the costs of acting ethically outweigh the monetary benefits to the company. Stockholders may well have ethical concerns, but their level of concern is likely to be limited by financial considerations. If they are an institutional stockholder, then they also have to stay in business. At this point the owners of the company will surely expect the company’s charitable instincts to be curtailed. In fact, company law itself will prohibit the expenditure of company money on any concerns which do not accrue monetary benefit to the company. The management of the company must remain true to the principle of maximizing share price and dividends distributed to the stockholders. Profitability is the order of the day and how this is achieved is of little relevance to an investor so long as unethical behaviour does not place profit or share value in jeopardy. Even where such behaviour might put the company at risk financially, the principle of limited liability described in Chapter 2 protects the investor against the worst consequences. The maximum liability of the owners of the company is limited to the value of their stockholdings, so that the most serious outcome is company bankruptcy.
This may be serious for the owners, but it is the workforce and customers who are usually last in the queue when it comes to compensation. Stockholders and government tax authorities will take priority here. A bankrupt company has limited resources and suddenly becomes like a real person in the sense that it can only compensate people to the degree that it has the funds to do so; it is not possible to get what somebody doesn’t have! Although the ‘artificial person’ which is the corporate entity is theoretically owned by real people (e.g. the investors in a financial institution which owns companies) the separation between ownership and control has in recent years become effectively total. The influence of the ownership on whether or not ethical practices take place has correspondingly been reduced.
The workforce
Company employees have a direct stake in the success of the company which employs them. If that company becomes more successful then the work will expand, providing opportunities for promotion with the possibility of higher wages. If the company fails then staff cuts and unemployment will be the result. If, in order to maintain profitability, the company resorts to behaviour which is unethical then it is likely that at least some members of the workforce will become aware of this. This always poses a moral dilemma for the employee since on the one hand there may be a desire to bring matters to the attention of the company and on the other hand an instinct to keep quiet in order to serve the company’s interests as well as protect their job. If the unethical behaviour does not affect the worker directly (as it would with health, safety or working conditions) then it is more likely that the employee will remain silent. The problems faced by lone whistleblowers are well known and are discussed in Chapter 8, ‘The learning organization’. Although the job and rights of whistleblowers are now theoretically protected by the law in some countries, based on recent evidence they remain vulnerable to victimization and exclusion. This has even resulted in workers being unable to find future employment in the same industry since other employers will regard their reputation as being tarnished rather than enhanced. Even workers who suffer the direct consequences of deliberate cost externalization are not always in a strong position to remedy an unsafe situation if a company is determined to permit unethical work practices. Although under the law companies are obliged to consult with worker representatives through the medium of safety councils, etc., it is a management decision whether or not to act upon the recommendations of those bodies. Lack of resources, the high cost of downtime or simply the expense of modifying old and outdated equipment to improve the working environment are often cited as reasons for failure to act. The industrial power of workers through trade union organization to bring pressure to bear on employers has diminished considerably in recent years. This is partly through anti-union legislation to protect business from excessive trade union power and partly due to less and less unionization of workers in general. Employees acting alone are virtually powerless to effect change and promote corporate ethical practice. Their only recourse may be to seek employment elsewhere when the situation becomes sufficiently intolerable.
Consumers and the public
Consumers and the public have become increasingly politicized over recent years and are much more willing to exert their buying power to influence the ethical policies of companies that have come to their attention. As a result the power of consumers and the public to influence the ethical behaviour of companies is probably much greater than any of the other groups of people referred to above. The success of any business in terms of meeting its chief objective of maximizing its sales and profits is highly dependent on maintaining a large, loyal and preferably expanding customer base. The customers of a company have the unique power to vote against the company with their wallet by taking their custom elsewhere. Consumers acting individually may be of little consequence to a company, but when they act collectively they can wield enormous influence over the financial fortunes of a company. Successful boycotts of products and services are an indication of the growing effectiveness of consumer power, although companies often play down the role of consumer pressure when they make changes to their ethical policy. Perhaps the most widely publicized example of a company which changed its behaviour as a result of consumer action was Shell UK, who operated the Brent Spar floating oil storage facility in the North Sea. When the time came to decommission this facility in 1995, Shell decided to attempt deep-sea disposal in the North Atlantic. The environmental group Greenpeace instigated a campaign against the dumping of the platform and when this was picked up by the public, consumers began to boycott Shell products. As a result, sales of Shell petrol were down by 70 per cent in Germany, causing the company to reverse its policy after only a few days. Full details of the Brent Spar incident are presented as a case study in Appendix 2, mainly to illustrate the principles of corporate social responsibility explored in Chapter 9. There are many other similar demonstrations of the power of consumers and the public to bring major financial detriment to a company which behaves unethically. Chapter 9 highlights the importance of companies having a written statement of ethical policy to which directors, managers and employees are required to subscribe. Effective organizational systems will then need to be put in place to ensure continued compliance with the policy. These systems can be included in the company’s safety management system, as described in Chapter 7. The main point of the ethical policy is to ensure that the company is operating within legal requirements which, as stated in Chapter 6, is usually a minimum standard, but it will also protect the company against corporate accidents as a result of unethical management practices or actions by employees approaching the boundary of illegality.
Managerial and professional ethics
Apart from corporate ethical policies there is a further line of defence against unethical behaviour, which exists at the level of individual professional functions in the organization. In many companies there will be a significant number of individuals who are members of professional bodies on which their employment will depend. These bodies will in most cases have their own rules of professional conduct for members, including requirements to behave ethically within the scope of their work responsibilities and in their private lives. These codes of conduct will vary considerably depending mainly upon the type of work being carried out and its potential impact on society or other individuals affected by their activities. The reason for having professional standards is to widen the ethical scope of the profession beyond the merely legal requirements, which should already be covered by the employer’s systems and procedures, and which in many cases set only a minimum standard. Professional people are required to make sometimes difficult judgements based on incomplete or complex knowledge and therefore require guidance in areas which are not necessarily regulated by the law. In making these judgements it is important that professionals are not motivated purely by self-interest or the narrow interests of the employer. Professional codes of conduct are a form of self-regulation which must be essentially independent of politics and government. Although professionals must obey the law they must also take account of wider societal and ethical issues arising from their work. Professional codes of conduct are also an important means of inculcating public trust. ‘Without the intervention of conscience, the law cannot govern. There must be a moral basis of trust’.1
Professional codes of conduct
Medical and legal professions
A well-known example of ethical professional codes is in the medical profession, where medical doctors are required upon qualification to take the Hippocratic oath (written in the fifth century BC) ‘to pursue their patients’ best medical interests, to avoid harming or exploiting them, and to maintain their confidence’.10 Failure to comply with ethical medical standards will result in the practitioner being struck off the professional register and banned from engaging in the profession. In the case of the legal profession, practitioners are required to adhere to professional codes of conduct which provide protection for individual clients and the public in general by upholding the rule of law and the proper administration of justice. The ethical codes for solicitors,11 for instance, are quite complex, involving different areas of activity, but mainly the solicitor’s independence or integrity and a duty to act in the best interests of the client. The financial services professions are also required to conduct themselves ethically. This was put in place following a number of industry scandals, such as investment misselling, unfair treatment of customers and deceptive advertising, which led to a loss of confidence by the public in the financial investment business. In all these cases it should be noted that while unethical practice may not necessarily be illegal, it is often at the borderline of illegality. As a minimum, practitioners who do not meet the standards make themselves vulnerable to loss of career and compensation claims by clients and at the worst may find themselves in court.
Science and engineering professions
Of importance in the prevention of corporate accidents are the codes of practice applied to members of the scientific and engineering professions. Although perhaps less publicized than in the case of the medical, legal and financial industries, rigorous professional standards are crucial to the safe design, construction and operation of major hazard installations such as chemical and nuclear plants, oil and gas installations, and public transportation systems. Most scientific and engineering institutions produce their own ethical codes of professional conduct so that in the UK, for instance, chartered and registered engineers must agree to abide by the particular ethical codes of their qualifying institutions. In spite of this there is a great deal of commonality between the ethical codes of different institutions. In other countries, Canada and Australia for instance, there has been a much greater degree of harmonization between different engineering specialities. Part of a typical professional code of conduct, from the UK Institution of Chemical Engineers, is reproduced in Table 3.1.
Table 3.1 Extract from the rules of professional conduct for chemical engineers12
Example rules of professional conduct
A code of professional conduct and related Rules designed to cover broad ethical principles must necessarily be drawn up in general terms. These Rules, published by the Council, indicate the manner in which members are required by the Council to conduct themselves in most situations. This conduct must be of a high standard: members must discharge their duties competently, with reasonable skill, care and diligence, and shall comply with the standards of behaviour, integrity, competence and professional judgement which other members might reasonably expect of them. For situations not specifically encompassed by these Rules, members are required to order their conduct in accordance with the principle that, in any conflict between a member’s personal interests and the fair and proper interests of the community, the member’s duty to the community should prevail.
Members when discharging their professional duties shall act with integrity, in the public interest, and to exercise all reasonable professional skill and care to:
• Prevent avoidable danger to health or safety
• Prevent avoidable adverse impact on the environment
• Competence
  – Maintain their competence
  – Undertake only professional tasks for which they are competent
  – Disclose relevant limitations of competence
• Managerial roles
  – Accept appropriate responsibility for work carried out under their supervision
  – Treat subordinates fairly and without bias
  – Encourage others to advance their learning and competence
• Conflicts of interest
  – Avoid where possible real or perceived conflict of interest
  – Advise affected parties when such conflicts arise
• Observe the proper duties of confidentiality owed to appropriate parties
• Reject bribery and any other corrupt practices
• Assess relevant risks and liability, and, if appropriate, hold professional indemnity insurance
• Notify the Institution if convicted of a criminal offence or upon becoming bankrupt or disqualified as a Company Director
• Notify the Institution of any significant violation of the Institution’s Code of Conduct by another member
• Be mindful at all times of the dignity of the profession in their personal conduct
By permission of The Institution of Chemical Engineers.
Most professional bodies, such as the Institute of Occupational Safety and Health (IOSH), have similar codes of conduct to that shown above. IOSH is Europe’s leading body in accident prevention, with membership of over 31,000 health and safety professionals worldwide. Their professional code of ethical practice contains guidance on a range of questions on moral and ethical matters as they affect members, and discusses what is meant by ‘professional conduct’.13 The involvement of chartered safety and health practitioners is an important aspect of developing effective accident prevention strategies at corporate level, as essential, for instance, as the involvement of chartered engineers and scientists in developing safe and reliable technological solutions. In many industries, membership of a professional body is a prerequisite of employment as an engineer, scientist or health and safety practitioner. This is clearly necessary to establish that the employee has the required level of competence to undertake his duties and maintain adequate standards of work. Less obvious but equally important is that it provides evidence of assent to an ethical code of conduct. The assurance of professional competence is certainly understandable and the example code presented in Table 3.1 rightly includes the maintenance of professional competence and disclosure of competence limitations. One of the other purposes of the code, however, is the general duty placed on engineers and safety experts to uphold the public interest when there is a conflict between that and the self-interest of the employee, even when the duty is not directly enforceable as a matter of law. This is more likely to occur when ethical issues arise in the borderline region between unethical and illegal behaviour. Problems in adhering to the ethical aspects of the professional code during routine day-to-day duties will rarely arise and the detailed requirements of the code will not need to be invoked apart from in exceptional circumstances. These codes therefore only tend to be called upon when a conflict of interest, or a perceived conflict, occurs, and it is then that they begin to provide a useful backstop to potential unethical behaviour by a company.
Public interest disclosure
If a professional employee believes that his work would involve unethical or unprofessional behaviour, say potentially leading to a serious accident, then first of all the matter must be brought to the attention of the employer. If his protestations are ignored and the employee is ordered to continue the work then it might be necessary to inform the regulatory authorities, by-passing the employer. In the UK the employee will be protected against victimization by the employer by the Public Interest Disclosure Act 1998. Similar legislation is in place in the USA. The UK Act provides protection for all employees if they can demonstrate that within the scope of the Act public interest ‘whistleblowing’ was an appropriate course of action. This aspect of ethical behaviour is discussed in more detail in Chapter 8. This Act therefore provides protection for professional employees where there is a ‘conflict between a member’s personal interests and the fair and proper interests of the community’.12 In this case, according to the Institution of Chemical Engineers’ rules in Table 3.1, ‘the member’s duty to the community should prevail’.12 The conflict with the member’s personal interests would arise were they to take action which could lead to a loss of career prospects or possibly loss of employment. Public interest disclosure protection is most likely to be effective when the behaviour of the employer is illegal rather than just unethical, bearing in mind the fuzziness of the boundary between the two. Where a professional employee believes that his duties are in contravention of the general ethical principles set out in his professional code of conduct, but not in contravention of any particular law, then the issue might become more difficult to resolve. This situation has occurred on many occasions. One of the most well-known and well-researched incidents was associated with the loss of the NASA space shuttle Challenger in 1986.
The loss of the space shuttle Challenger
The loss of the space shuttle Challenger in 1986 (briefly mentioned in a case study of the later accident to the space shuttle Columbia in Appendix 2) is a good example of where a company acted unethically but was not breaking any specific regulations. A US company, Morton Thiokol, designed and manufactured the solid fuel rocket boosters for the space shuttle. Engineers in the company became aware of a serious design fault in the ‘O’ rings sealing the booster segments where the sealing rings could be ineffective at temperatures below freezing. The Challenger orbiter launch was scheduled to take place in January 1986 under freezing conditions. In spite of the reservations of senior engineers at Morton Thiokol, the company’s executive advised NASA to proceed with the launch. Seventy-three seconds after launch leakage of hot gases from the O-ring seals penetrated one of the main fuel tanks, causing the shuttle to explode and resulting in the death of seven astronauts. The decision to launch was made for political and economic reasons when Morton Thiokol were placed under extreme pressure from NASA. Strictly speaking, the decision to launch was not illegal, but the failure at a senior corporate level to respond to the serious moral concerns of the professional engineers involved in the launch was clearly unethical. The official inquiry into the Challenger disaster14 found that the brittle failure of an O-ring seal in the shuttle’s solid rocket motor under cold conditions was the direct cause of the total loss of the space vehicle. In this case a matter of ethical engineering principles was raised as a serious safety issue, but this was not covered by any specific codes, regulations or health and safety law. It became a matter of professional judgement where a fundamental difference had arisen between engineers and the company’s senior executives. As far as Morton Thiokol was concerned there was a conflict of interest between safety and the desire to satisfy the client by allowing the launch to proceed. The recommendation of the engineers that the shuttle should not be launched in the freezing conditions was ignored and their judgement was overruled. The executives in Morton Thiokol were more concerned, in view of the huge financial cost of delaying the launch, to protect the company’s reputation and future business.
The inquiry into the disaster also found that Roger Boisjoly, a structural engineer, had raised this problem with both his employers and NASA many months earlier, but his warnings had gone unheeded over a long period. Boisjoly’s dedication in bringing the matter to the attention of his employers provoked considerable hostility from his superiors. As a result, not only did he lose his employment with Morton Thiokol, but he was subsequently unable to find future employment in the industry. This is not uncommon in the case of whistleblowers, there being many other examples. It is one of the penalties that the professional might pay for acting ethically when this is against the company’s interests.
Conclusion
This chapter has attempted to translate ethical behaviour, essentially a human characteristic, into the corporate realm in a way that may illuminate why companies may behave ethically in the absence of a moral imperative to do so. To assist in this process an analogy was developed between ‘personhood’ expressed in the human and the corporate form. Since the latter is merely a legal device to enable the corporate body to interact with other similar bodies, people and the state, the analogy does not hold up very well in the moral sense. The only real motivation to ethical behaviour which was discovered, and which is analogous with human behaviour, was the self-seeking motive of wishing to present an ethical image to the world. However, the extent of this behaviour is limited by the main purpose of the company, which is to deliver the best financial result for its stockholders. Any ethical behaviour over and above this, unless it is demanded by the law, is effectively prohibited. Essentially, ethical behaviour must promote the purposes of the company as set out in its articles of incorporation. Unless the behaviour leads to financial benefits for the company and its stockholders it is illegal. It was commented upon that such a self-seeking motivation to behave ethically is not in fact ethical according to some theories. A further analogy was developed between corporate culture, dealt with in detail in the next chapter, and personality, which is an important driver of ethical behaviour at the human level. There is certainly a resemblance between culture at the group level and personality at the individual level, as explored in the next chapter. Culture is later shown to evolve or emerge along a path which is not entirely under the control of the individuals who are a part of it. However, if it were possible to guide the corporate culture along a route which is able to balance the corporate and community interests, then a more ethical behaviour pattern might be a consequence. Whatever the theoretical basis, it has been demonstrated on numerous occasions, as witnessed by most of the case studies in Appendix 2, that an inadequate safety culture is one of the most common root causes of corporate accidents. In reality, a company can only behave ethically when directed to do so by the groups of stakeholders which animate it, namely the directors, managers and employees. These ‘insider’ groups may, as individuals, have a desire to act ethically, but in practice the same limitations apply to them as apply to the corporate body.
Since they are servants of the company, they are bound to act so that no conflict arises between the way they behave and the company’s financial duties to the stockholders. Company law does not help in this respect since it has little to say about ethics. The problem arises because in the course of providing benefits to the stakeholders companies also have considerable potential for bringing harm to those affected by their operations. To some degree this harm is limited by government regulation, as dealt with in Chapter 6, but this can never be fully effective as a strategy to prevent corporate accidents unless it is backed up by an ethical policy. The quotation at the beginning of this chapter expresses this succinctly: ‘those managers who define ethics as legal compliance are implicitly endorsing a code of moral mediocrity. It is not an adequate ethical standard to get through the day without being indicted’ (Richard Breeden, Former Chairman, Securities and Exchange Commission). This chapter has shown how behaviour which is unethical can very easily become illegal following an accident when it fails to meet the implicit standards of non-prescriptive health and safety regulations. The other main stakeholders, apart from those directly employed by the company, are the owners (stockholders) and the customers (public). It has been suggested that these ‘outsider’ groups may have more power over whether the company behaves ethically than those employed by the company. Certainly there are stockholders who have an interest in owning an ethical company. Socially responsible investment (SRI) is discussed in Chapter 9, and the demand for SRI portfolios has continued to increase over the past few decades. In spite of this, the modern trend is that large companies today tend to be owned by other large companies or institutions rather than individuals. The result is that the owners’ duty will be primarily to their own stockholders, who are then distanced from the behaviour of companies down the line, of which they may have little or no knowledge. For them ethics is not a problem until it leads to a corporate accident which affects the value of their stockholdings. However, it has been shown that the power of the company’s customers can be influential in encouraging ethical behaviour. Two case studies relating to this can be found in Appendix 2, sections A2.6 and A2.7. The rise of consumerism in a world of instant communications and media coverage has meant that companies who step out of line ethically are increasingly likely to be subject to intense public scrutiny. The result may be a loss of business that threatens their customer base. In order to stay ahead of the game and impress their customers, competing companies may vie with one another in flaunting their ethical credentials. Whether this is really translated into ethical business practices is another matter entirely. Protection of brand and reputation to ensure continued customer approval is probably not the most pragmatic and lasting motivation to induce a company to behave ethically. It is almost entirely negative, since it is an avoidance of unethical behaviour to achieve an objective rather than a belief that it is better to behave ethically. When the objective is achieved it may be that the ethical behaviour is no longer necessary or too costly. It is clearly better if the motivation to behave ethically arises from within the company itself simply because it is the right thing to do. This depends upon motivating the ‘insider’ group of stakeholders, the directors and senior managers of the company, bearing in mind the conflict which can arise between ethical behaviour and profitability.
In order to overcome this conflict, it is necessary to ensure that the organizational structures which are in place are based on an ethical corporate model. In other words, the ‘rules’ of the organization will require these stakeholders to behave ethically at all times rather than making ethical behaviour conditional upon meeting other objectives. Instead of merely allowing the corporate actors to take account of ethical concerns in the service of the company, the corporate model will oblige them to do so in specific ways. The ways in which such an ethical policy and corporate model can be developed and applied are addressed in more detail in Chapter 9. It is suggested that the final defence against unethical corporate behaviour may be the unwillingness of professionals within the organization to become involved in behaviour which they consider unacceptable or which is proscribed by their professional code of practice. In doing so, of course, professionals may face the problems traditionally experienced by whistleblowers, those of exclusion or victimization, where they are seen to be acting against the interests of their employer. Another potential problem is that real professionalism, as it existed perhaps a few decades ago, is gradually being managed out of the corporate system. This is happening not only within private companies but also within not-for-profit, but cash-strapped, public service organizations such as hospitals and local government. Whilst ethics may be of importance to engineers, scientists, doctors and other members of the professions, who create the benefits, their work is increasingly managed by the bureaucrats, accountants and financial experts, who control the wealth. As a result, professional decisions may be overruled in the interests of the organization as a whole. When this happens, the organization comes to be governed not by ethical or social concerns but by the concerns of accountants and the financial bottom line. This is more likely to happen in an organization which does not have specific ethical policies built into its corporate structure, as discussed in Chapter 9. The long-term danger is that, although professionalism may once have provided a ‘backstop’ for corporate unethical behaviour, it is now becoming increasingly marginalized. The subject of corporate ethics has been dealt with at some length for the simple reason that when a company has ethical policies and practices in place it is much more likely that the hidden risk factors which could lead to a corporate accident will be revealed and acted upon to pre-empt any nasty surprises. Companies which assume that merely remaining within the ambit of the law is sufficient protection against a corporate accident are likely to receive a fundamental shock at some point. This has been proven over and over again, as many of the case studies in Appendix 2 will reveal. It has been suggested by W. Michael Hoffman (Executive Director of the Center for Business Ethics, Bentley College, Waltham, Massachusetts, USA) that the appointment of a compliance manager rather than an ethics manager is indicative of the values of an organization. The general theme of corporate ethics and how it may be managed is dealt with in more detail in Chapter 9 in Part II of the book, which follows. Part II will examine all the main strategies to prevent corporate accidents which a company should have in place. It will also be shown in the next chapter that unless the culture of the company is grounded in ethical practice, many of these strategies will be seriously undermined in their effectiveness.
II
Strategies to prevent corporate accidents
Introduction to Part II
Part I examined the nature of the ‘corporation’ and how the concept of ‘corporate personhood’ evolved historically, citing the underlying economic theories behind this development. In reality, of course, corporate personhood is merely a legal fiction which enables a corporation to have a separate existence from those who own and animate it. Thus, corporations are able to act in a sense as citizens, taking their rightful place in society so that they can more usefully fulfil the role set out in their articles of association. However, it cannot be denied that the principal purpose of the corporation is to increase the wealth of its owners. As a result, there is a natural tendency for companies to externalize their costs on to third parties if not restrained from doing so. This may place an unacceptable burden on certain sectors of society from a health, safety and environmental point of view, and possibly in other ways as well. This tendency towards externalization must therefore be curbed if society is to be protected. Limiting the worst excesses of externalization is partially achieved by government regulation. It is achieved only partially because in a free-market society there are two interrelated problems with regulation. The first problem is the damping effect of regulation on entrepreneurial activity, often described as the ‘dead hand’ of government. The second problem stems from the first: in order to lighten the burden of regulation only minimum standards of corporate behaviour are imposed. However, the public’s expectations of companies and how they behave have increased immeasurably over the past few decades, making it necessary for companies to behave, or at least to be seen to behave, ethically as well as legally. In other words, just being legal is unacceptable for modern companies and their standards must go beyond the minimum regulatory requirements. The reasons for this were explored, with examples, in Part I. 
For this to happen, organizations must have corporate systems which take account of matters such as corporate social responsibility as well as profit maximization. These systems need to be integrated into all the company’s activities through action at the highest level so that all employees, whether workers, managers or directors, are guided towards high ethical standards in their work.
As described in Chapter 1, six particular corporate systems were identified as being essential to achieving the requisite standards of health, safety and environmental protection. So that the systems were relevant to the avoidance of corporate accidents they were designated as ‘strategies’. Thus, ‘Strategies to prevent corporate accidents’ is the title of Part II of this book, which now leaves the subject of corporate accountability to explore how the ethical concerns discussed in the previous chapter can be translated into practical action. The accompanying diagram summarizes the six selected strategies together with the chapter numbers which deal with each subject.
[Diagram: Strategies to prevent corporate accidents. Safety culture (Chapter 4), followed by Understand the risk (Chapter 5), Safety regulation (Chapter 6), Safety management (Chapter 7), The learning organization (Chapter 8) and Corporate social responsibility (Chapter 9).]
Safety culture is the first of the strategies to be considered and this is explored in the next chapter. It is considered that the effectiveness of the other five strategies shown in the diagram is highly dependent upon the culture of the organization and whether this encourages or inhibits the day-to-day application of these strategies. Thus, in the diagram, the strategies described in Chapters 5–9 are shown as flowing from safety culture, described in Chapter 4. Since safety culture is so important and yet, in many ways, not very well understood, the next chapter examines the subject of culture from first principles. A thorough exploration of culture in general is needed to understand the full implications of safety culture for corporate accident prevention. It discusses two fundamentally opposed cultural paradigms and whether it is possible to change a defective safety culture. The strategies shown above tend to fall into either one of two categories, pragmatic or holistic:
• Pragmatic
  – Understand the risk (Chapter 5)
  – Safety regulation (Chapter 6)
  – Safety management (Chapter 7)
are classified as more pragmatic strategies. They are judged to be pragmatic because each is specifically directed towards a particular aspect of accident prevention rather than across all corporate activities at the same time.
• Holistic
  – Safety culture (Chapter 4)
  – The learning organization (Chapter 8)
  – Corporate social responsibility (Chapter 9)
are classified as more holistic in nature. This term is usually used in medicine to refer to treatment of the complete human person, physically, mentally and spiritually. It tends to see every aspect of life as equally valuable and closely interconnected. Here, in a similar way, the term holistic is applied to the corporate ‘body’ in that these strategies must be applied right across every aspect of corporate life (not just accident prevention) if they are to be effective as a whole in reducing the incidence of corporate accidents. When perfectly applied, it is possible to imagine all the parts of the corporate body working effectively towards a common ethical purpose. Safety culture is holistic since, as described in Chapter 4, it is an integral part of the general corporate culture which pervades the whole organization. Each strategy is now described in the chapters that follow.
4
Safety culture
The establishment of a safety culture within an organization is one of the fundamental management principles necessary for the safe operation of a nuclear facility. (It should be) recognized that safety culture is both structural and attitudinal in nature and relates to the organization and its style, as well as to attitudes, approaches and commitment of individuals at all levels in the organization.
International Atomic Energy Agency, Safety culture in nuclear installations¹
Introduction
Safety culture is the ‘top-level’ strategy to prevent corporate accidents. Other organizational defences against corporate accidents, which are dealt with in later chapters, must in some way stem from an adequate safety culture. The importance of safety culture cannot be overemphasized. A failure to recognize when the safety culture has become compromised, or is no longer appropriate to the level of risk from the company’s operations, makes the company exceptionally vulnerable to a corporate accident. When such an accident occurs, deficiencies are often found in the defences that were supposed to protect the company. For instance, it may have been discovered that the direct cause of the accident was a human error when staff violated operational procedures. In the wake of such an accident, steps may be taken to improve the procedures and perhaps implement more effective training of the operators who violated the rules. This will rarely provide a long-term solution; somehow, somewhere, yet another procedure will be violated. The question that needs to be asked is: why was the procedure for this task allowed to fall out of use? This is not the fault of the operator; this is a failure of management and of corporate responsibility. If the root cause is traced back to its original source, it will probably be found that there is a defect in the company’s safety culture which allowed this to happen. The failure of the operator to follow procedures may have been occurring on a daily basis; all that was needed was a triggering event to cause the accident. This would indicate a failure by management to monitor the work. If a culture exists that allows this to happen, then it is likely that many other procedures, or indeed a large part of the safety management system, may be similarly defective leading to further accidents. This is why it is important to trace the accident back to its origins, especially where this is the safety culture. If the safety culture is faulty, then other defences against corporate accidents may have been compromised. This willingness and ability to identify the root causes of accidents is an aspect of organizational learning which will be dealt with in a later chapter. Culture is an exceedingly complex subject with ramifications which are well beyond the scope of this book. Many authorities, including some safety regulators, have taken the view that a company culture can be measured using a set of indicators which can then be compared with some normative ideal culture. It is claimed that any discrepancies in the culture can then be remedied by making adjustments to specific corporate parameters in order to bring the culture closer to the ideal state. Later in this chapter it is shown how the safety culture of an organization may be measured by using a set of suitable indicators with the objective of cultural change. It also considers the development of safety culture from a purely prescriptive or rule-based approach to a more modern risk-based culture in line with current legislative requirements. However, in approaching the subject of safety culture, the complexities of culture in general cannot be ignored. Two approaches to understanding culture are therefore considered in this chapter. Firstly, the classical approach, which allows for cultural characteristics to be measured with specific implications for being able to change the culture.
Secondly, the Gestalt approach, which considers culture to be so deeply embedded in a society or an organization that conventional methods of measurement and mechanistic approaches to changing the culture are effectively ruled out. The main objective of this chapter, however, is to understand safety culture and in order to do this it is necessary first of all to consider the basic concept of ‘culture’ in a wider framework, in both national and sociological terms, leading ultimately to the study of culture in organizations.
Culture
Perhaps the simplest way to understand culture is to see it as a collective aspect of human activity lying somewhere between on the one hand ‘human nature’, that which all people have in common, and on the other hand ‘personality’, that which distinguishes one individual from another. This is illustrated in Figure 4.1. Whereas personality distinguishes one individual from another, culture distinguishes one group of people from another. Human nature, in the broad sense used above, does not distinguish between individuals or groups, but is a characteristic of the whole species and is inherited through our genes. Culture, unlike human nature, is not inherited but in its richness and variety is absorbed and passed on down the generations in ways which are sometimes difficult to define. Historically, different cultures have retained their distinctiveness and remained remarkably stable over long periods, although in the modern era of rapid travel and communications this may be changing. Later it will be shown that organizational culture, including safety culture, is also remarkably resistant to change. This can sometimes compromise safety; if the safety culture is unable to adapt to external changes then its ability to meet safety objectives will be undermined.
[Figure 4.1 Culture. Levels shown: personality, culture, human nature.]
Culture is most often defined in anthropological terms. A standard textbook definition (which will be useful later when we come to define safety culture) is:
The system of shared beliefs, values, customs, behaviours, and artefacts that the members of society use to cope with their world and with one another, and that are transmitted from generation to generation through learning.²
Culture will be studied at the three basic levels at which it exists:
• national or regional level
• social level
• organizational level.
Organizational culture, of which safety culture is a subculture, is an important area of interest for this book. Because of the way safety culture permeates an organization it has a wide-ranging impact on all company activities. Furthermore, numerous inquiries into corporate accidents have shown a correlation between the safety culture of a company and the accident history of the company. Some of these corporate accidents are discussed as case studies in Appendix 2 and at the end of this chapter. Because it is impossible to improve a safety culture in isolation from the organizational culture it is necessary to understand the latter in order to define the former. In the same way, an examination of culture in general will enhance the understanding of culture in organizations. Each of the cultural levels listed above will therefore be examined in turn before turning later in the chapter to the ways in which safety culture can be defined, measured and possibly changed.
Culture at the national or regional level
Human societies have existed for over 10,000 years. It is believed they developed when small, mobile hunter–gatherer groups settled into more stable farming communities which later amalgamated into larger settlements, towns and regions. The development of national groups or political units, with which individuals, settlements and regions became identified, adopting a differentiated language and unique customs, is a much more recent phenomenon. Anthropologists and social scientists have attempted to identify the cultural characteristics which distinguish one nation or region from another, but this has proved to be difficult and complex. Apart from differences between nations, cultural differences exist within the nation state across geographical regions and especially across ethnically or religiously diverse groups. Even within a nation these differences may be striking and conflict between different cultural groups is evidenced by recent history. In order to identify, differentiate and compare cultures, social scientists will seek dimensions which are common to all cultures and which can be measured. The term dimension in this context will be used frequently in this chapter to define and measure culture. Typical dimensions might include, for example:³
• the relationship between citizens and authority
• the degree to which a society is individualistic or collectivist
• the social implications of gender within a society.
By measuring these or similar dimensions in a systematic way social scientists try to make objective comparisons between different cultures and aim to exclude the subjective value judgements which are often applied by one culture to another. It has been said that we can only really understand another culture by reference to the culture in which we ourselves have grown up. Because culture is so complex, a full explanation is beyond the scope of this book. However, a simple illustrative example from the cultural history of the USA is useful here. It is often believed that a culture exists which is unique to the USA. Indeed, for many people the wearing of baseball caps and the consumption of Coca-Cola are representative of American culture. However, as discussed later these are merely artefacts and represent only the surface appearance; an artefact may enable one culture to be distinguished from another, but it does not necessarily provide any clues to the underlying nature of a culture. In fact, the USA is a nation descended almost entirely from immigrant populations originating in widely diverse cultures. Although it may appear that these cultures have been subsumed in the immigrant ‘melting pot’ to form a unique American culture, a geographical exploration of the country would quickly reveal that this is not entirely the case. A ‘salad bowl’ may be a more accurate description than a ‘melting pot’! Many of the characteristics of the national cultures of the original immigrants are still retained within specific groups and regions (e.g. Irish and Jewish cultures in New York, German and Scandinavian cultures in the mid-west, Hispanic culture in the south-west). This is witness to one of the most important characteristics of culture, its enduring nature and inherent stability over time.
It will be shown later, in the context of safety culture, that the artefacts of a culture, that is the outward appearances, do not necessarily reflect the underlying basic assumptions of that culture. For instance, in an Asian country, the Philippines, the people are an ethnic mix of Malay, Chinese, American, Spanish and Arab antecedents. The artefacts of North American culture are prevalent in Filipino society because the country was for some decades a colony of the USA. Yet these outward appearances do not signify that a primarily American culture exists within that society. Before the American occupation the Philippines was, for two centuries, a Spanish colony and as a result absorbed many aspects of European culture including Roman Catholicism. Although this may today be reflected in the deeply conservative nature of Philippines’ society, the culture remains predominantly Asian, with elements of strong kinship and family ties, respect for age and hospitality differing from those found in Europe or the USA. Philippines’ society exhibits only superficial characteristics of the cultures of foreign occupiers, again reflecting the strong persistence of ethnic cultural characteristics. This may seem far removed from the main topic of this book, but its relevance will become clear when, in later sections, we consider the difficulties which can be experienced in trying to change the culture of an organization.
Social culture
Within the larger national or regional cultural grouping there will exist smaller groupings based on social relationships. These groupings will exhibit specific cultural characteristics in much the same way as a national or regional group. Strictly speaking, these groups do not come together in the same way as national and regional groups which are made up of random individuals. Rather than random groupings, individuals in a social culture fall into specific categories defined by aspects such as gender, generation, class, education, occupation and religion. The nature of these social groupings will vary considerably and have widely divergent cultural characteristics which depend on the group. Three aspects of social culture, each of which has some relevance for organizational and safety culture, are considered here, namely gender, class and generation.
Gender culture
Gender is a term which is used to denote the social distinction rather than the biological distinction between male and female. Gender roles are therefore an important aspect of social culture. While the biological differences between men and women are absolute, gender roles, in society and industry, are not in theory constrained by this. Yet within society there are wide differences between male and female culture which are often reflected in the jobs done by men and women, respectively. In many countries women are effectively excluded from certain occupations and professions, not because they are unable to do the work, but because of the ingrained gender culture of the country. In Japan, for instance, it is very rare for women to have a role in management and sales activities, which are seen as strongly competitive roles. In most Western countries women’s involvement in these careers is now taken for granted. Conversely, in some countries it may be culturally unacceptable for men to take on certain jobs such as domestic cleaning and caring for children which have traditionally been carried out by women. This tendency can even be seen in the UK, for instance, in primary education where there are very few men in teaching roles; this is undoubtedly due to the persistence of cultural expectations. Gender stereotypes in the workplace still reflect to some extent perceived masculine and feminine characteristics such as male assertiveness and competitiveness and female nurturing and caring. In spite of burgeoning legislation to promote gender equality, men still tend to dominate industry, commerce and politics, while women continue to fill more subservient and domestic roles. These cultural dimensions of gender are perpetuated down the generations by being passed on to children through socialization but, arguably, may be partially inherited through hardwired biological differences between the sexes.
Class culture
The effect of social class and upbringing still has a powerful cultural impact on the way individuals progress within the world of work. Social class and educational opportunities continue to go hand in hand in spite of government efforts to promote more equal access. In addition, strong and identifiable cultures continue to exist within certain occupations, cultures which effectively limit access to the profession to those from certain backgrounds. Education and occupation are important determinants of cultural conditioning and when closed or club cultures are strongly perpetuated within the professions they can have a negative impact on safety culture. The reasons why certain groups become segregated by class, education and occupation are not always clear and there will be considerable differences from country to country. One particular case study in Appendix 2, Case Study A2.4, Children’s heart surgery at the Bristol Royal Infirmary (further discussed at the end of this chapter) provides a disturbing example of how a closed professional culture can lead to a corporate accident. In this case, the closed nature of the medical culture resulted in the concealment over a number of years of a serious lack of competence which prevented the underlying problems from being recognized and addressed. As with many of the case studies considered in this book, it took the emergence of a corporate accident to reveal the cultural deficiencies. History has shown that individuals working within a closed culture are very reluctant to break ranks and disclose information about failing colleagues, either within the organization or to the regulating authorities, even if the lack of disclosure may lead to serious consequences. Whistleblowing, although usually a last resort, remains an important strategy to prevent corporate accidents in circumstances such as these, and must be encouraged by means of a more open culture. Whistleblowing is addressed in Chapter 8.
Generational culture
Cultural differences between generations, particularly in the way different generations relate to each other in the work context, in terms of respect for authority for instance, vary considerably from country to country. In Western cultures there is a tendency for the younger generation to question authority based only on seniority, since it is considered that respect and loyalty are not bestowed by age or experience but must be earned. In Eastern cultures, seniority earns respect in its own right, probably deriving from cultural norms within the family, in particular the strong authoritarian nature of the male family head in these countries. This is a national cultural dimension being carried over into the workplace. In Eastern societies, entry into an occupation may depend more upon family background and connections than upon qualifications, skill or aptitude for the work. Such a situation exists, for instance, within the Indian Railways, a cultural relic perhaps of the colonial power extending back to Victorian times. Where there is a strong generational culture it may be found that promotion is dependent more upon loyalty to the company and time of service than upon any particular ability to carry out the work. Thus, the presence of a generational culture within a company can have a strong influence upon organizational and safety culture. As with the closed professional club culture mentioned above, in societies with more hierarchical and authoritarian cultures there may be a reluctance to question the decisions and actions of those who have seniority in the organization, even where a serious risk has been perceived. Authoritarian cultures are also a feature of organizations which have adopted a military-style hierarchy, such as found amongst aircrew in the civil aviation industry; many present-day senior aircrew were recruited from the ranks of airforce pilots in earlier decades. Reluctance by junior aircrew to question the actions of senior pilots has in the past led to aircraft accidents. This brief foray into social culture has shown the pervasive influence of cultural characteristics within the workplace with a potential negative impact on safety.
It will be found that many dimensions of social cultures are highly dependent upon the national culture which has nurtured them. Even in the widely differing examples of social culture given above, the earlier definition of culture in general still holds true, that the members of a cultural group will hold shared beliefs, values, customs, behaviours, and artefacts. Social cultures are of interest here for the way in which they impact on the safety performance of a company, and several of the case studies in Appendix 2 demonstrate how defective cultures have in the past led to major corporate accidents.
Organizational culture

The term ‘organizational culture’ became popular in the 1960s as a concept capable of distinguishing one company from another, just as the national or regional culture distinguishes one group from another. The basic premise has always been that if an organizational culture can be understood and measured then there is the possibility of bringing about change. This has provided a challenge to management consultants and sociologists and numerous paradigms of organizational culture have been developed over the years, differing considerably in their usefulness for bringing about change. Although there is no consensus, a review of these paradigms seems to reveal two basic approaches to understanding organizational culture. The author has classified these as the ‘classical approach’ and the ‘Gestalt approach’. One of the important differences is the degree to which each approach would allow for measurement of culture (and in particular safety culture) with the possibility of intervention where a change in the culture was found to be desirable. The classical approach is the more analytical and systems oriented, and has been the basis of a number of methods of improving safety culture, an example being that of the International Atomic Energy Agency (IAEA) described later in the chapter. Both approaches are briefly summarized below; the Gestalt approach is included mainly in order to highlight the difficulties in understanding and implementing changes in organizational and safety culture.
The classical approach

The classical approach operates from the basic premise that the culture of an organization is something that can be objectively measured, and this theory is therefore supportive of the idea that undesirable aspects of a culture can be changed. Many inquiries into corporate accidents have identified an inadequate safety culture as one of the main root causes (see the case studies in Appendix 2). Thus, the classical approach has proved to be extremely attractive since the ability to improve a safety culture effectively would be a major strategy to prevent future accidents. Most classical approaches use some form of external questionnaire to pin down the nature of a particular company culture. If safety culture is of interest, then the questions will generally be safety oriented. The writings of two eminent workers in the field have been selected to illustrate a number of features of the classical approach which may be brought to bear on the problem of safety culture.
• Edgar Schein defined the levels at which organizational or safety culture can be understood. This method of understanding culture has been widely used in the assessment of safety culture, particularly in the IAEA approach described later.
• Geert Hofstede defined a set of dimensions by which organizational culture may be measured. This has been less widely adopted in safety circles than the previous approach, but can throw some light on dimensions which are conducive to a good safety culture.
These two alternative but complementary schemes to address organizational culture are considered in the following sections.
Levels of organizational culture

The scheme discussed here is based on the work of Edgar Schein, a management and organizational psychologist. His contribution to the subject was to transform abstract notions of culture into a practical tool that leaders could use, by proposing [4] that organizational culture has identifiable levels varying from a set of obvious surface characteristics to features which are largely concealed from view.

Artefacts

This is the most obvious level of culture which is visible when entering an organization, say as a new employee or a visitor. It will include the first impressions received when entering the company premises via the reception area. Artefacts here may include the architecture of the building (modern or traditional), the way space is utilized within the reception area (welcoming or inhibiting), offices (open plan or individual offices and workplaces), car-parking provisions (reserved or open to all), method of greeting (formal or informal), etc. Upon entering a work area such as a production line, control room or maintenance facility, other artefacts will become apparent and add to the first impression. Aspects such as tidiness, degree of activity, amount of supervision, provision of information, safety signs and management presence will now be noticed. Each artefact tells its own story and adds a little to the overall picture of what the company culture may be like. The observed artefacts, however, provide only an impression which may or may not be linked to the actual culture of the company. The artefacts are unable to provide an indication of why the company culture is the way it is; to extract this sort of information it is necessary to go to the next level down.

Espoused values

These aspects of the company culture are less obvious than artefacts and are revealed by communication with company employees or through reading company literature. This sort of information can be quickly gleaned by a new employee after only a few days in the job. It comprises commonly held values which employees of the company will say that they support and which they will communicate to others through either statements or behaviour. Espoused values will include aspects of company culture such as the strategy and aims of the company, the importance of customers, whether good performance by employees is rewarded, how easy it is to communicate with higher levels of management, etc. In the case of safety culture it will espouse such values as the degree of priority given to safety over production. However, it needs to be remembered that espoused values may be values which the company or employees have a preference for, rather than an expression of what actually happens. In order to determine whether there are inconsistencies between espoused values and reality it is necessary to examine culture at an even deeper level.

Basic assumptions

These are fundamental but hidden beliefs which are not usually stated or expressed but are generally understood and subscribed to by employees who have worked in the organization for some time. They may well conflict with espoused values as described above; what people say and the basic assumptions to which they subscribe may be entirely different. As an example, managers in the company may state that they have a family-friendly approach to the organization of work such that their subordinates, who need time off work for family reasons, will be accommodated. This is an espoused value. In reality, it may be found that when a family situation requires an employee to take time off and this conflicts with production, the company’s interests always take priority. A similar example is the way male and female employees are treated. A company may state that it has an equal opportunity policy, but if its employment records are examined it will be seen that male employees are given preference over female employees when it comes to promotion. A UK company recently in the news, selling ‘fair-trade’ bananas to leading supermarket chains, was found to be subjecting the mainly immigrant workers in its packing plant to inhumane working conditions, in contradiction to its stated fair-trade ethos. In all these cases the espoused values of the company culture are contradicted by the hidden reality of the basic assumptions. Within the safety subculture of a company it is possible to find similar contradictions. For instance, it may be found that safety practice does not reflect the espoused value attached to a safety policy statement. Clearly, in order to establish whether the culture of a company does in fact support the company’s best intentions it is necessary to delve down to the level of basic assumptions to validate the espoused values and artefacts.
Dimensions of organizational culture

Many schemes claim to measure organizational culture by means of a set of dimensions. The main purpose of such schemes is to enable different cultures to be compared on the same basis rather than to define in detail any particular culture. The dimensions chosen will therefore depend to some degree on the type of comparison to be made. In line with the classical approach it is better to choose dimensions which can easily be assessed by means of a questionnaire put to employees. For the purpose of this book it is useful to examine some general dimensions, not specifically related to safety, but which may throw some light upon the safety culture of an organization. The scheme chosen is one based on a well-known study of organizations undertaken by Geert Hofstede between 1985 and 1987 under the auspices of the Institute for Research on Cultural Co-operation (IRCC, University of Limburg, Maastricht, the Netherlands) [5]. This method of dimensional analysis has since been used by other researchers. The authors suggest that the dimensions were chosen to lie on poles between two extremes, but specifically avoiding labels suggesting a ‘good’ or ‘bad’ aspect of culture. The six dimensions are described briefly below, listing some of the main characteristics:

1. Process oriented versus results oriented
• Process-oriented culture: is characterized by a high level of bureaucracy and a dependence on rules. The emphasis is upon ‘means’. It tends to attract employees who are happy for every day to be the same, even if tedious.
• Results-oriented culture: has a dependence on ‘outcomes’. The emphasis is upon ‘goals’. The work environment tends to be more challenging and these employees are more comfortable with risk taking and the unknown.

2. Employee oriented versus job oriented
• Employee-oriented culture: has an interest in the employees’ welfare, and personal problems are taken into account. Important decisions tend to be taken by groups or committees.
• Job-oriented culture: the performance of the employee at work is the main issue and completing the job is all important. Decisions tend to be taken by individuals.

3. Parochial versus professional
• Parochial culture: employees tend to identify with the organization which generates their norms of behaviour at work and at home.
• Professional culture: the private life of the employee is distinct from the organization. Employees tend to be more highly educated and identify mainly with their profession rather than the organization.

4. Open system versus closed system
Degrees of openness reflect the way internal and external communications are handled in the organization.
• Open system: the ethos is that ‘anyone is welcome’ and efforts are made so that newcomers are able to find their place easily in the organization; the rules of the organization reflect this.
• Closed system: the organization tends to be secretive and an element of ‘mystery’ is fostered such that only special people are allowed to have a place; the rules are purposely kept vague.

5. Loose control versus tight control
These dimensions reflect the degree of formality exercised by the organization, sometimes reflected in dress code (an artefact).
• Loose control: cost and time considerations have less significance and in this sort of organization it is permissible to make humorous remarks about the company or the job. It is characteristic of more creative concerns such as research laboratories and advertising agencies.
• Tight control: cost and time are considered a measure of success, and the company and the job are always taken seriously. It tends to be characteristic of high-technology industries such as banks and pharmaceutical companies.

6. Normative versus pragmatic
This dimension defines how the organization deals with external relationships, such as those with customers.
• Normative culture: tends to be rigid in the application of rules, so that the ‘process’ is always more important than the ‘results’. The approach to ethics is dogmatic or invariant in nature.
• Pragmatic culture: is more market oriented towards the needs of the customer, and the rules may be suspended since the results are more important than the process. A more pragmatic or expedient attitude exists towards company ethics.
Whether one pole or the other of a dimension is ‘good for business’ will, as hinted at in the above descriptions, depend on the dimension and the type of business. There may, however, be some absolutes; for instance, it is difficult to conceive of a company with a ‘closed system’ being more successful in the long term than one with an ‘open system’. From a safety point of view, where there is a definite aim in mind, it is possible to identify at which poles a good safety culture is promoted. This is shown in Table 4.1.

Table 4.1 Dimensions of organizational culture promoting safety

| Dimension no. | Tendency towards | Reason |
|---|---|---|
| 1 | Process oriented | How work is done (the process) is more important than the result if safety is to be achieved |
| 2 | Employee oriented | The welfare of employees is more important than completing the job at any cost including at the expense of safety |
| 3 | Professional | ‘Professional’ standards are probably more conducive to working safely than company-generated norms which may conflict with safety aims |
| 4 | Open system | Open communication is essential for safety concerns to be voiced and acted upon |
| 5 | Tight control | Formal control of work practices is an important element of safety management (see Chapter 7) |
| 6 | Normative | Pragmatic and expedient attitudes to safety are likely to lead to procedural violations |

Hofstede makes the important point that it is rare for these dimensions to be intentionally ‘decided’ by individual managers or even collectively by the organization. However, it is probable that they strongly reflect the attitudes of top management in the organization.

The use of the classical approach to analyse and diagnose a culture has been questioned by many organizational researchers. It is claimed that the idea of being able to manipulate organizational culture externally, say by using management consultants, may be illusory. Gestalt theory (see below) challenges the idea that culture is tangible and has system-like properties that can be analysed using a mechanistic approach. Furthermore, the use of a questionnaire to gather ‘data’ about a culture is itself questionable. It treats an organizational culture as a ‘property’ of the company, or something which the company has. As will be suggested below, culture is much more deeply embedded than, say, a company policy or a set of objectives; it is something which the company is. The use of a questionnaire can lead to a spurious sense of precision which can mislead managers or regulators into believing that culture is just another safety statistic like lost time accidents which can be controlled and monitored. The classical approach ignores what one writer has called the ‘dynamic and emergent aspects which anthropologists see as the core of culture’ [6].
The Gestalt approach

Culture is a Gestalt

Some managers, especially those who come from a technology rather than a social science background, may find it difficult to understand the way in which an organization’s culture develops. There is a very simple reason for this. Organizational culture is often perceived to be something that the company has, something which is tangible that can be observed and therefore manipulated, similar to other corporate assets. In reality, the only information that can be observed is at the level of artefacts. In the case of safety culture these may include artefacts such as safety notices, safety meetings, wearing of protective clothing, etc. If it could be seen in its entirety, organizational culture would resemble an iceberg with nine-tenths submerged below the surface; the surface appearance can belie the hidden depths. The essence is so deep rooted that culture is something that the company is rather than something it has. Company culture is, in fact, a phenomenon described by psychologists as a Gestalt.

Science and technology tend to operate using a systems approach. This takes a complex whole and breaks it down into its component parts. The parts are analysed separately and then reassembled so that the relationship between them can be understood; the operation of the whole can be manipulated by tweaking the parts. In contrast, ‘a Gestalt is essentially a whole, the behaviour of which is not determined by that of its individual elements, but where the parts are themselves determined by the intrinsic nature of the whole’ [7]. Simply put, the whole is more than the sum of its separate parts, and to some degree the parts are determined by the whole. The dimensions of an organizational culture can certainly be studied (as described above), but these dimensions cannot be added together to make the whole in the same way as a technological system can integrate separate components. However, cultural dimensions are still useful in making comparisons between:

• organizational cultures in different companies, or
• the culture of the same company at different times, say before and after changes have been implemented.
To a limited degree it may be possible to apply a systems approach to a Gestalt, but only on a comparative rather than an absolute basis, and even then it may provide only a superficial comparison.
Culture is ‘emergent’

The Gestalt approach seems to suggest that an organizational culture (including a safety culture) is not something that can be developed or intentionally shaped by a company to conform to a desired pattern. Rather, it suggests that organizational culture is ‘emergent’. Richard Seel, a management consultant working in the field of organizational complexity, claims that the culture ‘emerges’ from ‘the conversations and negotiations between the members of an organization’ and can only be defined ‘by participative inquiry rather than external diagnosis’ [8]. In order to define a particular culture, Seel suggests a number of participative approaches that can be used with the cooperation of employees. It is only employees, daily immersed in the culture, who are able to provide the necessary insights. He uses devices such as ‘metaphor’ (our culture is like . . . ), ‘heroes and villains’ (individuals whose styles reflect the culture of the organization), ‘stories’ (which capture the essence of the organization) and ‘rules’, amongst others.

According to Seel, rules are of particular interest in understanding culture and in his work he draws on the insights from the Cambridge mathematician John Conway who, in 1970, developed the ‘Game of Life’ [9] or the ‘cellular automaton’. This comprised a matrix of cells which, following a very simple set of mathematical rules, form emergent patterns that can live, die, multiply or reach a stable configuration depending on the initial conditions. It demonstrates that quite simple interactions can lead to complex outcomes. Conway’s rule set was that for a space that is ‘populated’, each cell with one or no neighbours dies, as if by loneliness; each cell with four or more neighbours dies, as if by overpopulation; and each cell with two or three neighbours survives. For a space that is ‘empty’ or ‘unpopulated’ each cell with three neighbours becomes populated.

This idea was further developed by Craig Reynolds, a computer graphics expert, who created the ‘Boids’ artificial life simulation [10] in 1986 to try and explain the flocking behaviour of birds, an emergent ‘cultural’ phenomenon of the natural world. He showed that flocking behaviour can be reproduced using a computer model by applying three simple rules [8]:

1. Separation: steer to avoid crowding local flock mates.
2. Alignment: steer towards the average heading of local flock mates.
3. Cohesion: steer to move toward the average position of local flock mates.

Application of these three rules will simulate flocking behaviour in the computer model. Important to note is that the emergent behaviour takes place purely by virtue of individuals in the group interacting with each other independently of any leadership or higher plan of action. Each individual is only cognizant of the behaviour of its neighbours and has no awareness of the behaviour of the whole flock. The behaviour of the whole is emergent in much the same way that Gestalt theory would predict for an organizational culture.

In theory, it may be possible to reverse engineer a culture through analysing the interactions of employees to discover the set of rules which have caused it to emerge. Perhaps some modification of the rules might then change the culture. Some work along these lines has been carried out by social scientists, but it is beyond the scope of this book to explore further. The main point is to demonstrate that culture is so deeply ingrained in an organization that it is not as susceptible to change as many regulatory authorities may like to believe. To some degree this has been recognized by, for example, the US Nuclear Regulatory Commission (NRC).
This is further discussed in the case study of the Davis-Besse nuclear power plant incident in Appendix 2, Case Study A2.2, and in the discussion of this incident at the end of Chapter 6.
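
Conway’s rule set as quoted above, written out as an added Python example (it is not from the book). It shows the same local rule producing different whole-pattern outcomes depending only on the initial conditions; the pattern names and the fate() helper are this sketch’s own, and the sample patterns are constructed.

```python
"""Conway's Game of Life on an unbounded grid, using the rule set quoted in the text."""
from collections import Counter


def neighbours(cell):
    """The eight cells surrounding `cell`; a cell never sees further than this."""
    x, y = cell
    return [(x + dx, y + dy)
            for dx in (-1, 0, 1) for dy in (-1, 0, 1) if (dx, dy) != (0, 0)]


def step(live):
    """Apply the rule set once to a set of populated (x, y) cells."""
    counts = Counter(n for cell in live for n in neighbours(cell))
    nxt = set()
    for cell, k in counts.items():
        if cell in live and k in (2, 3):      # populated: two or three neighbours survive
            nxt.add(cell)
        elif cell not in live and k == 3:     # empty: exactly three neighbours populate it
            nxt.add(cell)
    # Populated cells with 0-1 or 4+ neighbours are simply not carried over.
    return nxt


def normalise(live):
    """Shift a pattern so its bounding box starts at (0, 0); return (shape, origin)."""
    mx = min(x for x, _ in live)
    my = min(y for _, y in live)
    return frozenset((x - mx, y - my) for x, y in live), (mx, my)


def fate(start, max_gens=50):
    """Classify what a starting pattern does: returns (kind, generations, shift)."""
    seen = {}                                  # shape -> (generation, origin)
    live = set(start)
    for gen in range(max_gens + 1):
        if not live:
            return ("dies out", gen, None)
        shape, origin = normalise(live)
        if shape in seen:                      # same shape again: periodic behaviour
            g0, o0 = seen[shape]
            period = gen - g0
            shift = (origin[0] - o0[0], origin[1] - o0[1])
            if shift != (0, 0):
                return ("travels", period, shift)
            return ("stable" if period == 1 else "oscillates", period, shift)
        seen[shape] = (gen, origin)
        live = step(live)
    return ("still changing", max_gens, None)


# Constructed starting patterns (y increases downwards).
PAIR = {(0, 0), (1, 0)}                               # too few neighbours
BLOCK = {(0, 0), (1, 0), (0, 1), (1, 1)}              # 2x2 square
BLINKER = {(0, 1), (1, 1), (2, 1)}                    # row of three
GLIDER = {(1, 0), (2, 1), (0, 2), (1, 2), (2, 2)}
R_PENTOMINO = {(1, 0), (2, 0), (0, 1), (1, 1), (1, 2)}

if __name__ == "__main__":
    for name, pattern in [("pair", PAIR), ("block", BLOCK), ("blinker", BLINKER),
                          ("glider", GLIDER), ("r-pentomino", R_PENTOMINO)]:
        print(f"{name:12s} {fate(pattern)}")
```

No cell in the glider holds a notion of direction, yet the pattern as a whole moves one cell diagonally every four generations, which is the sense of ‘emergent’ used in this section.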
Culture is socially maintained

Organizational cultures are in a sense the ‘property’ of the group of people who are bound together by the culture, its norms, values and beliefs. At the same time, because the culture is emergent, it is self-determining and, like the corporate body, does not depend for its existence upon which individuals belong to the group, especially since individuals will leave and others join from time to time. Once established, the culture seems to be an independent entity: no individual or subgroup intentionally created the culture; rather, it emerged as described above. However, whilst the culture may have emerged, once it does exist there seems to be a natural tendency for it to solidify in order to maintain a social bond that:

• holds the members of the group together
• distinguishes the group from other groups
• enables individuals within the group to cope with their world and with one another.

When an outsider enters a new and unfamiliar culture, time is needed to understand and adjust to the cultural norms of the group. This has no connection with the various forms of induction training provided for individuals starting a new job, since organizational culture is not something that can be taught, but must be absorbed through exposure to it. This cultural absorption may extend over a period of many months or even years before the culture is fully internalized and the required behavioural adjustments are made. It is internalized by a process of ‘osmosis’ rather than by formal learning. There is no guarantee that all individuals will be able to adjust to a new and unfamiliar culture. Employees unable to adjust will experience anxiety and evolve protective mechanisms for uncertainty avoidance. Eventually they may leave the organization. A modern example might be female employees entering an industry which has in the past been a predominantly male preserve, such as the fire service. Employment tribunals have been required to act upon an increasing number of such cases over the past few decades as women take on jobs previously not thought suitable. Quite often this is because the cultural norms of the existing members of the workforce have solidified to a degree that precludes adaptation to an influx of newcomers with different norms.

In the employee selection process there are undoubtedly mechanisms at work which tend to select the individuals who will best fit into the prevailing organizational culture of the company. Even if those undertaking the selection cannot fully define what that culture is they have an intuitive understanding whether a job applicant is a cultural match and make their selection accordingly. Conversely, individuals attending job interviews may be sensitive enough to detect enough elements of the prevailing culture to decide not to take up any employment offered.
Implications for change

The two approaches discussed above, the classical and the Gestalt, would appear to represent two opposing if not irreconcilable paradigms of organizational culture. The main implication of the difference in approach is whether it is possible to bring about change in an organizational culture by applying external measures. The more pragmatic classical approach, by attempting to measure the main features of a culture in terms of its levels and dimensions, seems to hold out more hope for bringing about cultural change. This is based on the McKinsey principle that ‘what gets measured gets managed’. The interesting but more abstruse Gestalt approach holds out a lesser hope of being able to define an organizational culture in objective or measurable terms. For this reason, most of the rest of the chapter, which is concerned with developing and changing a safety culture, is based on the classical approach.

In order for a company to survive in the modern business environment it would seem important that a company culture is able to adapt to changing external conditions. In bringing about such a change, the first problem will be to identify where a mismatch occurs between the existing culture and a desired culture. It is clear that changing the artefacts or the espoused values of a culture will be insufficient to bring about the necessary degree of change; these are merely superficial aspects of the culture which do not necessarily provide an accurate picture of the true situation. It will be necessary to identify and understand the basic assumptions of the company’s culture, particularly those which are detrimental to the company’s aims.

The second problem will be to change those basic assumptions that are no longer appropriate to the new conditions. Changing the basic assumptions will bring about deep-down change which will be reflected in improvements to the company’s future performance. As indicated above, this is not as simple as it might seem. Assuming that the basic assumptions can be positively identified, one of the main obstacles is whether the motivation or the will exists to bring about the deep-down changes that are needed in the absence of a sudden and unexpected traumatic event to precipitate change. Such a precipitating event might be a sudden slump in the value of the company stock owing to financial problems or a major accident or catastrophe involving loss of life. Whatever its nature, it will hopefully prompt the company to correct any defects in the company culture which are the root cause. Clearly, particularly in the case of a safety culture, it is advantageous to recognize a cultural mismatch before the occurrence of such an event. However, the reality is that in the absence of such an event, it will always be easier and less disruptive to continue under the old culture. It is highly probable that the basic assumptions underlying the company’s culture will not have been recognized, let alone discussed or confronted, and management may have preferred to live in the rosy glow of espoused values. It is unfortunate that it often takes a major event to precipitate a fundamental examination of the organizational culture. It is at this point that the company may become a ‘learning organization’, one which no longer relies on major events to be the instrument of change, but sees the need for continuous improvement in order to keep ahead of events. Organizational learning is one of the strategies against corporate accidents discussed in Chapter 8. An approach to managing change is further discussed below.
Safety culture

Safety culture is essentially a subculture of organizational culture as defined above. The three levels of organizational culture defined by Edgar Schein can equally be applied to safety culture. The main difference will be in the attributes of the artefacts, espoused values and basic assumptions, which will tend to be safety related. Some possible dimensions of organizational culture which could promote a good safety culture were identified in Table 4.1. It is a common belief that safety culture is generated in the rarefied atmosphere at the top of the organization. Certainly those at the top of the organization must set an example when espousing the values of the company’s safety culture, but then they must ensure that the espoused values permeate through the whole enterprise and truly reflect the basic assumptions which underpin the way people behave and operate. The artefacts of safety culture are only useful in so far as they provide visible indications and reminders that safety is a high priority within the business. In themselves, artefacts may add very little to actual safety performance. The behavioural approach to safety management described in Chapter 7 makes this abundantly clear. Whereas artefacts such as safety notices and indications of safety performance such as hours worked since a lost time accident are useful in promoting the idea of safety, there is little evidence that they influence employee attitudes.

Occasionally the term ‘safety climate’ (or even ‘organizational climate’) has been used interchangeably with the term ‘safety culture’. However, there is an important distinction to be made which needs to be understood here. Cox and Flin [11] have usefully suggested that safety climate comprises the surface topography of an underlying safety culture. If the safety culture is measured using a set of chosen dimensions, the safety climate will be those surface features which are amenable to measurement and comparison. The underlying culture, as described above, will be largely hidden from sight. Before safety culture can be understood it is necessary to produce a usable definition.
Defining safety culture
Perhaps the simplest and most succinct definition of any organizational culture is ‘how we do things around here!’ This could also apply to safety culture. The Confederation of British Industry has defined safety culture as ‘the ideas and beliefs that all members of the organisation share about risk, accidents and ill health’.12 This is a brief definition which says little about how a positive safety culture may be encouraged. The UK Health and Safety Executive (HSE) sets out a more extensive definition, as follows:
The safety culture of an organisation is the product of the individual and group values, attitudes, competencies and patterns of behaviour that determine the commitment to, and the style and proficiency of, an organisation’s health and safety programmes. Organisations with a positive safety culture are characterised by communications founded on mutual trust, by shared perceptions of the importance of safety, and by confidence in the efficacy of preventative measures.13
This not only defines safety culture, but suggests some of the attributes which characterize a positive safety culture; that is, one which has beneficial effects on safety within an organization. Various industries have developed the concept of safety culture to suit their own particular work environment and reflecting how this is understood within the industry. The nuclear industry has been in the forefront of defining and attempting to establish positive safety cultures across the industry, largely through the efforts of the IAEA. This new emphasis on safety culture arose following the Chernobyl nuclear accident in the former Soviet Union in 1986, the root cause of which was a failure in safety culture at the installation. This accident exacerbated the existing public perception that the risk from nuclear installations is very high and accentuated the need for the industry to demonstrate its serious concern and commitment to safety within the industry.
The fact that the risk to the public from nuclear installations remains extremely low compared with other industrial and social activities has little bearing on the matter. The influence of public risk perception on corporate safety is dealt with in Chapter 5. In spite of the good overall safety record of the nuclear industry, even a minor accident usually attracts wide publicity. The strong emphasis on safety culture in nuclear plants has been at least partly driven by this. A case study of a failure of safety culture within the nuclear industry can be found in Appendix 2, Case Study A2.2. A fairly simple definition of safety culture arising from the nuclear industry has been given by the IAEA:
Safety culture is that assembly of characteristics and attitudes in organizations and individuals which establishes that as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance.14
This definition states that the culture is an ‘assembly of characteristics and attitudes in organizations’, without defining those characteristics. A more detailed definition emerging from the nuclear industry, originating in the UK Advisory Committee on the Safety of Nuclear Installations (ACSNI) Human Factors Study Group, is:
Safety culture is the product of individual and group values, attitudes, competencies and patterns of behaviour that determine the commitment to, and the style and proficiency of an organization’s health and safety programmes. Organizations with a positive safety culture are characterized by communications founded on mutual trust, by shared perceptions of the importance of safety and by confidence in the efficacy of preventive measures.13
This is a fuller definition which attempts to define the characteristics of a good safety culture. Further investigation reveals that this definition has proved popular outside the nuclear industry. For example, it has recently been adopted as the basis for a Hospital Survey on Patient Safety Culture published by the British Medical Association.15,16 Safety culture within the healthcare industry has come to prominence in recent years and is mentioned at the end of this chapter in connection with Case Study A2.4 in Appendix 2.
Developing a safety culture
The development of a safety culture within an organization often mirrors the evolution and understanding of safety and risk which has taken place over the past few decades. This is illustrated in Table 4.2.
Table 4.2 Chronological evolution of safety culture and understanding
Stage 1 (pre-1975): Prescriptive approach based on rules, regulations and procedures
Stage 2 (1975–1990): Goal- or hazard-based approach founded on setting safety targets and indicators
Stage 3 (1990 onwards): Risk-based or proactive approach utilizing continuous improvement
The typical stages in the development of safety culture within an organization are now discussed in terms of the evolutionary process indicated above.
Stage 1: Prescriptive approach
It is unlikely that a present-day organization’s safety culture is totally founded on stage 1 principles, where the criteria for success depend upon meeting prescriptive rules and regulations and following procedures. This approach corresponds to the safety controls legislated by the Factories Act 1961 (see Chapter 6). This Act, previously an important piece of primary legislation, is now of mainly historical interest. To follow a totally prescriptive approach would mean that when an accident occurs, the first priority would be to check whether the equipment was compliant with regulations and whether the prescribed procedures had been followed. If they had, then essentially the company would be exonerated from any responsibility for the accident since they had followed all the necessary rules. There might be some investigation by the regulating body into whether the prescriptive rules were inadequate in some way, and if they were then the deficiencies might be corrected by issuing a modified set of regulations. For many years safety within the rail industry was regulated in this way (in some respects, highly successfully), overseen by HM Railway Inspectorate (a body principally manned by retired Royal Engineers). Following the Clapham Junction rail disaster in 1987, a more goal-based approach to safety was adopted. A similar transformation took place in the UK offshore oil and gas industry following the Piper Alpha accident in the North Sea in 1988. It is possible that the safety culture of some organizations will embrace residual aspects of the prescriptive approach. For instance, where work processes are highly proceduralized, with little room for individual initiative, it may still be necessary to apply prescriptive principles. However, it is better for employees to understand fully the safety implications of work they are carrying out, rather than blindly following a strict set of rules and procedures.
An organization with a safety culture based upon prescriptive rules will be mainly reactive, responding to problems as they arise. The chief role of management is that of enforcement of rules with unidirectional, downward, communications. Very little attention will be paid to the concerns of the workforce, who are regarded as merely components of the system alongside machinery and plant. There is very little understanding or awareness of the importance of the human factor in safety. The relationship between management and workforce will tend to be adversarial in nature and rewards will be based more upon compliance with rules than upon initiative. There will be very little consultation or participation by the workforce in the organizational arrangements. The workforce will respond by demonstrating a lack of flexibility in the work they are prepared to undertake and the way they carry it out. Such an approach will often result in a blame culture so that when errors are made, staff will be subject to disciplinary measures and there will be little or no investigation of why the error occurred (see Chapter 8). The prevailing cultural atmosphere will not be conducive to a safe working environment and the same sorts of accident are liable to recur since the root causes will not have been addressed.
Stage 2: Goal-based approach
The totally prescriptive approach of the Factories Act was superseded in the mid-1970s by the Health and Safety at Work etc Act 1974 as described in Chapter 6. This is now the principal Act of Parliament relevant to corporate safety, and places a general duty on employers to provide safe places of work and to secure the health, safety and welfare of all persons at risk from the company’s activities ‘so far as is reasonably practicable’. This Act is supported by more specific regulations which address specific hazards such as those arising from construction and building operations, noise, asbestos, substances hazardous to health, explosive atmospheres, fire precautions, manual handling, ionizing radiation, lifting operations, pressure systems and the control of major hazards, to name but a few. The goal-based approach to safety culture perceives safety as a corporate goal to be achieved alongside product output, sales targets, profits, public relations, etc. At this stage, the safety culture recognizes the importance of behaviour and attitudes to safety in the workplace, although the means of enhancing this may not be present. When an accident occurs due to human error an investigation will be carried out, but the root cause at the systemic level may not be discovered. The most likely remedial measure will consist of improved training and procedures to eliminate future errors, rather than changing the faulty systems which caused the error in the first place. Some remnants of a blame culture may still exist. Elements of quality management began to emerge from the 1970s onwards in terms of measuring safety improvement. In setting targets and goals for safety, mainly in numerical terms such as hours worked since a lost time accident occurred, accident frequency rates, etc., the main aim of management is to achieve the current goal with little regard to future long-term and permanent improvement.
The main emphasis is on accountability for achieving (or failing to achieve) the goals. There may be surprise and disappointment by management that early improvements in safety have levelled out in spite of efforts to maintain the impetus. There may be a feeling of ‘running hard to stay in the same place’. Communications within the organization have improved; safety suggestion schemes will encourage employees to report safety concerns back to management and safety committee meetings will be held in order to report back on progress. However, the relationship between management and workforce is still to some degree adversarial, characterized by ‘facing each other across the table’, rather than building a fully collaborative partnership. Management are likely to accuse the workforce of not following safety rules, while the workforce will respond with counter-claims that management are not providing sufficient investment or showing enough interest in safety. It is unlikely that openness will have reached a point where employees are prepared to report their own mistakes and errors; the culture is not yet blame free. There may be talk of confidential reporting schemes to try and achieve this. The organization is still largely reactive in terms of anticipation of safety problems. Understanding the risk, as a strategy to prevent corporate accidents, is unlikely to have made much progress. Techniques such as hazard and operability studies or risk assessment may well be utilized where this is required by safety
legislation. Typical of the stage 2 approach in safety legislation was the Control of Industrial Major Accident Hazards (CIMAH) Regulations 1984 in the chemical industry to prevent or mitigate the effects of major accidents on both people and the environment. These regulations can be traced back to the Seveso accident in Italy in 1976, which led to a European directive on chemical plant safety implemented by CIMAH in the UK. CIMAH took a mainly technical approach to major hazard control, largely ignoring human factors aspects, and required chemical companies to report which hazardous substances were being stored on site. The regulations conveniently provided a list of hazardous materials, potentially removing the need for the company to risk assess major site hazards not included in the list. A safety report was submitted chiefly to convince the HSE that the emergency procedures were adequate, again a mainly reactive approach, concentrating on what happens after an accident. CIMAH was later superseded by the more stringent Control of Major Accident Hazards (COMAH) Regulations 1999,17 which extended the scope and requirements of CIMAH in line with the Seveso II Directive. COMAH sites (major accident hazard sites) must submit a safety report to allow the HSE to assess the overall safety of the site, and the regulations are more proactive, corresponding to stage 3 in the evolution of safety culture (see below). Typically, in the chemical industry, during this period of safety culture evolution, many chemical manufacturers subscribed to voluntary codes of practice such as the Chemical Industries Association (CIA) Responsible Care Scheme.18 Membership of such a scheme might be claimed as a socially responsible achievement of the organization in terms of safety improvement, although this does not necessarily have a real-world impact on the company’s operations (see Chapter 9).
Stage 3: Risk-based approach
This approach is essentially one of continuous improvement. It completely overturns the limited safety culture found in stage 1 and further advances many of the improvements implemented in stage 2. Stage 2 introduced a number of the defences against corporate accidents discussed in this book, defences which would not be fully understood or implemented in stage 1. For instance, one of the main defences against corporate accidents dealt with in Chapter 7 came into prominence during the late 1980s and early 1990s. This was partly as a result of the introduction of safety case legislation directed towards the rail industry following the Clapham Junction accident in 1988 [Railways (Safety Case) Regulations 2000] and the offshore oil and gas industry in the wake of the Piper Alpha accident in the North Sea, also in 1988 [Offshore Installations (Safety Case) Regulations 1992]. Some new defences are found to arise in stage 3, such as organizational learning (Chapter 8) and corporate social responsibility (Chapter 9). These defences have only really come to the fore over the past ten to fifteen years and are still at the early stage of implementation in many companies. The development of safety culture in stage 3 must allow for the inclusion of these recent concepts.
A company reaching stage 3 in safety culture development is one which anticipates safety problems before they occur and implements proactive measures. This is done by installing strategies based on a risk-based approach to safety management. The free-market ethos of the 1980s tended to reduce the burden of regulation upon companies and removed many other constraints. This was to some degree put into reverse during the 1990s. Today, not only are companies more highly regulated, but they are under much greater scrutiny from governments, regulators, stakeholders, customers and the public than a decade ago. At the same time, because of the need to compete in global markets, often against overseas companies who are less highly regulated in terms of health, safety and the environment, companies face financial disincentives to spend more on safety. The risk-based approach to safety management described in Chapter 7 enables companies to invest more effectively. The legal system of the UK encourages this by allowing company investment in safety to be proportionate to the level of risk to the workforce, public and the environment.
Other changes in safety culture necessarily accompany stage 3. It would not be possible to develop such a safety culture without collaboration and partnership between management and the workforce. The adversarial aspects of stages 1 and 2 must be abandoned and a realistic and genuine commitment to safety achieved. At the same time, there must be no conflict between production and safety, in spite of the fact that in a market-driven company production will often seem to demand priority. This apparent dichotomy between production and safety is resolved by the fact that productivity is actually stimulated in a work environment that places a high priority on safety. This is because the management practices and organizational arrangements that are necessary to achieve a stage 3 safety culture are the same as those which lead to increased productivity and efficiency. There are several other aspects of a stage 3 safety culture which can be briefly mentioned here but which will be developed further in later chapters. Perhaps the most important feature is the relationship between management and workforce.
The manager’s role is no longer seen as an enforcer of rules, but one where staff at all levels are collaborating in a common enterprise reaching out to achieve a set of agreed safety principles rather than mere numerical goals. Whilst safety goals in terms of numerical targets may still be set as a barometer of progress, they will not become an end in themselves, as was often the case in stage 2. The basic assumptions of the stage 3 safety culture reflect the new working relationship. If a mistake or an error is made investigations will focus not so much upon the individual making the error as upon the faulty management systems that allowed the error to happen. Employees will be encouraged to report their errors even if an accident did not happen. Extending the focus of investigations beyond accidents to include near misses is part of the proactive and anticipatory approach to safety which is now necessary. In order to achieve the new working relationship, the concept of shared leadership needs to be accepted. The reliance of managers on hierarchy, status and authority must be abandoned in pursuit of a shared responsibility for safety. Some ways of leading an organization towards the necessary changes to achieve a stage 3 safety culture are discussed later.
Measuring safety culture
The dimensions of a safety culture are defined here as those characteristics which can be measured in order to establish the adequacy of the safety culture for controlling the risks generated by the organization. Quality experts maintain that it is impossible to control something that cannot be measured. In spite of the diffuse nature of safety culture, unless its characteristics can be assessed by a suitable set of dimensions, the culture can never be properly understood. If it cannot be understood it cannot be reviewed in the light of changing circumstances and therefore there will be a failure to recognize when change is necessary to protect against corporate accidents. Approaches to measuring the safety culture in an organization range from those used by applied psychologists, skilled at undertaking surveys of companies to establish the nature of the existing culture (such as those discussed in the Gestalt approach above), to more practical guidance from organizations such as the IAEA, described below. Applied psychologists use extensive questionnaires to establish workforce attitudes to safety in order to capture the prevailing safety climate in terms that can be compared with some ideal normative state. These questionnaires often bear a striking resemblance to personality assessment models applied to individuals in order to establish their suitability for a particular job. On reflection, this is not surprising since the similarities between ‘culture’ and ‘personality’ have already been noted and discussed above. The IAEA have been leaders in the practical application of methods to assess safety culture which companies can use internally to monitor their own progress. As already mentioned, the work by IAEA followed the Chernobyl accident in 1988, which IAEA found to be mainly due to an inadequate safety culture within the organization. In the IAEA’s introduction to Guidance for Use in the Enhancement of Safety Culture,1 the following statement is made:
The establishment of a safety culture within an organization is one of the fundamental management principles necessary for the safe operation of a nuclear facility.
(It should be) recognized that safety culture is both structural and attitudinal in nature and relates to the organization and its style, as well as to attitudes, approaches and commitment of individuals at all levels in the organization.
This statement could be applied to any industry or organization where there are significant potential risks to the workforce, the local community and the environment arising from their operations.
The purpose of measuring safety culture is to reduce its characteristics to a number of measurable dimensions or attributes. In order to make this task more manageable and systematic, it is useful to adopt the three-level breakdown of culture (artefacts, espoused values and basic assumptions) proposed by Schein and described above. For each of the three levels of safety culture within an organization it is possible to identify dimensions which are amenable to measurement. However, the problems of applying measurements to these dimensions will be different for each level. Artefacts will be quite easy to measure since they are clearly obvious upon superficial inspection, whereas espoused values will be more difficult to measure but may be ascertained by the use of questionnaires. Basic assumptions, because of their rather more obscure nature, will be the most difficult to measure. The dimensions listed in Table 4.3 are based partly on the methods described in the IAEA guidance document.1 The dimensions are mainly expressed in terms of the values which express a positive culture, rather than (as in Table 4.1) a range from positive to negative. Where dimensions are common to more than one of the cultural levels they will appear in each of those levels. For instance, some of the dimensions (e.g. ‘long-term perspective on business’) appear as both an espoused value and a basic assumption. It should be noted that in Table 4.3 there is no horizontal correlation between the dimensions. They are not listed in any particular order, but have been sorted alphabetically.
Table 4.3 Safety culture: positive dimensions
Cultural level: Artefacts
Accident investigation; Documentation and procedures; Employee involvement; Good housekeeping; Safety performance measurement; Signage and symbols; Systematic approach to safety; Visible leadership; Written definition of roles, responsibilities and accountabilities
Cultural level: Espoused values
Absence of safety versus production conflict; Absence/presence of violations; Adequacy of resources; Balance between time pressure, workload and stress; Change management; Collaboration and teamwork; Conflict resolution; Contractor involvement; Dedication to continuous improvement; Employee involvement; Learning from past accidents; Long-term perspective on business; Manager/workforce relationships; Motivation and job satisfaction; Openness in communications; Priority of safety; Proactive approach; Questioning attitude of employees; Regulatory compliance; Responsibility for safety; Safety performance measurement; Self-assessment; Staff competence; Strategic business importance of safety; Superior/subordinate consultation; Systematic approach to safety; Technological versus human knowledge; Tight/loose control of operations (re supervision); Work process awareness and interactions
Cultural level: Basic assumptions
Authoritarian versus participatory management; Avoiding cost externalization; Central/decentralization policy; Collectivist versus individualist culture (or group interdependence versus independence); Dedication to continuous improvement; Hierarchy, privilege and status symbols (importance of); Learning organization; Long-term perspective on business; Open relationship with other industries, competitors, communities, authorities and national bodies; Openness in communications; Responsibility for safety; Superior/subordinate consultation; Systems approach to problems; Tight/loose control of operations (re supervision)
It is quite feasible and it is recommended by IAEA to express some or all of the dimensions listed above as a question set which can be submitted to employees. This can best be done by expressing each dimension in terms of a statement, to which a subjective opinion or belief is elicited from the employee, varying, say, from ‘strongly agree’ to ‘strongly disagree’ at the extremes. For example, the dimension ‘long-term perspective on business’ may be expressed as a statement: ‘this company operates on a long-term business perspective which avoids sacrificing safety for short-term gain’. An opinion as to the truth of this statement is then sought in terms of strength of agreement. The use of statements is especially useful for eliciting opinion about espoused values and basic assumptions, which tend to be less objective than artefacts as far as their absence or presence is concerned. The use of a graduated scale of agreement enables the responses to be ranked numerically (say a score of 5 for ‘strong agreement’ or a score of 1 for ‘strong disagreement’), allowing the current state of the safety culture to be scored for comparative purposes and to indicate areas for improvement. More than one question may be needed to define the more complex dimensions in order to elicit an opinion fully. The dimensions given above which, with some additions, are based on the IAEA guidance document,1 are only indicative of the range of possibilities; they are not necessarily comprehensive and can be varied in scope and detail to suit the requirements of particular organizations. Where a company employs many contractors, for instance, dimensions relating to contractor relationships and control would need to be emphasized.
Changing the safety culture
An approach to developing a safety culture was described above based on a three-stage process to transform an organization from a prescriptive rule-based culture to a more modern fully risk-based culture. The characteristics of each type of culture were described. In order to make such a transformation it is necessary to implement organizational change. The subject is touched on again in Chapter 8 in the context of organizational learning. Here the subject matter is restricted to the process of implementing a desired change to the safety culture of an organization. In order to change the safety culture it is necessary to understand two important factors:
• the characteristics of the existing safety culture as determined by a set of suitable dimensions such as those suggested in the previous section
• the new safety culture which it is desired to put in place, and which can be evaluated using the same dimensions.
Put simply, this means that a company needs to know where it is at in the present and where it wishes to be in the future. The use of a question set, as described above, to elicit the inadequacies of the existing culture will indicate the areas for change.
The title of this section, ‘Changing the safety culture’, seems to imply that the desired results can be achieved by simply adjusting certain critical parameters to conjure up a new type of culture. That is, having identified the areas for change, knobs and dials are tweaked to bring about the change, as if by magic! As discussed above, cultures are so deeply embedded in an organization that it is extremely difficult to bring about the fundamental changes to effect the necessary transformation. It may be possible to change the artefacts and the espoused values quickly and easily, but to change the basic assumptions of the culture will take much longer and involve the full collaboration of all the individuals who will be affected. Only then will the necessary transformation take place. A change management approach applicable to transforming a safety culture is suggested in the following section. It is based on an approach proposed by Sir John Harvey-Jones, a respected management guru, in his book Managing to Survive.19 It is fully compatible with the principles of a learning organization described in Chapter 8.
Three creative steps to managing change
Step 1. Create dissatisfaction with the status quo
The first and most important fact to be understood is that organizational cultures only change when the people in them change. But there will always be resistance to change. Harvey-Jones succinctly notes that ‘cosy people don’t accept change without a struggle’.19 This is another version of Newton’s law of motion, that a body at rest tends to stay at rest unless its inertia is overcome by some irresistible force. As discussed above, a culture is a Gestalt where the behaviour of the whole is not determined by that of its individual elements, but where the parts are themselves determined by the intrinsic nature of the whole. The Gestalt approach has shown that change is more easily facilitated if the objects of change come to recognize and accept the nature of their resistance.20 In order to change the culture, it is necessary for the people to change, and people will only change when they accept that change is necessary. It is always easier to carry on in the same way. The corollary of this is that it is only possible to change an organization which has accepted the disadvantages of operating the same way in the future as it does in the present. The overriding principle is that ‘the engine of change is dissatisfaction’.19 This may seem to conflict with the writings of other management gurus, such as Edward Deming, whose eighth principle in his fourteen principles of management21 is ‘drive out fear’. However, Deming’s approach is made in the context of making employees feel secure enough to ask questions through establishing open two-way communications. This is in fact one of the dimensions of a safety culture in Table 4.3 (openness in communications).
Dissatisfaction may well involve fear in the early stages of the process of change, but by establishing trust through involvement and opening up the lines of communication, the dissatisfaction with the present will be transformed into a feel-good expectation for the future (also see step 3, below). In a learning organization (see Chapter 8) dissatisfaction with the present will become normative. People will not need to be told that something has to change. It will not be necessary to wait for a traumatic event to occur (such as an accident or a threat to the company’s survival) before action is taken. In the absence of a learning organization and without the trigger of a traumatic event, it will be necessary for management to tell people how bad things have become. In practice, most people are realistic and many of them may have already worked this out for themselves. In the face of company closure, for instance, there will be no need to wait for the results of poor performance to become obvious through redundancies before they find out how bad it is. In the same way, the results of unsafe working, the occurrence of near misses, poor housekeeping, maintenance running behind schedule, safety equipment unavailable, etc., will indicate how bad things have become. People will understand what is wrong from the evidence around them and, more importantly, they will then want to know what management is going to do about it. Harvey-Jones suggests that ‘Change is not “managed” – it is released and guided along the track you have decided. Don’t let the “genie” out of the bottle if you don’t have anywhere for it to go’.19 This leads to step 2.
Step 2. Create a vision (‘without vision the people perish’ – Proverbs) Changing the safety culture is not a short-term process. The period over which the benefits of change are realized is estimated to be three to five years. Any quicker than this, the change will not be long lasting. Experience shows that if the change process is too rapid it will release a short burst of involvement and enthusiasm, but the situation will then quickly return to the status quo. If the period of change exceeds five years then the initial momentum will be lost and people will have forgotten where they are coming from and where they are supposed to be going. The principle of creating a vision for the future means deciding where the safety culture is to be in three to five years’ time and then making it sufficiently attractive to lure people away from the present. In creating this vision it is important not to be too precise. Although the vision for the future is put forward by the leader of change, it is created for the people who are to be included in it. The vision has to be owned by all who are affected by it and therefore open to the creative refinement which goes with co-ownership. In addition, the vision must be expressed in a qualitative way so that people not only understand it, but can become enthusiastic or even excited about it. This is why safety goals and targets are only a means to an end and not an end in themselves. However much management may like to express their achievements in terms of safety targets which have been met, and no matter how laudable, it is rare that numerical targets create great excitement amongst the workforce. People do not get excited by visions of ‘hours since a lost time accident’. They may, however, get excited about a vision of shared leadership in an organization in which their views and concerns about safety are taken into account and safety targets are more than just another management policy.
The vision must indicate what sort of safety culture is going to evolve from the change process. It is always important to talk in concepts which people are able to understand, recognize and feel that they can join. It is necessary to be direct rather than wordy, even to the extent of describing a safety culture in idiomatic terms. Hence, the rather formal ‘management commitment’ may be translated as ‘beyond lip-service’, which
conveys the essence of what is required much more directly. It is better not to issue mission statements that reflect the ideology of upper management, rather than the idiom of the workplace. Few people take a mission statement seriously, except perhaps the person who wrote it. Harvey-Jones maintains that mission statements should be avoided at all costs since they are invariably too long, too worthy and almost impossible to attack.19 As in a stage 3 safety culture hierarchy, status and privilege must be replaced by collaboration, teamwork and shared leadership. The vision must be a distant but believable description of where the culture is expected to be in a few years’ time, in fact the opposite of the dissatisfaction with the present which has been created in step 1. A useful starting point is a comparison of the dimensions of a culture at stage 1 in its development compared with one at stage 3 (see above).
Step 3. Create challenge but not fear The principle of ‘drive out fear’ advanced by Deming was mentioned in step 1. It has been suggested that the biggest brake on change is unquestionably fear. When people are faced with the unknown they may feel inadequate to cope with the future. People who are being led through the labyrinth of change must know that they are trusted by those who are leading the change. This will help to overcome their self-doubt, enabling them to follow the vision of the future which is on offer. One of the principal qualities of leadership is not to ask someone to do something that one would be unwilling to do oneself. If people are to follow the vision, leadership must be exercised by leading from the front rather than sending people ahead. People must also know that if the vision does not work out as expected then they will still be treated decently and will not have to carry the blame for what went wrong. In spite of all this, fear of an unknown future may still exist. It is important that this fear is channelled in the right direction, so that the fear of not changing is greater than the fear of changing. Sometimes, the process of change will be so traumatic that people will decide to leave the company because they are not prepared to adopt new ways of working or the new skills that may be required of them. This will apply just as much to management as to the workforce and in some cases perhaps even more so. Many managers have learnt their ‘trade’ in a hierarchical and authoritative organization where status and privilege are more important than collaboration and teamwork. Often they are only able to survive in such an organization protected by the trappings of authority. Some people will decide to leave before the vision is fulfilled; in this case sensitivity is needed in order to avoid the dispiriting sight of a procession of resentful and defeated individuals leaving the company. 
This will not motivate an acceptance of change amongst those remaining.
Post-traumatic stress Resistance to change is a fairly normal human reaction. In the aftermath of a corporate accident other more serious reactions are encountered. The effect upon employee morale can be quite devastating and frequently comes to be dominated by two overriding feelings: guilt and fear. Assuming that the company continues in business, it is certain that it will not be business as usual, although the management
may claim this to bolster morale. Post-traumatic stress disorder (PTSD) is now an accepted set of symptoms which can severely hamper the ability of people to lead a normal life following a traumatic event. Not everyone will develop PTSD following a corporate accident (it will depend upon the nature of the event, e.g. whether fatalities have occurred), but most people will be affected to some degree. In some people symptoms may be denied or delayed until long after the event. The symptoms are unpredictable in nature and intensity and will take various forms. These will include re-experiencing the event through intrusive thoughts and flashbacks, survivor’s guilt, fear of the future including a repetition of the event, avoidance mechanisms such as extreme busyness, detachment in relationships, repression of memories, sleep disturbance and inability to concentrate. Recovery and a return to near normality are always possible given the right support, and expert authorities are able to provide advice on these matters. Planning for the future is an important responsibility of management following such an event and it is inevitable that changes within the organization will become necessary. Later chapters, and in particular Chapter 8, provide further information on the necessary recovery process following an accident, when it will be necessary to improve the company’s defences.
Summary The three steps described above are foundational to managing change effectively. It needs to be remembered that managing organizational change is not the same as managing a project. It should be treated as a programme rather than a project. A project aims to deliver a specific set of deliverables in a relatively short timescale by budgeting and tracking the necessary effort and resources. By contrast, a programme does not have a defined set of deliverables in mind, but rather embraces a vision which may well evolve and change along a path that is not always very clearly defined. The timescales are generally much longer. However, as with a project, effective change is highly dependent on people, whose cooperation can only be gained by involving them and treating them properly. People will only change when they see a need to change and when they are actively involved in the programme for change. They need to feel secure in the process of change but still maintain the desire for change. However, at the same time people are much more inclined to accept change in incremental steps and the speed of the programme needs to reflect this. People do not always act rationally on the basis of new or novel information. In the course of instituting change apparently irrational attitudes and behaviours will occur. These need to be taken seriously and not dismissed as aberrations since they will affect the success of the change programme.
Case studies This section (which is also included at the end of each of the remaining chapters dealing with defences against corporate accidents) takes two of the case studies which are described in detail in Appendix 2 and uses them to illustrate the salient points from the chapter. The selection of case studies used to compile
Appendix 2 was made in such a way as to provide the reader with as wide a coverage as possible of both industry and type of accident. However, the effect of safety culture is so all pervading and influential to a company’s operations that almost any of the case studies in Appendix 2 could have been chosen for their illustrative value. Furthermore, it is probable that safety culture would be implicated in some way in any corporate accident that might have been selected as a case study for this book. The two accident case studies selected are the loss of the space shuttle Columbia and an incident involving children’s heart surgery at Bristol Royal Infirmary in the UK. The first case study illustrates the persistence of a defective safety culture within an organization. The Columbia accident followed on from the loss of the space shuttle Challenger in January 1986, some seventeen years earlier. The investigation revealed that lessons had not been learned and the safety culture within the National Space and Aeronautics Administration (NASA) was relatively unchanged. The second case study takes a slightly different angle, and whilst the safety culture of the organization (the UK National Health Service) had an influence on the events, the principal root cause lay in a professional subculture which was unable or unwilling to review its own performance objectively.
1. The loss of the space shuttle Columbia This case study is reported in detail in Appendix 2, Case Study A2.1. The twenty-eighth flight of the space shuttle Columbia began on 16 January 2003, commencing with an apparently normal countdown and launch followed by a trouble-free flight which met most of the objectives of the sixteen-day mission. Unfortunately, during launch a large piece of insulating foam became detached from the external fuel tank and struck the leading edge of Columbia’s left wing. On 1 February, as the re-entry phase began, a breach in the leading edge of the left wing caused by the foam strike allowed superheated air from the heat of re-entry to penetrate the wing cavity. This damaged the insulation protecting the leading edge support structure, melting the lightweight aluminium wing spar and destroying the interior of the wing. The Columbia orbiter broke up while passing over Texas in the early hours of 1 February, falling to earth at a speed of over 10,000 miles per hour and resulting in the loss of the space shuttle and its seven-member crew. An investigation into the accident was carried out by the Columbia Accident Investigation Board (CAIB). Apart from revealing the failure of NASA to learn lessons from the loss of the space shuttle Challenger some seventeen years earlier (see Chapter 8), the CAIB also found serious deficiencies in the safety culture of the NASA organization. Prior to the Columbia accident foam strikes had occurred over the previous twenty-two years such that it had become accepted as a normal maintenance problem rather than a safety issue. Since previous occurrences had not led to any problems, the CAIB observed that NASA had become ‘conditioned by success’. There was effectively a blind spot within the NASA organization which prevented it standing back to review its own safety culture. Safety-conscious attitudes were absent from the mindset of shuttle managers and ‘bureaucracy and process trumped thoroughness and reason’.
One of the main problems was that the safety culture ‘failed to ask searching questions about risk’, and this was a systemic flaw which penetrated the whole of the organization. High-level safety policies existed within the NASA organization which placed a high priority on safety interests; in fact, top-level management were given sufficient authority to oversee safety with a high degree of independence. Unfortunately, this never happened in practice and safety was left to compete with the many other urgent concerns which impinged upon programme and project managers. Because of this, signals that might have indicated incipient danger never surfaced in the hazard identification process, in spite of numerous recommendations made by outside experts over nearly two decades, including the Rogers Commission following the Challenger accident.
2. Children’s heart surgery at the Bristol Royal Infirmary This case study is reported in detail in Appendix 2, Case Study A2.4. Between 1991 and 1995, thirty to thirty-five more children aged under one year died after open-heart surgery in the Bristol Royal Infirmary than was typical for similar units treating children elsewhere in England. Mortality rates for this difficult form of surgery (heart operations on small babies) had been falling gradually throughout the country over the previous two decades. Although the condition of babies with heart defects treated at Bristol was no more severe than that of those treated elsewhere, the mortality rates at Bristol Royal Infirmary remained high. Concerns about the high rate of mortality led to a series of investigations, both within and outside the National Health Service, initially involving paediatric consultants and anaesthetists at the hospital, but ultimately involving Department of Health officials and the British Medical Association. These concerns culminated in a major public inquiry led by Professor Ian Kennedy, Professor of Health Law, Ethics and Policy at the University College, London. In his report Kennedy revealed a hospital short of resources and specialist staff where paediatric cardiac care was secondary to adult services, with power concentrated in the hands of a few senior consultants. The report described a ‘club culture’ in which there was a refusal to face up to problems even when they became obvious. Knowledge was considered to be in the hands of the professionals, never to be subjected to questioning, while the needs of patients were subsumed by rivalries between professions. The inward-looking culture of the hospital was one which encouraged secrecy about doctors’ performance and important information about this was withheld since it was deemed to be the property of the doctor not to be made available for the scrutiny of outsiders. 
The inquiry referred to ‘old-style attitudes of paternalism and self-protection’ not conducive to patient safety. It found that ‘dissatisfied and damaged patients, frustrated by poor communication, having failed in their search for explanations, defeated by the culture of defensiveness, resort to the media or the law, or both’. In the end, it was the media that brought the problems to public attention and raised a storm of protest from worried parents of babies who had been treated at the hospital.
Following the public inquiry, the General Medical Council began disciplinary hearings to examine allegations against a number of doctors. When these were complete, two of the doctors were found guilty of not responding to concerns over professional standards of medical care and their names were erased from the medical register. Another doctor was banned for three years from performing heart surgery on children.
References
1. International Atomic Energy Agency (2002). Safety Culture in Nuclear Installations – Guidance for Use in the Enhancement of Safety Culture, IAEA-TECDOC-1329, Vienna: IAEA, http://www-pub.iaea.org/MTCD/publications/PDF/te_1329_web.pdf
2. Bates, D.G. and Plog, F. (1980). Cultural Anthropology, 2nd edn, New York: Alfred A. Knopf, p. 7.
3. Hofstede, G. (1996). Cultures and Organizations: Software of the Mind: Intercultural Cooperation and Its Importance for Survival, New York: McGraw-Hill.
4. Schein, E.H. (1991). Organizational Culture and Leadership, 2nd edn, San Francisco, CA: Jossey-Bass.
5. Hofstede, G., Neuijen, B., Ohayv, D.D. & Sanders, G. (1990). Measuring organizational cultures. A qualitative and quantitative study across twenty cases, Administrative Science Quarterly, 35, 286–316.
6. Seel, R. (2001). Describing Culture: From Diagnosis to Inquiry, http://www.newparadigm.co.uk
7. Wertheimer, M. (1924). Gestalt Theory, Society for Gestalt Theory and its Applications, http://gestalttheory.net/archive/wert1.html
8. Seel, R. (2000). Complexity and Culture: New Perspectives on Organisational Change, Organisations and People, 7(2), 2–9, http://www.new-paradigm.co.uk/culture-complex.htm
9. Gardner, M. (1970). Mathematical games, the fantastic combinations of John Conway’s game of life, Scientific American, 223(October), 120–123.
10. Reynolds, C.W. (1987). Flocks, herds, and schools: a distributed behavioral model, Computer Graphics, 21(4), 25–34.
11. Cox, S. and Flin, R. (1998). Safety culture: philosopher’s stone or man of straw? Work and Stress, 12, 189–201.
12. Confederation of British Industry (1991). Developing a Safety Culture, London: CBI.
13. Health and Safety Executive, Advisory Committee on the Safety of Nuclear Installations (ACSNI) (1993). Organising for Safety, Third Report, Study Group on Human Factors, Sudbury: HSE Books.
14. International Atomic Energy Agency (2002). Safety Culture in Nuclear Installations – Guidance for Use in the Enhancement of Safety Culture, IAEA-TECDOC-1329, Vienna: IAEA, http://www-ns.iaea.org/standards/documentpages/other/management-systems.htm
15. US Agency for Health Care Policy and Research, Hospital Survey on Patient Safety Culture, http://www.ahrq.gov/qual/hospculture/hospcult1.htm
16. Nieva, V.F. and Sorra, J. (2003). Safety Culture Assessment: A Tool for Improving Patient Safety in Healthcare Organizations, Quality and Safety in Health Care, http://qhc.bmjjournals.com/cgi/content/full/12/suppl_2/ii17
17. Statutory Instrument 1999 No. 743, The Control of Major Accident Hazards Regulations 1999, http://www.opsi.gov.uk/si/si1999/19990743.htm
18. Chemical Industries Association, Responsible Care Scheme, London: CIA, http://www.cia.org.uk/newsite/responsible_care/care.htm
19. Harvey-Jones, J. (1993). Managing to Survive: A Guide to Management Throughout the Nineties, London: William Heinemann.
20. Nevis, E. (1987). Organizational Consulting: A Gestalt Approach, Cleveland: Gestalt Institute of Cleveland Press.
21. Deming, E. (1982). Out of the Crisis, rev. 1986, Cambridge, MA: MIT Center for Advanced Engineering Study.
5
Understand the risk
We believe that risk management should be about practical steps to protect people from real harm and suffering – not bureaucratic back covering. If you believe some of the stories you hear, health and safety is all about stopping any activity that might possibly lead to harm. This is not our vision of sensible health and safety – we want to save lives, not stop them. Our approach is to seek a balance between the unachievable aim of absolute safety and the kind of poor management of risk that damages lives and the economy.
Statement by Bill Callaghan, Chair of the UK Health and Safety Commission, http://www.hse.gov.uk/risk/principles.htm
Introduction Corporate accidents when they occur often involve an element of surprise. This element of surprise indicates that there has been a lack of preparedness at senior management and director level, often stemming from a failure to comprehend fully the risks generated by the organization. This chapter deals mainly with the identification of hazards and the assessment of risk so that management understand the magnitude of the risks arising from the organization’s operations and activities. A clear distinction is made between the terms hazard and risk, which are sometimes used interchangeably. Since it is the hazards which give rise to the risks, the hazards must be identified before the risks can be properly understood. The chapter explores expressions of risk including individual risk in the workplace, in the home and, for comparison, during leisure pursuits, as well as the wider societal risks which arise when major accidents cause multiple fatalities. The methods of calculating risk are described, enabling risks to be compared with each other and compared with risk criteria set corporately or by a regulator. It also is important to investigate risks in the context of the activities that cause them, for instance, whether the activities are voluntary or involuntary. This explains why some risks are unacceptable unless reduced to low levels, whereas others, such as from leisure pursuits, are much higher yet deemed acceptable by the individuals involved.
Risk assessment is a legal requirement of the UK regulator for most industrial activities where there are workplace hazards. There are many approaches to risk assessment, varying from a simple qualitative workplace assessment to a quantified risk assessment (QRA) of major hazards with the potential for multiple fatalities. The important principle is that the amount of effort expended in the assessment and the level of detail produced should be proportionate to the potential risk. A full description of QRA methodology is beyond the scope of this book, but a standard risk assessment method using a risk matrix is described. This is generally applicable for a simple assessment of workplace risk as well as for a screening analysis of major accident hazards. Finally, the important concept of risk perception is examined in an attempt to explain why risks which may seem tolerable on the basis of acceptance criteria can be perceived as unacceptable by individuals or groups who are affected. It is essential that companies understand risk perception and how it occurs if they are to communicate effectively their safety and risk policies to those affected by their activities. The setting of risk criteria by the regulator and how compliance is measured are dealt with in Chapter 6.
What is risk? Risk may be simply defined as the converse of safety, so that an activity or a process which is unsafe is therefore, by definition, risky. No activity, however, is completely safe and the goal of absolute safety or zero risk can never be achieved. Nevertheless, everybody is aware that most activities can be brought to a condition of being sufficiently safe, so that they can continue to be carried out. As will be shown later, the condition of ‘sufficiently safe’ exists subjectively in the mind of the person(s) affected by the activity. Since individuals will differ in their perception of the risk from the same activity, it is important that ‘sufficiently safe’ is measured so that the various viewpoints about what is acceptable can be reconciled. Defining the level of risk therefore makes it possible to reach agreement about what is and what is not acceptable to individuals and society. The condition of sufficiently safe exists as a theoretical point on a continuous spectrum ranging between safe and unsafe. This point can be identified by measuring the risk and placing it on the risk spectrum. Risk is defined by the UK Health and Safety Executive (HSE) as ‘an expression of the likelihood that harm from a particular hazard will occur and the possible extent of the harm’. Risk and hazard are not interchangeable terms, since each has its own very specific meaning and definition. Some definitions taken from various sources related to risk and hazard are:
• Risk: the combination or product of the frequency or probability (likelihood) of a hazard occurring and the consequences of the hazard if it does occur.
• Hazard: ‘a physical condition with the potential to cause harm’ (HSE).
• Hazardous event: ‘an occurrence that creates a hazard’ (MIL STD 882B).
• Hazard consequence: ‘the undesirable outcome of a hazard expressed in terms of level of harm from a specified hazard’ (Institution of Chemical Engineers).
• Hazard frequency: the frequency that a specified hazard will be realized.
• Accident: ‘an unplanned event resulting in death, injury or illness to personnel, or loss of equipment or property’ (MIL STD 882B).
Examples of hazards are falling from a height, fire, explosion, water, radiation, electricity, slipping or tripping, etc. Each hazard has its own particular consequence or outcome, such that falling from a height is likely to result in bodily injuries, fire will result in burns, water may result in drowning, electricity in electrocution and so on. This may all seem rather obvious, but it is important to make a distinction between a hazard and its ‘frequency and consequence’ in order to define or calculate the risk. Risk is therefore defined in mathematical terms as follows:

$$\text{Risk} = [\text{The likelihood a hazard is realized}] \times [\text{The consequences of the hazard}] \qquad (1)$$

Likelihood is expressed as either frequency or probability of occurrence. The implication of equation (1) is that a hazard can exist without being realized; for instance, a tank of gasoline poses a potential fire hazard, but the hazard is not realized unless the containment is breached and the gasoline reaches a source of ignition. The concept of risk is therefore most frequently used to predict the risk of an activity or a process, allowing decisions to be made as to whether it is sufficiently safe to be carried out or whether further risk reduction measures are necessary. Risk reduction measures may be developed to reduce either the likelihood or the consequence of the hazard; in either case they will reduce the risk. However, it is often better to reduce the likelihood than the consequence: it is preferable that the accident does not occur (or occurs less often) than to reduce its consequences when it does occur. Measures to reduce both likelihood and consequence are best of all. Once risk reduction measures have been implemented, the new level of risk can be checked to see whether the activity or process is sufficiently safe. This can be determined by comparing the risk with risk criteria or risk targets to be achieved, possibly set by a regulator (see Chapter 6).
The relationship between likelihood and consequence is most aptly demonstrated by the ‘Farmer curve’. This curve shows the relationship between frequency (years) and consequence (number of fatalities) based on historical accidents. The curve was developed in 1967 by Dr F.R. Farmer OBE, FRS (1914–2001), a prominent nuclear scientist, and an indicative straight-line version of his ‘curve’ is shown in Figure 5.1. The curve expresses something which is rather obvious and which most people intuitively realize, but at the same time is the basis for many important risk decisions. It expresses the serendipitous fact that the accidents which have the highest consequence also tend to have the lowest frequency. In other words, more serious accidents occur less frequently. Conversely, accidents which are very frequent tend to have a low consequence. Thus, we can see from the curve that accidents causing about fifty fatalities have (say in the UK alone) a frequency of about five to ten years. If the frequency were less than this or the fatalities more, then the risk would be higher. However, accidents causing 10,000 fatalities, say a serious nuclear accident, might be expected to have a frequency of around 200 years. Such a curve can be used to set risk criteria; any accidents lying above the curve are said to present an unacceptable risk. Please note that the curve shown is indicative only, and that both axes have logarithmic scales.

[Figure 5.1 Indicative ‘Farmer curve’. Vertical axis (y): frequency of fatalities (x) per year, from 1 (once per year) down to 10^–4 (once per 10,000 years). Horizontal axis (x): consequence or severity of accident (fatalities), from 1 to 100,000. Regions labelled ‘High risk’ and ‘Low risk’.]

The practical implications of the Farmer curve are summed up in Table 5.1. This is mainly intended to show the distinction between commonplace accidents with low consequence and major accidents with severe consequence, and the typical ways in which these are controlled. Prior to Farmer’s groundbreaking paper,1 published in 1967, safety and risk were usually considered qualitatively, with the assurance of sufficiently safe being based on engineering judgement and the use of standard or previous practice. The advent of nuclear power, with its potential for catastrophic accident, as well as the building of larger, more complex chemical plants, made a more quantitative approach essential. Such an approach made possible the use of risk comparisons between different engineering solutions to complex safety issues and between predicted risk from a dangerous facility and risk targets set by a regulator. Farmer argued that no dangerous facility could ever be entirely risk free, but by the predictive study of how major accidents developed, it was possible to identify the combinations of precursor, yet
often minor, events which together led to the hazard being realized. Good engineering design could then ensure that the major hazards with the greatest consequence were brought under control and limited to an acceptably low frequency in line with risk targets.

Table 5.1 Accident frequency versus consequence

| Frequency | Severity or consequence | Type of accident | Method of control to reduce frequency and/or consequence |
| --- | --- | --- | --- |
| High (1–5 years) | Low: injury or fatality | Workplace accidents, road accidents, accidents in the home | Health and safety management, road safety campaigns, design of equipment, etc. |
| Low (5–100 years) | High: many fatalities | Major accidents from dangerous facilities, natural catastrophes, terrorist attack, train crashes | Multiple layers of defence, high reliability equipment, evacuation planning, security measures, etc. |
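As an added illustration (not from the book), the Python below fits a straight line on logarithmic axes through the two indicative points quoted in the text and screens accident scenarios against it, flagging those that lie above the line. The 7.5-year midpoint of ‘five to ten years’, the function names and the scenario list are assumptions constructed for this example; like the book’s curve, the fitted line is indicative only.

```python
import math

# Indicative points quoted in the text (not taken from Farmer's 1967 paper):
#   about 50 fatalities     -> roughly once every five to ten years
#   about 10,000 fatalities -> roughly once every 200 years
# ASSUMPTION: the midpoint of "five to ten years" (7.5 years) is used.
INDICATIVE_POINTS = [(50.0, 1.0 / 7.5), (10_000.0, 1.0 / 200.0)]


def fit_criterion_line(points):
    """Fit log10(frequency) = slope * log10(fatalities) + intercept
    through two (fatalities, events-per-year) points."""
    (n1, f1), (n2, f2) = points
    x1, y1 = math.log10(n1), math.log10(f1)
    x2, y2 = math.log10(n2), math.log10(f2)
    slope = (y2 - y1) / (x2 - x1)
    return slope, y1 - slope * x1


def limit_frequency(fatalities, line):
    """Highest frequency (events per year) the line allows for this consequence."""
    slope, intercept = line
    return 10 ** (slope * math.log10(fatalities) + intercept)


def assess(name, fatalities, frequency, line):
    """Place one scenario on the frequency/consequence plane.

    'risk' is equation (1): likelihood x consequence, in expected fatalities
    per year. Acceptability is judged on frequency against the line, not on
    the product, because the product is not constant along the line.
    """
    if fatalities < 1 or frequency <= 0:
        raise ValueError("fatalities must be >= 1 and frequency > 0")
    limit = limit_frequency(fatalities, line)
    ratio = frequency / limit
    return {
        "name": name,
        "risk": frequency * fatalities,
        "limit": limit,
        # Factor by which likelihood must fall to reach the line (1.0 = none).
        "reduction_needed": max(1.0, ratio),
        "acceptable": frequency <= limit,
    }


def screen(scenarios, line):
    """Return the scenarios lying above the line, worst first."""
    results = [assess(*s, line) for s in scenarios]
    failing = [r for r in results if not r["acceptable"]]
    return sorted(failing, key=lambda r: r["reduction_needed"], reverse=True)


# Constructed scenarios: (name, fatalities per event, events per year).
SCENARIOS = [
    ("Storage tank fire", 5, 0.02),
    ("Process unit explosion", 100, 0.2),
    ("Toxic gas release", 1000, 0.1),
    ("Warehouse collapse", 20, 0.05),
]

LINE = fit_criterion_line(INDICATIVE_POINTS)

if __name__ == "__main__":
    print(f"slope={LINE[0]:.3f} intercept={LINE[1]:.3f}")
    for r in screen(SCENARIOS, LINE):
        print(f"{r['name']}: risk={r['risk']:.1f} fatalities/yr, "
              f"limit={r['limit']:.4f}/yr, "
              f"reduce likelihood by x{r['reduction_needed']:.1f}")
```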
Expressions of risk In order to understand fully the risk arising from an activity and, where necessary, make valid comparisons with risks from other activities or with risk criteria, it is necessary to choose the most suitable expression (or unit) of risk. There are two broad categories considered here, individual risk and societal risk. Individual risk measures the risk to an individual from participating in an activity. This may be the risk of death or injury arising from an accident involving the activity, but could be ill-health or loss of life expectancy due to delayed effects such as exposure to ionizing radiation or toxic substances. Deaths resulting from an activity may occur singly, as in motor vehicle accidents or serious workplace accidents, or may be multiple fatalities in the case of a major accident such as a refinery explosion or a train crash. Individual risk can be calculated whether the deaths occur singly (one at a time) or as multiple fatalities. Where multiple fatalities occur, it is sometimes beneficial to express the risk in terms of societal risk. Societal risk takes account of the fact that there is greater public aversion to multiple-fatality accidents than to accidents where fatalities occur one at a time. This is a consequence of the perceived greater harm to society which results from multiple-fatality accidents, often reflected in the greater publicity, as well as an increased desire to take preventive measures against future accidents. Each expression of risk is discussed in more detail below.
Individual risk
Calculation of individual risk
Equation (1) calculates risk from the combination of the likelihood of a hazard being realized and the consequence of the hazard. The calculation of annual individual risk requires the equation to be slightly modified to:

Individual risk = [Frequency of hazard (per year) × Consequence (fatalities arising from the hazard)] / Number of persons at risk
= Number of fatalities per year / Number of persons at risk
= Chance or probability of death per year to an individual exposed to the hazard

Thus, annual individual risk is the number of fatalities due to the hazard each year divided by the number of people at risk. The result is the annual probability (or chance) of death to any individual exposed to the hazard. It may be calculated for a particular activity, say a job, part of a job or leisure activity.
Worker individual risk
The annual fatality statistics produced by the HSE are expressed in terms of individual risk. Statistics for the year 2005/06 are summarized in Table 5.2.

Table 5.2 Workplace fatalities in the UK, 2005/06²

| Standard Industrial Classification (SIC 92) | No. of fatalities | No. of workers employed | Individual risk |
|---|---|---|---|
| Agriculture, hunting, forestry and fishing | 33 | 408,907 | 8.1E–05 |
| Extractive and utility supply industries | 6 | 165,644 | 3.6E–05 |
| Manufacturing industries | 45 | 3,246,508 | 1.4E–05 |
| Construction | 59 | 1,997,660 | 3.0E–05 |
| Service industries | 69 | 23,962,625 | 2.9E–06 |
| All | 212 | 29,781,344 | 7.1E–06 |

There are 29.8 million workers employed in the UK, based on estimates compiled by HSE² from quarterly figures collected by the Office for National Statistics (ONS). During the year from April 2005 to April 2006, there were 212 industrial fatalities recorded by HSE³ as reported to all enforcing authorities. Thus average individual risk for all workers is given by:

Individual risk (all UK workers 2005/06) = 212/29.8E+6 = 7.1E–6 per year

Note that for clarity, the exponential method of expressing very small or very large numbers is adopted here. In this convention, 29.8E+6 is equivalent to 29.8 × 10⁶ or 29.8 × 1,000,000 or 29.8 million. Similarly, 7.1E–6 is equivalent to 7.1 × 10⁻⁶ or 7.1/1,000,000. This individual risk of 7.1E–6 per year is in effect an average risk spread over all workers in the UK. Clearly, this annual overall UK worker risk is a statistical average and there will be variations in individual risk across industries. Everyone knows the story of the statistician who drowned in an average depth of water of 5 cm! The risk is calculated by the HSE across industries varying from the service industries, employing many clerical and shop workers, where the risk is low (2.9E–06 or a chance of about 3 in a million each year), to construction (3.0E–5 or about 3 in 100,000 each year). The risk to a construction worker is therefore about ten times more than the
risk to a service worker owing to the nature of the work and exposure to more serious hazards. Another way of saying this is that a construction worker has a ten times greater chance of being killed at work than a service worker. It is immediately apparent from Table 5.2 that the contribution of the agriculture, hunting, forestry and fishing industries (which happens to include the offshore oil and gas extraction industry) makes a disproportionate contribution to the overall average. The service industry sector contributes sixty-nine of the 212 fatalities, but these are spread over nearly 24 million workers, whereas the agriculture, hunting, forestry and fishing industries contribute just less than half the deaths of the service industries for only 1.7 per cent of the workforce. This result is reflected in the individual risk calculation. Because of these gross disparities of risk, it is usual when calculating individual risk from a particular hazard to try and identify the most exposed group. At a workplace such as a factory where toxic chemicals are handled, this might mean eliminating groups of clerical and administrative workers in an office (rarely exposed to the toxic hazard risk) in order to calculate the risk to staff actually working with the chemicals, such as process operatives, transportation and warehouse staff. The risk to this most exposed group is then calculated as above and compared with risk acceptance criteria. Comparison of risks with risk acceptance criteria is described in Chapter 6.
Transportation risk
The units of chance of death per year used in the above calculations are the standard means of expression of individual risk for deaths occurring in the workplace. It is, however, common to use alternative units, whereby more valid comparisons are obtained. A good example of the use of alternative risk units occurs in the transportation industries. Instead of expressing the risk as the chance of death per year, a unit of deaths per billion passenger kilometres travelled is adopted in preference. Table 5.3 expresses the UK transportation risk to passengers for a number of different modes of transport.

Table 5.3 UK passenger fatality rates by mode of transport (average for ten years, 1995–2004)⁴

| Mode of transport | Fatalities per billion passenger kilometres (e) | Fatalities per passenger kilometre |
|---|---|---|
| Air (a) | <0.05 | <5E–11 |
| Rail (b) | 0.4 | 4E–10 |
| Water (c) | 0.3 | 3E–10 |
| Bus or coach | 0.3 | 3E–10 |
| Car (d) | 2.8 | 2.8E–9 |
| Van (d) | 0.9 | 9E–10 |
| Motor cycle (d) | 113 | 1.13E–7 |
| Pedal cycle | 38 | 3.8E–8 |
| Pedestrian | 49 | 4.9E–8 |

Based on Transport Statistics Great Britain (2005).⁴
(a) UK-registered airlines in UK airspace.
(b) Train accidents and accidents through movement of railway vehicles (excluding suicides and trespass on railway lines).
(c) Passenger casualties on UK-registered merchant vessels.
(d) Driver and passenger casualties.
(e) 1 billion = 1000 million.
This expression of individual risk is calculated from:

Passenger risk = Number of fatalities per year / (Passengers at risk × billion kilometres travelled per year)
= Fatalities per billion passenger kilometres

Passenger fatality rates given in Table 5.3 can be interpreted as the risk of being killed while travelling a billion kilometres. This enables the relative safety of the various modes of transport to be compared in a more meaningful way. It can be seen immediately that air travel is by far the safest mode when compared with the main alternatives of rail, bus and water travel on the same basis. Similarly, car travel carries a ten-fold greater risk of death when compared with public transport (rail and bus), but compares favourably with the risk of motor cycle, pedal cycle and pedestrian travel modes.

It should be noted that any method of expressing risk carries the danger of producing distorted comparisons. The risk of air travel when expressed on a distance travelled basis is extremely low because each journey stage is very long when compared with the other modes, especially where international travel is concerned. In addition, nearly all the risk from air travel occurs during takeoff and landing. Once in the air, the risk of being killed in an aircraft accident is extremely small, so the distance travelled becomes almost irrelevant. It is likely that the risk of dying from a deep vein thrombosis due to immobility on a long-haul flight is much greater than the risk of dying in an air crash. It is therefore possible that a passenger might be more interested in the risk of being killed during the course of a journey rather than on the basis of distance travelled. In that case, air travel would be found to be much less safe and would be more comparable to the risk from a rail or bus journey. Conversely, the risk of car, motor cycle, pedal cycle and pedestrian travel on a per-journey basis would be reduced when compared with public transport (but would still be much greater). The reason for these apparent differences in risk is that expressing the risk on a per-journey basis better takes into account the amount of time that a traveller is exposed to the hazards of that particular mode of travel. It is intuitive that the time of exposure must influence the risk from a hazard, neglecting that as the speed of travel increases the consequences of the hazard may also increase.

It should also be noted that when making risk comparisons of this type, it is better to take an average risk over a period of years (as in Table 5.3) to eliminate spikes in fatalities during a year when multiple-fatality accidents occurred. This type of accident will skew the figures for that year. This would apply to industry comparisons as much as to comparisons of transport risks.

It is sometimes necessary with transportation risk, as with worker risk, to take account of persons who are members of the most exposed group out of the total population of travellers. Such a group may comprise regular daily commuters using a transport facility, thus excluding occasional travellers. This approach is especially useful when the risk is being calculated for a single transport facility posing a different set of hazards to normal travel modes. Such a situation may occur in the case of an underground railway or a road or rail tunnel, for instance, where users are exposed to the additional hazards of flooding, entrapment, fire and smoke, etc. It may be necessary, before receiving permission to construct such a facility, to demonstrate to a regulator not only that the individual risk to all users is acceptably low, but that the risk to a member of the most exposed group of users of the facility does not exceed set criteria.
Risk comparison example
A hypothetical transnational rail tunnel is used as an example of comparing individual risk with risk acceptance criteria set perhaps by a regulator. It may seem reasonable to insist that the risk to the most exposed user of the tunnel should not exceed the risk to which that user would be exposed if travelling the same distance using a conventional surface railway. Based on the ten-year average risk for rail passengers in Table 5.3, this maximum risk would be 4E–10 per passenger kilometre. If, for instance, the tunnel length was 30 km and the most exposed user was a weekly commuter making 50 outward and 50 return trips per year, then the allowable risk exposure would be:

Allowable individual risk = 4.0E–10 × 30 × 2 × 50 = 1.2E–6 per year
= 1.2 in a million chance of death per year for the most exposed user

The designer and/or operator of the facility would then have to show that the individual risk to this hypothetical user would not exceed 1.2E–6 per year and would preferably be much less than this. This could be done by using quantitative risk assessment methods. It would be necessary to identify the main hazards, their frequency and consequence, and summate the risk arising from each of them. It will be shown in Chapter 6 that a risk of 1.2E–6 to a member of the public is in the tolerable region as set by HSE guidelines, but may require improvement. It also needs to be remembered that the risk of using the tunnel is an additional risk to the total risk of the whole commuting journey and must therefore be assessed within this wider context (see below).

The above example shows that for risks involving relatively short travel and time exposure, such as occur in a tunnel or on a short journey, it is more helpful to express individual risk in the conventional units of the chance per year of being killed. This is in order to enable more valid comparisons with risk acceptance criteria both for other modes of travel and indeed for other activities not necessarily involving travel. It is then possible to place the risk from the rail tunnel in perspective relative to similar risks. For instance, in the above example, assume that the same weekly commuter needs to use a car to travel to the outward rail boarding point and again at the destination to reach the place of work. Assume that each car journey length was 30 km and there were, as with the rail journey, 50 outward and 50 return journeys per year. Each outward journey involves 60 km of car travel, as does each return journey. Then, the additional risk due to car travel on the weekly commute can be calculated from the risk given in Table 5.3 of 2.8E–9 per passenger kilometre:

Additional individual risk (car travel) = 2.8E–9 × 60 × 2 × 50 = 1.68E–5 per year

Then the total travel risk = 1.25E–6 + 1.68E–5 = 1.8E–5 chance of death per year due to the weekly commute

It can be seen that the portion of the journey through the tunnel attracts a risk of only 7 per cent of the total for the whole journey.
That is, the portion of the journey undertaken by car carries a collective risk about thirteen times greater than the risk due to travelling through the rail tunnel. Car travel for an average user is generally assigned an individual risk of about 1E–4 per year or a chance of death of about once every 10,000 years (here the risk is a sixth of this since the commute is only a fraction of average car use). It may be argued that because the risk of car travel far outweighs the risk from the tunnel transit, the latter is of minor significance and need not be reduced further. However, such an argument would be spurious since (as it will be seen later) the two types of risk (train versus car) differ in the nature of their acceptance by the risk taker. Drivers will tend to rank the risk of car travel as lower than the risk of rail travel because they perceive that they have greater personal control when driving their own car. Risk perception is dealt with in a later section.
Other risks
Table 5.4 concludes this section by presenting some examples of more general individual risks of activities unrelated to the workplace or travel. The risks are grouped together in categories so that within each group, and across groups, comparisons can be made. The risks are ranked in order of magnitude.

Table 5.4 Examples of non-work-related individual risks

| Causes | Activity | Fatality risk per year | Approx. chance of death per year |
|---|---|---|---|
| Natural | All causes (mainly illnesses) | 1.2E–2 | 1 in 83 |
| Natural | Cancer | 2.8E–3 | 1 in 300 |
| Self-inflicted | Smoking (20 cigarettes a day): All effects | 5E–3 | 1 in 200 |
| Self-inflicted | Smoking (20 cigarettes a day): All cancers | 2E–3 | 1 in 500 |
| Self-inflicted | Smoking (20 cigarettes a day): Lung cancers | 1E–3 | 1 in 1000 |
| Self-inflicted | Drinking alcohol (average): All effects | 3.8E–4 | 1 in 2600 |
| Self-inflicted | Drinking alcohol (average): Alcoholism (diseases) | 1.2E–4 | 1 in 9000 |
| Violent | Road accidents | 1E–4 | 1 in 10,000 |
| Violent | Accidents at home | 9.3E–5 | 1 in 11,000 |
| Violent | Fire | 1.5E–5 | 1 in 70,000 |
| Violent | Drowning | 6E–6 | 1 in 170,000 |
| Violent | Excessive cold | 8E–6 | 1 in 125,000 |
| Violent | Gas incident | 1.8E–6 | 1 in 560,000 |
| Violent | Lightning strike | 1E–7 | 1 in 10 million |
| Leisure | Rock climbing (200 hours per year) | 8E–3 | 1 in 125 |
| Leisure | Canoeing (200 hours per year) | 2E–3 | 1 in 500 |
| Leisure | Hang gliding | 1.5E–3 | 1 in 700 |
| Leisure | Swimming | 5E–5 | 1 in 20,000 |
| Leisure | Rugby football | 3E–5 | 1 in 33,000 |

Figures compiled from various sources.
Societal risk
The measurement of individual risk can in most circumstances provide the basis for deciding whether a risk is acceptable when compared with similar risks or with risk criteria. However, an assurance that a single individual is not exposed to excessive risk may be insufficient if the activity concerned involves the possibility of multiple fatalities arising from a single incident. As mentioned earlier, multiple-fatality accidents attract much greater public aversion than if the resulting deaths had occurred singly. This is reflected in the much greater publicity given to such accidents. In very serious cases, society may demand that future accidents be prevented and a public inquiry may be held to determine the causes and the responsibility for the accident. There is a strong desire to hold someone accountable. The risk from these very serious accidents, to which society has an aversion, is sometimes referred to as societal risk.
FN curves
The Farmer curve (on p. 119) is an obvious candidate method of expressing societal risk since it shows the relationship between the consequence and the frequency of a multiple-fatality accident. It is more usual, however, to adapt the Farmer curve to show consequence as cumulative fatalities N, and frequency as F of the event leading to those fatalities, where F equals the frequency per year (year⁻¹) of N or more fatalities. This type of expression is generally referred to as an FN curve. Such a curve can be drawn using historical data from multiple-fatality accidents or, where these data are not available, using a risk prediction approach. Clearly, for new or recent developments historical data on large-scale accidents will not be available and even in long-established industries there may, fortunately, not be a history of major accidents. Nevertheless, where such accidents are possible, there can be a regulatory requirement to demonstrate that the societal risk is not excessive compared with set criteria.

Some indicative FN curves for various industries or types of accident are shown in Figure 5.2. The curves are drawn from various sources and are indicative rather than definitive of the particular type of accident. The activities considered in the example FN curves are those which can potentially lead to multiple fatalities. Grouped together at the top of the chart are aircraft (1), railway accidents (2) and fires and explosions (3) (all in the UK), expressed not in terms of individual risk, as considered above, but in terms of N or more fatalities plotted against the annual frequency. It should be appreciated that, as with the Farmer curve in Figure 5.1, the axes are calibrated logarithmically. Also shown is a line produced from a nuclear reactor safety study presenting the calculated risk from five pressurized water reactors in the UK (4), including delayed fatalities (from radiation exposure). Two other single points represent the Three Mile Island nuclear accident (5) in the USA in 1979, and the Chernobyl accident (6) in the former USSR in 1986. The Canvey Island curve (7) is indicative of the risks, after improvements, from industrial facilities at Canvey Island in the River Thames, near London in the 1970s. This risk study⁵ is referred to in Chapter 6 in the context of societal risk criteria.

[Figure 5.2: logarithmic plot. Vertical axis: frequency with which number of fatalities is equal to or greater than N (year⁻¹). Horizontal axis: number of fatalities (N) or more.]
Figure 5.2 Societal risk curves. 1: Aircraft accidents; 2: railway accidents; 3: fires and explosions (UK); 4: five pressurized water reactors; 5: Three Mile Island accident; 6: Chernobyl accident; 7: Canvey Island, London (after improvements).
Constructing FN curves
There are two approaches to obtaining data to construct FN curves such as shown in Figure 5.2, using historical or predictive data.

Historical data
Abstraction of information from historical accidents, in particular the frequency of different levels of consequence in terms of number of fatalities, can be used to prepare an FN curve. This can then be used for risk comparisons of proposed hazardous facilities or activities. A regulator may well require a demonstration that a proposed facility or activity (where there is potential for multiple fatalities) shows a risk reduction compared with historical data, taking advantage of technological improvements. Proposed facilities can be assessed using the second approach.

Predictive data
Quantified risk assessment (QRA) uses predictive techniques such as hazard analysis, failure mode and effects analysis, fault tree analysis and event tree analysis to generate simulated accident data. Event tree analysis is particularly useful since it can be used to represent the frequency of initiation of different accident sequences, showing the consequences of each outcome in terms of fatalities. The number of predicted fatalities for each outcome (N) can then be plotted cumulatively against the frequency (F) of the accident sequence causing the fatalities to generate the FN curve. These techniques are beyond the scope of this book to explore in detail. The criteria set by the regulator for societal risk are discussed in Chapter 6.
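The predictive route can be illustrated with a small event tree. The following is an added example, not taken from the book: the initiating frequency, branch probabilities, outcome names and fatality numbers are all constructed for illustration. It multiplies each path through the tree out to an outcome frequency, then accumulates the frequency F of N or more fatalities to give the points of an FN curve.

```python
"""FN curve from event-tree outcomes (added illustration; all figures constructed)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Outcome:
    name: str
    branch_probs: Tuple[float, ...]  # conditional probabilities along the tree path
    fatalities: int                  # predicted fatalities N for this outcome


# Constructed initiating event: a release of flammable material, once per 100 years.
INITIATING_FREQ = 1.0e-2  # per year

# Constructed tree: ignition? -> fire or explosion? -> escalation?
OUTCOMES = [
    Outcome("no ignition", (0.9,), 0),
    Outcome("fire, contained", (0.1, 0.8, 0.9), 1),
    Outcome("fire, escalates", (0.1, 0.8, 0.1), 5),
    Outcome("explosion, on-site only", (0.1, 0.2, 0.7), 10),
    Outcome("explosion, domino effects", (0.1, 0.2, 0.3), 50),
]


def path_probability(outcome: Outcome) -> float:
    """Probability of reaching an outcome, given that the initiating event occurred."""
    p = 1.0
    for branch in outcome.branch_probs:
        if not 0.0 <= branch <= 1.0:
            raise ValueError(f"{outcome.name}: branch probability {branch} out of range")
        p *= branch
    return p


def outcome_frequencies(initiating_freq: float,
                        outcomes: List[Outcome]) -> List[Tuple[Outcome, float]]:
    """Frequency per year of each outcome; the tree must cover every path."""
    total = sum(path_probability(o) for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"path probabilities sum to {total}, not 1: a branch is missing")
    return [(o, initiating_freq * path_probability(o)) for o in outcomes]


def fn_curve(initiating_freq: float, outcomes: List[Outcome]) -> List[Tuple[int, float]]:
    """Points (N, F): F is the frequency per year of N or more fatalities."""
    freqs = outcome_frequencies(initiating_freq, outcomes)
    levels = sorted({o.fatalities for o, _ in freqs if o.fatalities > 0})
    return [(n, sum(f for o, f in freqs if o.fatalities >= n)) for n in levels]


def total_risk(initiating_freq: float, outcomes: List[Outcome]) -> float:
    """Sum of frequency x consequence over all outcomes, in fatalities per year."""
    return sum(f * o.fatalities for o, f in outcome_frequencies(initiating_freq, outcomes))


if __name__ == "__main__":
    for n, f in fn_curve(INITIATING_FREQ, OUTCOMES):
        print(f"N >= {n:>2}: F = {f:.2E} per year")
    print(f"Total risk: {total_risk(INITIATING_FREQ, OUTCOMES):.2E} fatalities per year")
```

Plotted on logarithmic axes, the (N, F) points step downwards from left to right, because every outcome that contributes to a larger N also contributes to all smaller ones.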
Risk assessment
UK regulatory requirement
The process of risk assessment is essential in understanding the risks generated by a facility, operation or company, and enables a comparison of the risk to be made with acceptable risk criteria or targets, either set internally or externally. It also enables the risk from a particular hazard to be compared before and after improvement measures are taken to reduce the risk. The setting of risk targets in accordance with the principle of ALARP (as low as reasonably practicable) is described in detail in Chapter 6. Risk assessment per se is also a requirement of UK regulations, in particular the Management of Health and Safety at Work (MHSW) Regulations 1992⁶ and other regulations which were issued to comply with an EU Framework Safety Directive⁷ (see also Chapter 6, the six-pack regulations). The MHSW Regulations are important to understand because they ‘permeate all other workplace health and safety legislation including the general duties in the Health and Safety at Work etc Act 1974’.⁸ The MHSW Regulations require that every employer shall make ‘a suitable and sufficient risk assessment of:
• risks to the health and safety of his employees to which they are exposed whilst they are at work
• risks to the health and safety of persons not in his employment arising out of or in connection with the conduct by him of his undertaking
for the purpose of identifying the measures he needs to take to comply with the relevant statutory provisions.’ The phrase ‘persons not in his employment’ refers to members of the public exposed to the generated risks, whether these are customers choosing to use the company’s services or products or people inadvertently exposed. The purpose of the risk assessment is to help the employer determine what measures should be taken to comply with the employer’s duties under the relevant statutory provision. The relevant statutory provision is defined as:
• general duties under the Health and Safety at Work etc Act 1974
• specific duties in various acts and regulations associated with the Health and Safety at Work etc Act 1974.
The measures in each workplace will derive from compliance with the duties above. The MHSW defines the basic characteristics of a suitable and sufficient risk assessment. It should involve identifying the hazards present in any undertaking and then evaluating the extent of the risks involved, taking into account whatever precautions are already being taken. In particular, a risk assessment should ensure that all relevant risks or hazards are addressed, focusing on what actually happens during the work activity (as opposed to what may be set out in procedures). It must ensure that all affected groups are considered, but should identify groups particularly at risk. It should take account of existing preventive or precautionary measures. Finally, the level of detail of the risk assessment should be proportionate to the risk. A suitable and sufficient risk assessment should identify the significant risks arising out of work, enable the employer to identify and prioritize the measures that need to be taken, and be appropriate to the nature of the work and such that it remains valid for a reasonable period. The significant findings of the risk assessment should include the significant hazards identified in the risk assessment, the existing control measures in place and the extent to which they control risks. It should also include the population affected by the significant risks or hazards (groups of employees or others especially at risk). All significant findings of the risk assessment should be recorded
as part of the employer’s overall approach to health and safety as indicated in related documents such as the safety policy. They should be reported in sufficient detail to demonstrate that a suitable and sufficient risk assessment has been undertaken.⁶ These general principles apply irrespective of the size of the workplace or the nature of the hazards presented, whether the business be large and spread out over numerous sites or indeed whether it be a one-person business.

The statement by the HSE that ‘the level of detail of the risk assessment should be proportionate to the risk’⁶ is important. The risk arising from a slippery floor hazard must be taken seriously, but there is no need to spend an enormous amount of effort on assessing it, only to note that the hazard has been identified and recording that measures are in place to control it (warning signs, use of less slippery flooring, etc.). However, if the hazard is one of fire with the risk of serious injury, such as might arise in a plant handling flammable materials, the level of detail of the assessment will need to be proportionately greater. If possible, risk assessments at this level should be undertaken in house by persons such as supervisors who are familiar with the workplace and the activities carried out. If the risk involves explosive decomposition of highly reactive chemicals in a large factory located near a residential area, with the possibility of domino effects and multiple fatalities, then it will probably be necessary to quantify the risk in more detail using more advanced methods such as QRA and possibly requiring the services of safety specialists familiar with these techniques.
Methodology
There are numerous ways in which a risk assessment can be undertaken. The UK HSE, for instance, has published a guide, Five Steps to Risk Assessment,⁹ which, although not compulsory, sets out good practice in assessing risk in the workplace. An alternative simple five-stage risk assessment method is described below.
Stage 1: Hazard identification
The first step is to make a list of each identified activity which is to be assessed for risk. It may be beneficial, especially for complex activities, to carry out a task analysis which breaks an activity down into a number of subroutines. This can be done from observation of the activity or by using a written procedure which governs how the activity is carried out. The identification is carried out in three stages. For each identified activity:

(a) Prepare a hazard inventory: this involves preparing a list of the main hazards to be assessed for risk. A common approach to identification is to use a checklist of typical hazards and subhazards such as that suggested in Table 5.5. This helps to ensure that the inventory is comprehensive and acts as an aid to memory. While checklists are useful it is also essential to think outside the list in case hazards peculiar to the activity have been omitted.
(b) Identify hazardous events: once the hazard inventory is complete, the hazardous events leading to each main hazard need to be identified.
(c) Identify the type of accident: the types of accident that could cause the hazardous event need to be defined so that when the risk assessment is complete, improvement measures to reduce the risk can be identified more easily. For instance, a type of accident leading to a manual handling injury may be the use of an improper lifting technique while lifting a heavy item. An obvious measure to reduce the risk of these injuries could be better staff training.

Table 5.5 Hazard checklist

| Main hazard | Subhazards |
|---|---|
| Fire and explosion | Burns, smoke and toxic gas inhalation, physical injuries |
| Physical impact | Collision, falling or moving object |
| Manual handling injuries | Lifting, repetitive strain |
| Machinery | Entanglement, friction/abrasion, cutting, shearing/slicing, stabbing/puncturing, impact, crushing/trapping |
| Tripping/slipping | Slips, trips, obstructions or projections |
| Falling | From ladders, platforms, roofs, windows, moving vehicles |
| Drowning | Working near/above water, rivers, lakes, reservoirs, tanks, flumes |
| Asphyxiation | Confined space, breathing constriction, oxygen depletion |
| Chemicals: corrosive, toxic, carcinogenic | Inhalation, ingestion, absorption, skin contact, sensitizing, allergic response |
| Particles and dust | Inhalation, ingestion, abrasion of skin or eye |
| Electrocution | High-voltage equipment, wiring, electrostatic charge |
| Radiation | Thermal, ionizing, microwave |
| Biological | Viral infection, bacterial infection, food poisoning, water contamination |
| Extreme weather | Rain, snow, ice, fog, wind, electrical storm, etc. |
| Organizational | Lone working, violence, stress |
Stage 2: Risk assessment
There are two possible approaches to undertaking the risk assessment stage. In each case, the risk from a specific hazard or hazardous event is assessed as the combination of the frequency and consequence as described above.

• Qualitative (or semi-quantified) risk assessment: in this approach, the frequency and consequence of the hazard are ranked within a range of values, and the level of risk is estimated using a matrix. The risk is then placed within a category ranging, say, from low through medium to high and very high. The level of risk determines whether further risk-reduction measures are necessary. This method is suitable for assessing occupational health and safety risks in the workplace. It can also be used as a method of screening the risks from a set of major hazards in order to identify which hazards need to be subjected to a fully quantified analysis, as below.
• Quantified risk assessment: in the purely numerical or quantified approach, the numerical frequency and consequence of the hazard are estimated and the risk is calculated from their product in terms of fatalities per year. This method is particularly suitable for major hazards involving serious injuries and/or fatalities. It can be used to compare the risks with internal or external risk targets or criteria. Where the risk arises from a complex sequence of activities, event tree modelling may be used to represent the sequence. The product of the frequency and consequence of each outcome from the sequence is summated to give the total risk.

In either of the above cases, the following process is carried out.

Estimation of frequency
A suggested frequency ranking for each type of accident causing the hazardous event is shown in Table 5.6. In the case of high-frequency events (ranks 4–6) the local historical frequency may be used, if this has been recorded. For low-frequency events (ranks 1–3) the frequency may need to be estimated by expert judgement. This would use knowledge of local factors influencing the occurrence of the event, such as preventive measures in place and conditions conducive to the event.

Table 5.6 Frequency ranking

| Rank | Description | Frequency (years) |
|---|---|---|
| 1 | Highly improbable | 100 to 1000 years |
| 2 | Possible but unlikely during the life of facility | 1 in 100 years |
| 3 | Occasional during the life of facility but rare | 1 in 20 years |
| 4 | Several during life of facility | 1 in 5 years |
| 5 | Regular occurrence | Annual |
| 6 | Common occurrence | Weekly |

Estimation of consequence
The consequence of each type of accident causing the hazardous event is obtained by selecting from the six ranking levels A–F shown in Table 5.7. Table 5.7 also allows for the assessment to include consequences other than those purely associated with health and safety of people. The other consequences shown are environmental damage, asset loss and damage to corporate reputation. Suggested damage-intensity levels are included to enable these additional consequences to be ranked. For the purposes of QRA where the outcomes of different accident scenarios may include varying numbers of injuries and fatalities, it is possible to express the overall consequence in terms of the equivalent fatalities, using the formula:

Equivalent fatalities (E) = Fatalities (F) + (Major injuries (M)/10) + (Minor/Trivial injuries (T)/100)

This particular formula assumes that ten major injuries or 100 minor or trivial injuries are each equivalent to one fatality. There is no particular consensus on the equivalence factors used to convert injuries to fatalities, and each situation needs to be assessed in the light of the particular hazards. It should be remembered that the term
Understand the risk Table 5.7 Consequence ranking Rank
Type of consequence Health and safety risks
Environmental damage10
Asset damage
Damage to reputation
A
Trivial injuries: first aid required locally
Negligible: insignificant or very slight with swift recovery or very low prevention or recovery costs
Negligible: superficial damage only, no disruption to operation
Negligible impact: immediate recovery
B
Minor injury: ambulance called, visit to hospital but not detained, lost time not exceeding 1 week
Slight: impact that does not affect the system’s stability, short-term recovery
Slight: costs less than £5000, no disruption to operation
Slight impact: recovery within weeks, no long-term effect
C
Major injury to one person: ambulance called requiring hospitalization for some days or weeks, lost time amounting to more than 1 week
Appreciable: change is marked, but restricted to a relatively limited area. Slight regional impact; short-term recovery simple and cheap, up to 1 year
Minor: costs between £5000 and £10,000, brief disruption to operation
Minor impact: local publicity, recovery within months
D
Several major injuries: as above for any individual
Severe: very marked regional or very extensive change. Recovery in the short or medium term through costly mitigation measures, 1–7 years
Localized: £10,000 to £100,000, shutdown for a few days
Moderate impact: national publicity and loss of market share but recoverable
E
Single fatalities: immediate or delayed
Very severe: very extensive, and harmful regional consequences, partial or slight recovery at a very high cost in the medium and long term, reduced options for future use for 7–20 years
Major: £100,000 to £1m, shutdown for several weeks or months for major repairs
Major impact: international publicity with long-term damage and loss of overseas market share and stock value
F
Multiple fatalities: immediate or delayed.
Catastrophic: the system cannot recover, destruction is total. Natural recovery can take place in the very long term, more than 20 years
Extensive: in excess of £1m with major rebuild of assets
Massive impact: as above with permanent loss of market share, serious threat to future trading
133
‘injury’ includes adverse health effects as well as actual physical injuries. For occupational health and safety hazards, the predicted consequence ranking is usually estimated based on historical experience or judgement. For major hazards it may be necessary to carry out consequence modelling such as fire and smoke transport models, in the case of fire hazards, for instance.

Assessment of risk from each hazardous event
Risk is assessed by combining the frequency and the consequences for the hazardous event as derived from the risk assessment process. Figure 5.3 illustrates such a matrix, which could be used either for workplace hazards or as a screening tool for major hazard risk assessments. The matrix shows the two parameters which make up the risk, the frequency or time between events in years and the consequence in injuries and fatalities (or other criteria) as derived from Tables 5.6 and 5.7. The parameters are assessed for each type of accident leading to a hazardous event, and the level of risk, varying from low (L) through medium (M) to high (H) and very high (V), is determined using the matrix and recorded. The solid lines divide the matrix into three areas, loosely corresponding to ‘unacceptable’ (H1–V1), ‘ALARP’ (M1–M2 and H2–H3) and ‘generally acceptable’ (L1–L3). The test of ‘reasonable practicability’ is applied to ALARP risks which lie between the ‘unacceptable’ and ‘generally acceptable’ regions. There is a requirement to reduce these risks to ALARP. The ALARP principle is described in more detail in Chapter 6. Risks in the H1–V1 region must be reduced irrespective of the cost. The matrix in Figure 5.3 is just one of many versions of similar matrices which have been produced and which can be located in various sources. The one shown is not necessarily authoritative. It should be noted that the risk assessment takes into account any risk control measures that are already in place, with the objective of identifying further measures that are needed as described in the next step.

Rows: Frequency (rank 1–6); columns: Consequence (rank A–F).

| Frequency | A | B | C | D | E | F |
|---|---|---|---|---|---|---|
| 1 | L3 | L2 | L1 | M2 | M1 | H3 |
| 2 | L2 | L1 | M2 | M1 | H3 | H2 |
| 3 | L1 | M2 | M1 | H3 | H2 | H1 |
| 4 | M2 | M1 | H3 | H2 | H1 | V3 |
| 5 | M1 | H3 | H2 | H1 | V3 | V2 |
| 6 | H3 | H2 | H1 | V3 | V2 | V1 |

Figure 5.3 Risk assessment matrix.
Stage 3: Assessment of control measures
When the existing level of risk has been assessed the level of acceptability needs to be tested in order to determine whether further risk reduction measures are necessary. The level of risk assessed from the matrix determines the action to be taken, as suggested in Table 5.8.

Table 5.8 Risk control measures

| Assessed risk level | Risk control measure |
|---|---|
| Low (L2–L3) | Risk is so low that no further action is required |
| Low (L1) | Risk is acceptable so long as all reasonably practicable control measures have been implemented. Excessive cost is not justified |
| Medium (M1–M2) | Review existing control measures for improvements to reduce the risk to as low as reasonably practicable (ALARP), balancing the risk reduction against the cost of the measure |
| High (H2–H3) | Consider additional control measures to reduce the risk to as low as reasonably practicable (ALARP), balancing the risk reduction against the cost of the measure |
| High (H1) | Risk is intolerable; additional and effective risk control measures must be introduced irrespective of cost |
| Very high (V1–V3) | Risk is unacceptably high and the activity must cease until additional and effective risk control measures have been introduced irrespective of cost |

Stage 4: Reporting
The risk matrix in Figure 5.3 or similar is used to address all identified hazards and will enable low-risk hazards to be screened out of the assessment. This leaves hazards contributing medium (M1–M2) and high (H2–H3) risk to be assessed on the basis of reasonable practicality of risk reduction measures. Hazards, hazardous events and accidents leading to these events, which have been identified, are recorded on a risk assessment pro forma. This can also be used to record the categories of frequency and consequence and hence the level of risk. For each identified hazard of medium or high consequence the current risk control measures are identified and their adequacy assessed. If they are considered to be inadequate or improvements are possible these will also be recorded. It is important (and a requirement of health and safety legislation) that the results of all risk assessments and any recommendations arising from these, together with calculations and arguments for risk reduction measures, are recorded. A systematic approach is beneficial to ensure that all hazards and risks are assessed using the same basic approach, so that the results across an organization are comparable. A standard approach to reporting should therefore be enforced throughout the company. Consistency in undertaking and reporting risk assessments will enable resources to be allocated on a rational basis, taking into account the relative contribution of the
identified hazards to the total risk (i.e. a risk-based approach). Any hazards that are assessed as very high risks, which are deemed to constitute a major threat to the health and safety of the public and workforce, can, where appropriate, be subject to a further quantified analysis using a calculation spreadsheet to calculate the individual risk of specific activities and compare this with risk acceptance criteria. For major hazards posing societal risk and the possibility of multiple-fatality accidents, such as may exist at facilities seeking to meet the Control of Major Accident Hazards (COMAH) Regulations (see Chapter 6), a more sophisticated approach may need to be used. In this case the risk will probably have to be quantified by calculating the probability or frequency of each accident sequence and its consequences in terms of number of fatalities, using QRA. However, the overall process of identification of hazards and those at risk, followed by evaluation of the level of risk and specification of risk control measures, is essentially the same for a facility presenting major hazards as for the small workplace. The level of effort will, however, be that much greater for major hazards since it needs to be proportionate to the level of risk. In addition, the greater the potential risk the greater the degree of rigour which the regulator will require in assessing the risk and demonstrating it to be acceptable (see Chapter 6).
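The screening steps of Stages 2 to 4 as an added worked example (not code from the book): it encodes Figure 5.3 and a condensed Table 5.8, the equivalent-fatalities formula, and the event-tree summation of frequency times consequence. The hazard register, the outcome frequencies and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Figure 5.3 row by row: frequency rank (Table 5.6) -> risk level for
# consequence ranks A..F (Table 5.7).
MATRIX = {
    1: ["L3", "L2", "L1", "M2", "M1", "H3"],
    2: ["L2", "L1", "M2", "M1", "H3", "H2"],
    3: ["L1", "M2", "M1", "H3", "H2", "H1"],
    4: ["M2", "M1", "H3", "H2", "H1", "V3"],
    5: ["M1", "H3", "H2", "H1", "V3", "V2"],
    6: ["H3", "H2", "H1", "V3", "V2", "V1"],
}
CONSEQUENCE_RANKS = "ABCDEF"
# Levels from lowest to highest risk; used for validation and sorting.
SEVERITY = ["L3", "L2", "L1", "M2", "M1", "H3", "H2", "H1", "V3", "V2", "V1"]

# Table 5.8, condensed wording: risk level -> required action.
ACTIONS = {}
for _levels, _action in [
    ("L3 L2", "no further action required"),
    ("L1", "acceptable if all reasonably practicable controls are in place"),
    ("M2 M1", "review existing controls; reduce to ALARP"),
    ("H3 H2", "consider additional controls; reduce to ALARP"),
    ("H1", "intolerable; add effective controls irrespective of cost"),
    ("V3 V2 V1", "activity must cease until effective controls are in place"),
]:
    for _level in _levels.split():
        ACTIONS[_level] = _action


def risk_level(freq_rank, cons_rank):
    """Return the Figure 5.3 cell for frequency rank 1-6 and consequence rank A-F."""
    if freq_rank not in MATRIX:
        raise ValueError(f"frequency rank must be 1-6, got {freq_rank!r}")
    rank = str(cons_rank).upper()
    if len(rank) != 1 or rank not in CONSEQUENCE_RANKS:
        raise ValueError(f"consequence rank must be A-F, got {cons_rank!r}")
    return MATRIX[freq_rank][CONSEQUENCE_RANKS.index(rank)]


def region(level):
    """Map a risk level to one of the three regions of the matrix."""
    if level not in SEVERITY:
        raise ValueError(f"unknown risk level {level!r}")
    if level.startswith("L"):
        return "generally acceptable"
    if level in ("M1", "M2", "H2", "H3"):
        return "ALARP"
    return "unacceptable"  # H1 and V1-V3


def equivalent_fatalities(fatalities, major, minor_trivial):
    """E = F + M/10 + T/100, the equivalence factors used in the text."""
    return fatalities + major / 10 + minor_trivial / 100


def total_risk(outcomes):
    """Sum frequency x consequence over event-tree outcomes.

    Each outcome is (frequency per year, fatalities, major, minor_trivial);
    the result is equivalent fatalities per year.
    """
    return sum(f * equivalent_fatalities(F, M, T) for f, F, M, T in outcomes)


@dataclass
class Hazard:
    name: str
    freq_rank: int   # Table 5.6
    cons_rank: str   # Table 5.7


def screen(register):
    """Group hazards by matrix region, highest risk first within each group."""
    groups = {"generally acceptable": [], "ALARP": [], "unacceptable": []}
    for hazard in register:
        level = risk_level(hazard.freq_rank, hazard.cons_rank)
        groups[region(level)].append((hazard.name, level, ACTIONS[level]))
    for rows in groups.values():
        rows.sort(key=lambda row: SEVERITY.index(row[1]), reverse=True)
    return groups


# Constructed sample data (not from the book).
SAMPLE_REGISTER = [
    Hazard("Dropped hand tool", 2, "A"),
    Hazard("Slip on wet walkway", 5, "B"),
    Hazard("Pipework rupture with ignition", 1, "F"),
    Hazard("Tank overfill with ignition", 4, "E"),
]
SAMPLE_OUTCOMES = [          # one constructed event tree
    (0.009, 0, 0, 2),        # release contained: two minor injuries
    (0.0009, 0, 3, 5),       # local fire
    (0.0001, 2, 4, 10),      # escalation to explosion
]

if __name__ == "__main__":
    for name, rows in screen(SAMPLE_REGISTER).items():
        for hazard, level, action in rows:
            print(f"{name:21} {level}  {hazard}: {action}")
    print(f"total risk: {total_risk(SAMPLE_OUTCOMES):.6f} equivalent fatalities/year")
```

In this matrix every one-step increase in either frequency rank or consequence rank moves the result one place up the scale L3 to V1, so a rare event with multiple fatalities (1, F) and a weekly trivial injury (6, A) both land on H3.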
The precautionary principle
The precautionary principle is a technical interpretation of the proverbial ‘better safe than sorry’. The assessment of risk can never be an exact science. It is quite possible, for instance, that the identification of hazards is incomplete and hazards exist that have not been foreseen. The estimation of the frequency and consequence of a hazard is also fraught with uncertainty. For this reason, the precautionary principle must be applied where there is a lack of scientific certainty about the risk. The principle also rules out this lack of certainty as a reason for not taking action to control the risk. There is no standard definition of the precautionary principle, but the UK HSE adopts the statement from the 1992 Rio Declaration on Environment and Development: ‘Where there are threats of serious or irreversible environmental damage, lack of full scientific certainty shall not be used as a reason for postponing cost effective measures to prevent environmental degradation’ [11]. This refers to environmental risk, but the principle is the same for health and safety risk. The precautionary principle enables risk decisions to be taken irrespective of the degree of uncertainty. HSE suggests that the principle should be invoked when:
1. There is good reason based on empirical evidence or plausible causal hypothesis to believe that serious harm might occur, even if the likelihood is remote; and
2. The scientific information gathered at this stage of consequence and likelihood reveals such uncertainty that it is impossible to evaluate the conjectured outcomes with sufficient confidence to move to the next stages of the risk assessment process [12].
A distinction should be made between the precautionary principle and other drivers of perceived risk (see next section). This could include a desire to be deliberately over-cautious because, for instance, of wishing to overestimate the risk for ‘political’ reasons, e.g. to justify disproportionately expensive risk reduction measures. The Interdepartmental Liaison Group on Risk Assessment (ILGRA) outlines policy guidelines on the precautionary principle and concludes that ‘action in response to the precautionary principle should accord with the principles of good regulation, i.e. be proportionate, consistent, targeted, transparent and accountable’ [13] (see also Chapter 6 on these principles). From a practical point of view, uncertainty can be overcome to some degree by imaginative use of credible scenarios of the different ways in which hazards may be realized, then making assumptions about the frequency and consequence. Imagined worst case scenarios may be selected varying from the ‘most likely case’ to the ‘worst case possible’ in order to explore the range of uncertainty. This is quite acceptable so long as the uncertainty is recorded and the assumptions are listed as such.

Risk perception
Everybody is a risk ‘expert’. Life confronts us with a huge variety of risky activities, some of which are avoidable, but in which we still choose to indulge; there are other risks which cannot be avoided if we wish to engage fully with the demands of modern life. For many of these activities our depth of experience enables us to accept the risk intuitively, such as carrying out necessary DIY jobs in the home, often working at heights, using electrical equipment or driving a car to our place of work. We are prepared to accept these risks because of the benefits which they bring, and we may use personal strategies to mitigate the risks, such as using protective goggles while using a drill or driving at a safe speed for the prevailing road conditions. There are other risks, such as travelling by train or aircraft, where we rely upon the skill of others to protect us from harm. We may feel less comfortable about accepting this sort of risk since it requires us to relinquish a degree of control. For many familiar risks we are adept at carrying out a quick mental risk assessment to help us to make a decision about whether the risk is acceptable given the precautions we have decided to take, the trust we have placed in others and the benefits likely to accrue to us. The level of risk relating to a particular activity, and which we assess for ourselves using our own or others’ experience to guide us, is often referred to as perceived risk. There used to be an untested assumption that this perceived or subjective risk, which we assess for ourselves, could be compared with an objective risk, assessed for us by ‘risk experts’. If there is a difference between the two levels of risk, which is inevitably the case, the assumption goes on to state that the objective risk assessment should prevail.
The experience of numerous public inquiries into risky developments (such as new nuclear facilities) has proved that this apparent distinction between ‘true risk’ and ‘perceived risk’ is not helpful, since in most cases it has been found very difficult to reconcile the two diverging views. The reason for this is that the ‘objective’ risk based on the views of experts is not necessarily objective. In all risk assessments, no matter how professionally made, there is a high level of uncertainty and bias implicit in the results and therefore in the judgements which
arise from it. This renders it little more objective than the risk perceived by the public at large, although experts may not always be ready to admit to this. It is therefore useful to examine some of the factors that come into play when the risks to which we are exposed are assessed by ‘non-experts’.

Amplification–attenuation model of risk perception
One of the most widely accepted models of perceived risk is the amplification–attenuation model [14]. This model starts from the premise that for a given activity there is a true or objective value of the risk which arises from carrying out the activity. This risk is then amplified or attenuated depending upon a number of factors such as how it is reported (terminology and images) and how it comes to be viewed through the lens of prevailing cultural, social and individual expectations. One way of viewing this is that an ‘accident’ is like a signal [15], the ripples from which extend outwards as from a stone dropped in a pool. Sometimes a relatively small accident with low consequences can produce large ripples which seem disproportionate to the original signal, which has now become amplified. The Three Mile Island nuclear power plant accident, near Middletown, Pennsylvania, in 1979 is a good example of this. Not a single person died in this accident, there were no serious injuries or delayed cancer effects, yet the public reaction was characterized by widespread hysteria resulting in a virtual moratorium on future nuclear power plant construction. It is clear that public perception was influenced by factors other than those arising from the accident itself. It has been found that when risk is subjectively assessed it is often the attributes of the hazard, that is, the consequence, which are assessed, rather than the risk itself (i.e. the combination of frequency and consequence). The consolation that a serious accident is a rare event is cancelled out by the concern that its rarity in no way precludes its occurring tomorrow. Some of the more common factors that seem to affect our perception of a given risk can be divided into three main categories: the degree to which acceptance of the hazard is voluntary or involuntary, the so-called ‘dread’ factor and the degree to which the hazards are unfamiliar or unknown.
Each category is discussed briefly below.
• Voluntary or involuntary. This factor is closely associated with the benefits we may or may not receive from the activity. We are more apt to perceive a risk as unacceptably high where we are exposed to it without our express permission and receive no direct benefit. An example of an involuntary risk with no direct benefit is the construction of new industrial facilities, such as an incineration plant or a nuclear storage bunker, located close to our place of residence. The calculated risks from such a facility may be extremely low compared with the voluntarily accepted, yet much higher, risk from pursuits such as driving, swimming or sailing, but from which we obtain a benefit. The argument that we should accept an involuntary risk because of the benefit to society usually carries little weight. We are more interested in personal and immediate benefit than diffuse societal benefits. Lack of control over an activity associated with involuntary hazards also amplifies our perception of the risk. We are much more prepared to accept the risk of undertaking a journey by driving a car than travelling by train or flying in an aircraft, although the risk of car travel is much greater than travel by public transport, as shown in an earlier section. Our perception of security or safety is amplified by a feeling of personal control, whether or not this is justified in practice. Even when driving our own vehicle, we cannot eliminate the risk from other drivers or unforeseen events, no matter how carefully we drive. The element of chance is always with us.
• The ‘dread’ factor. This factor includes characteristics of the hazard such as:
  – Uncontrollability, one aspect of which is how the hazard is regulated by government. The dread factor for avian influenza is very high because of the perception that the spread of the disease to humans cannot be controlled by government, thus leaving populations unprotected.
  – Catastrophe, such that the consequences are too dreadful to contemplate, threatening not just individual lives but perhaps the life of society itself. The risks from nuclear power plant accidents, such as Three Mile Island mentioned above, are probably amplified so much because of the inevitable association with nuclear weapons and the potential for mass destruction and the breakdown of society. This category also encompasses the ‘fate worse than death’ consequences, such as permanent brain damage, spinal injury or protracted terminal cancer.
  – Inequitable risks, where the consequences are not evenly spread across society, but may threaten more vulnerable members, such as children, are more feared than ‘equitable’ risks. The collapse of a tip of coal waste slurry onto the village of Aberfan in South Wales in October 1966, which resulted in the deaths of 144 people, 116 of them children, is an example of such an event. Inequality in exposure to risk may also be perceived where the benefits of a risk go to others and yet we have to bear the immediate consequences, such as threat to human health or loss of property value.
• Unknown or unfamiliar risks, where the consequences have not been experienced, are hard to imagine or the benefits are not highly visible. This may include hazard characteristics such as:
  – Risk to future generations or delayed effects due, for instance, to the effects of genetic exposure to radiation. Radiation is invisible and cannot be directly experienced, and detailed knowledge of its effects lies with specialists, adding to its unfamiliarity and possibly dread. The effects of global warming and its potential impact on future generations are gradually becoming known, but are probably less feared than nuclear power because the worst consequences of climate change are largely unimaginable and are a long way off. This risk is probably low down on most people’s list of unknown or dreaded events.
  – Risks unknown to science, such as those from genetically engineered organisms and foods. Numerous variations of living species have been engineered by taking genetic material from one organism and inserting it into the genetic code of another. Examples are potatoes with bacteria genes, pigs with human growth genes, fish with cattle growth genes and many other modified organisms. It is estimated that up to 45 per cent of US corn is now genetically engineered, yet scientific knowledge of any long-term risks from these practices is either extremely scanty or unknown. Such fears may persist because genetic modification has a generally negative image based, perhaps, on popular culture where genetically modified individuals in science fiction films turn out to be villains rather than heroes. In fact, genetic modification in the form of selective breeding has been practised for centuries. Another ‘unknown’ risk seems to have arisen from out-of-control nanotechnology and the indefinable hazard of runaway nanobots or biosphere-eating ‘grey goo’ [16].

The perception of many modern-day risks can be influenced by any combination of the above factors. The way these factors interact to amplify or attenuate ‘actual’ risk is complex and largely unpredictable, although some social scientists have claimed that a degree of prediction is possible using psychometric testing techniques to evaluate perceptions of risk [15]. The important conclusion is that companies attempting to ‘sell’ new developments, even where the risk has been shown to be acceptable against regulatory criteria such as those described in Chapter 6, must be aware of the risk perceived by those affected. This perceived risk may be disproportionately greater than the assessed risk. Understanding the factors which influence this perception is a key element of planning future developments. Perceived risk also impacts on how public policy makers communicate risk decisions, including regulators, when there is a mismatch between ‘reality’ and ‘perception’.
Risk homeostasis
The phenomenon of risk homeostasis (also known as risk compensation) and the way it is claimed to affect human behaviour is important to understand. This theory, first promulgated by Gerald J.S. Wilde [17], holds that every individual has an inbuilt level of acceptable risk with which they are comfortable, but which varies between individuals. Individuals will modify their behaviour to allow the risk from an activity to increase to the acceptable level wherever a benefit arises from the changed behaviour. The phenomenon has been studied mainly in the context of road safety. Thus, for example, a local road transport authority may decide to improve the safety of a curve in a road where the camber is unfavourable and where there has been a high number of accidents. The effect of risk homeostasis is that, following the improvements, drivers are tempted to take the bend at an increased speed, thus shortening their journey time but tending to cancel out the safety benefit of the road improvements. The theory was tested by a study of Munich taxi drivers. One half of the fleet of taxi cabs was fitted with improved ABS brakes, the remainder of the cabs having conventional braking. It was found that the accident rates for both groups remained the same, since the drivers with ABS brakes took advantage of the improved braking efficiency by taking more risks. The behaviour of the drivers with the non-ABS brakes remained the same and they drove more carefully. A non-driving example is the introduction of childproof medicine containers for children’s medicines, which failed to reduce the number of accidental poisoning cases because the parents, realizing the safety benefits of the new containers, became less cautious in the handling of medicines [17]. The theory also suggests that where the risk is reduced in one activity owing to some safety improvement, the beneficiary will adjust their behaviour in other activities to compensate, bringing the overall risk level to the same as before. Taken to its extremes, the theory would seem to negate the benefits of almost any safety improvement owing to this apparently perverse aspect of human behaviour. The theory suggests that for safety improvements to show a benefit, there needs to be an additional motivation for safe behaviour over and above the safety benefit. It has to be said that many psychologists do not subscribe to the risk homeostasis theory and it would certainly receive short shrift in an argument to a regulator against safety improvements or expenditure. It does, however, need to be borne in mind that when implementing safety improvements the subsequent behaviour of the beneficiaries of the improvements may need to be monitored.

Case studies
Two of the case studies in Appendix 2 illustrate failures on the part of management to understand the risks arising from their operations and act accordingly.

1. Fire and explosion at the Conoco-Phillips oil refinery
The case study of the fire and explosion at the Conoco-Phillips oil refinery at Killingholme in the UK in 2001 (Appendix 2, Case Study A2.3) describes how an early plant modification, a water injection point, was installed soon after the plant was commissioned. The point in the process where the water was injected into a flammable hydrocarbon stream under pressure turned out to be unsuitable as, over a number of years, erosion and corrosion of the main pipework took place, unknown to the plant operators. At the time the modification was made, and over the following years, there was a lack of understanding of the risks posed by this modification. When the pipe failed in 2001, there was a large escape of flammable gases, causing a fireball and explosion which destroyed much of the plant, causing damage to property in the adjoining village. Fortunately, nobody was killed since the explosion occurred on a bank holiday, a day when many employees were on leave. The subsequent investigation into the accident by the HSE revealed the direct cause of the explosion to be the corrosion, thinning and failure of the pipe wall, the thickness of which had been reduced to about 0.3 cm from the original 8 cm. The main line of defence against such a failure was the pipework inspection regime. Although such a regime was in place it did not include the water injection point as it had been added later and was therefore not highlighted for inspection. Continual failures to include this injection point in the inspection regime had occurred at various times. The root cause of the accident was the absence of a management of change procedure at the time of the modification, which would have ensured that a proper hazard identification and risk assessment took place whenever there was a change of design to the process. Although these are principally failures of safety management (dealt with at the end of Chapter 7) they stem from the fact that management did not have a full appreciation of the risks arising from unchecked plant modifications.

2. The Tokai-Mura criticality accident
The case study of the accident at the nuclear fuel processing facilities of the Japan Nuclear Fuel Conversion Company (JCO) in Tokai-Mura, Japan, in 1999 is described in Appendix 2, Case Study A2.5. The use of an unauthorized procedure, with the full knowledge of management, to add a highly enriched fissionable material, uranium-235, to a processing tank, led to a criticality excursion in the plant, which continued to pulse for 20 hours, emitting highly dangerous gamma and neutron radiation. It was the only such accident on record to have resulted in a radiation dose to members of the public. There were two fatalities among the workers in the affected building, and 150 residents within a 350 m radius of the factory were evacuated; some 310,000 people living within 10 km of the site were advised to stay indoors for about 18 hours as a precautionary measure. Following the subsequent investigation by the national regulator, the Japanese Nuclear Safety Commission, a number of deficiencies were identified, including failures in safety culture, safety management and regulation. In addition, there was a failure by management to understand the risks of introducing a modified and unauthorized procedure for the processing routine. The modified procedure had not been submitted by the management of the company to the regulator as required because the company knew that the regulator would not approve it. While the direct cause of the accident was the addition of an excessive quantity of fissile material to a tank, for which its geometrical shape was not designed, the root cause lay with the management of the factory for allowing the dangerous procedure to be introduced without fully understanding the potential risk.
References
1. Farmer, F.R. (1967). Reactor safety and siting: a proposed risk criterion, Nuclear Safety, 8(6), 539–548.
2. Health and Safety Executive (2007). Employment by Main Industry Sector for Workers in Great Britain During the Period 1996/97–2005/06, Sudbury: HSE Books, http://www.hse.gov.uk/statistics/employment/latest-ld1.htm
3. Health and Safety Executive (2006). Statistics of Fatal Injuries, 2005/06, Sudbury: HSE Books, http://www.hse.gov.uk/statistics/overall/fatl0506.pdf
4. Department for Transport (2005). Transport Statistics Great Britain, 2005 edn, Wetherby: DfT Publication Sales Centre, http://www.dft.gov.uk/stellent/groups/dft_transstats/documents/divisionhomepage/031571.hcsp
5. Health and Safety Executive (1981). Canvey: A Second Report, London: HSE.
6. Health and Safety Executive (1999). Management of Health and Safety at Work Regulations 1999, Approved Code of Practice and Guidance, http://www.hsedirect.com/
7. Council Directive 89/391 of 12 June 1989 on the Introduction of Measures to Encourage Improvements in the Safety and Health of Workers at Work (OJ [1989] L183/1), http://osha.europa.eu/data/legislation/1
8. Health and Safety at Work etc. Act 1974, http://www.hse.gov.uk/legislation/hswa.pdf
9. Health and Safety Executive (2006). Five Steps to Risk Assessment, Leaflet INDG163(rev2), Sudbury: HSE Books, http://www.hse.gov.uk/pubns/indg163.pdf
10. United Nations/Economic Commission for Latin America and the Caribbean (2003). Handbook for Estimating the Socio-Economic and Environmental Effects of Disasters, UN/Eclac, http://www.eclac.org/publicaciones/xml/4/12774/lcmexg5i_VOLUME_IVb.pdf
11. Rio Declaration on Environment and Development, UNCED 1992, http://www.unep.org/Documents/Default.asp?DocumentID=78&ArticleID=1163
12. Health and Safety Executive (2001). Reducing Risks, Protecting People (R2P2), p. 37, http://www.hse.gov.uk/risk/theory/r2p2.pdf
13. Interdepartmental Liaison Group on Risk Assessment (2002). The Precautionary Principle: Policy and Application, http://www.hse.gov.uk/aboutus/meetings/ilgra/pppa.pdf
14. Kasperson, R.E., Renn, O., Slovic, P., et al. (1988). The social amplification of risk: a conceptual framework, Risk Analysis, 8(2), 177–187.
15. Slovic, P. (1987). Perception of risk, Science, 236, 280–285, http://communityrisks.cornell.edu/BackgroundMaterials/Slovic-Science1987.pdf
16. Grey Goo is a Small Issue, Briefing Document, Center for Responsible Nanotechnology, December 2003, http://www.crnano.org/BD-Goo.htm
17. Wilde, G.J.S. (1998). Risk Homeostasis Theory: An Overview, London: BMJ Publishing Group, http://ip.bmj.com/cgi/content/full/4/2/89
6 Safety regulation
Regulations are for the obedience of fools and for the guidance of wise men.
RAF Motto
Introduction
Regulation is not exactly a strategy that can be adopted against corporate accidents since compliance has to be maintained in order to stay within the law. Yet for those potentially at risk from a company’s operations external regulation is an important means of providing confidence that they will not be harmed. In Chapter 2 it was shown how government regulation became necessary to counter the worst excesses of laissez-faire capitalism. From the earliest days of the Industrial Revolution up until the present day, regulation has prevented companies from externalizing their costs to increase profits and share price. Cost externalization operates by transferring the risks of business activity (including risks to health, safety and the environment) from the company, where they originate, on to third parties such as the workforce, the general public and possibly the customer without their agreement. Externalization is a natural tendency of a system that depends on profit for its existence and therefore has to be regulated.
Regulation also provides benefits for companies since it provides a ‘level playing field’ for commerce, so that business is conducted under the same conditions and competitors cannot gain an advantage by saving on the costs of protecting health, safety and the environment. However, it was also pointed out in Chapter 2 how the ‘dead hand’ of regulation, when taken to excess by imposing onerous, complex and often conflicting rules, can inhibit the entrepreneurial process and stand in the way of technological progress. It is essential to maintain a balance between protecting people on the one hand and imposition of unnecessary cost, bureaucratic interference, loss of innovation and competitiveness on the other.
This chapter describes how the earliest forms of safety regulations were highly prescriptive; the Factories Acts in the UK and similar protection in other industrializing countries are the most obvious example. These early forms of regulation were imposed in response to the more obvious hazards of the working environment, such as the dusty atmosphere of coal mines and the mechanical dangers of unprotected machinery. Sometimes regulations were formulated as a direct result of a serious accident; the Boiler regulations came about largely as a result of boiler explosions and in the railway industry the Rule Book was historically compiled to prevent the recurrence of past accidents. (Taking an example from the British Railways Rule Book, 1950: ‘Every Guard MUST, after using a stove in a [guard’s] van, take care that the fire is extinguished before leaving the van . . . ’, it is fairly easy to work back to the accident that prescribed this rule!) The process of systematically assessing and predicting risk in advance of accidents, which we take for granted today, was largely unknown in industry up until the 1970s.
As the volume and complexity of prescriptive regulation proliferated and industrial hazards became more subtle and their effects more widespread, it was realized that a different approach was required. This led to the publication of the Robens Report and the introduction of the first goal-setting regulations where the onus for identifying and controlling the risks became the responsibility of those creating the risks. Organizations were now required to investigate, understand and control the risks for which they were responsible, rather than rely on the regulator to prescribe the safety measures needed. Today, it is a matter for the corporate body to demonstrate to the regulator that all the necessary steps have been taken to limit the risks to an acceptable level. What comprises acceptable risk is decided by the regulator in consultation with industry, while at the same time maintaining public confidence and trust in the regulatory process to reduce risks and protect people.
The subject of risk criteria set by the safety regulator, enabling valid comparisons of actual risks to be made, is addressed in this chapter including the concept of ALARP (as low as reasonably practicable). The ALARP principle is especially important in the UK since it underpins the whole structure of safety regulation, although at the time of writing it is coming under challenge from the European Union (EU). The technique of cost–benefit analysis (CBA) is also described since this is used to demonstrate that further expenditure on safety will be disproportionate to the benefits achieved, thus demonstrating that a risk is ALARP. Finally, an examination is made of the burden which can be placed on industry owing to over-zealous regulation and how this may be countered to achieve a balance between safety and excessive bureaucracy.
Historical background
The earliest safety legislation to be introduced in the UK was the Health and Morals of Apprentices Act 1802, which attempted to improve the conditions and hours of work of male and female apprentices in the textile industry. It also had a social aim since it specified that each ‘apprentice shall be instructed, in some part of every working day, for the first 4 years at least of his or her apprenticeship . . . in the usual hours of work, in reading, writing, and arithmetic’. The earliest health and safety
legislation addressed the working conditions of women and children, mainly limiting their working hours and setting a minimum working age in factories, but eventually male workers were also brought under the protection of the law. In 1833 the first factory inspectors were appointed. Safety regulation was gradually extended from the mid-nineteenth century onwards to wider aspects of safety, health and welfare, mainly covering factories, mines and railways. For example, The Mines and Collieries Act of 1842 prohibited women and children from working underground; the Factories Acts 1844–1856 made safety improvements in factories for children, young persons and women; the Factory and Workshop Act 1901 extended earlier legislation to larger factories; the Coal Mines Act 1911 further improved safety measures underground; the Factories Act 1937 introduced safety codes for factories; the Factories Acts 1948, 1959 and 1961 introduced safe systems of work and procedures; and the Offices, Shops and Railway Premises Act 1963 extended safety beyond factories into other workplaces which had up until this time been largely unregulated. The Employers’ Liability (Compulsory) Insurance Act 1969 placed obligations on employers to insure against liability for injury to employees; and the Fire Precautions Act 1971 established fire certification of premises and promoted general fire safety. Regulation of the railways in the UK began in the 1840s, and the first railway inspectors were appointed under an Act of 1840. It was at first stipulated that inspectors should be recruited from the Royal Engineers so that they had no connection with the railway industry. In the mid-nineteenth century measures were also introduced to control atmospheric pollution, in particular the Alkali Act 1863 to limit the emission of hydrochloric acid during alkali manufacturing.
Later, the legislation expanded to include other ‘noxious or offensive gases’ in 1906, and smoke emissions in 1956 and 1968. Currently, this legislation is subsumed under the Control of Pollution Act 1974. Safety regulation in the UK was transformed in 1975 by the introduction of the Health and Safety at Work etc Act 1974 (HSW Act), the first piece of goal-setting legislation covering virtually all occupational health and safety matters and overriding or supplanting much pre-existing prescriptive legislation. This legislation arose from the recommendations of the Robens Report.
The Robens Report
The increasing volume of highly detailed and prescriptive safety regulation which had come into being by the 1970s prompted the government of the day to commission Lord Robens, who had been Chairman of the National Coal Board at the time of the Aberfan mining disaster in South Wales in 1966, to undertake a review of current health and safety regulation and make recommendations about future legislation. The Robens Report on Safety and Health at Work [1] was published in June 1972 and became the foundation of modern health and safety legislation in the UK. The Robens Report recommended that UK legislation should be radically modernized, citing in particular that the volume of law needed to be reduced and simplified and that the balance between prescriptive regulation, setting out the requirements in detail, should be shifted towards a goal-setting approach. It was no longer possible, it was concluded, for health and safety to be satisfactorily controlled
by an ever-increasing number of regulations and enforcement inspectors. In fact, the main responsibility for ensuring health and safety should lie not with the regulator, but with those who were responsible for creating the risks in the first place. Future legislation should not prescribe in detail what is required, but merely set out general principles and duties, backed up only where necessary with more detailed regulations. It recommended a multi-tiered framework of regulation using an overall enabling Act (which came into being as the HSW Act) supported by more detailed Regulations, Codes of Practice and Guidance where necessary. It recommended the introduction of a ‘single authoritative body to facilitate and promote health and safety within the workplace with autonomy, its own budget, executive powers and functions’ [1]. In the event, two separate Crown Bodies were formed; the Health and Safety Commission (HSC) and the Health and Safety Executive (HSE). The HSC has high-level authority over occupational health and safety regulation in the UK, its executive arm being the HSE. The HSC comprises a chairman and nine members and currently reports to the Department of Work and Pensions (DWP).
Safety regulation in the UK
The UK regulator
The responsibility for health and safety regulation in the UK lies with the HSC, which was set up in the 1970s as a result of the work of the Robens Commission (see above). The enforcement arm of the HSC is the HSE and local government agencies which work in support of the Commission. Local authorities are generally responsible to HSC for enforcement of health and safety in offices, shops and other parts of the services sector. The HSC protects people’s health and safety in general by ensuring a proper control of risks in the workplace, taking account of changes in technology, working conditions and the concerns of society at large as channelled through their representatives in parliament. The HSC is concerned with health and safety in most industrial premises including nuclear installations, mines, factories, farms, hospitals, schools, offshore gas and oil installations, and other aspects of public safety such as the movement of dangerous goods and substances. The work of the HSC comes under the DWP and the organization is ultimately accountable, at the time of writing, to the Parliamentary Under Secretary for Work and Pensions.
Health and safety legislation
The primary legislation for health and safety in the UK comprises the Acts of Parliament, including the HSW Act. Below this sits the secondary legislation which includes Statutory Instruments or Regulations owned and enforced by HSE. Finally, there is a number of approved codes of practice and guidance notes with which employers need to be familiar to ensure that they are compliant. The HSW Act is described below in some detail since it is the principal or umbrella legislation for the UK. Other legislation or regulations are only briefly described since they are
subject to continual update. For the latest enforcement situation reference should be made to the relevant website of the HSE [2] or other up-to-date sources. Professional advice may need to be taken on their current application in order to be compliant with the law.
The Health and Safety at Work etc Act 1974
The HSW Act [3] came into force in 1975 and is the primary umbrella legislation governing occupational health and safety in the UK. It literally applies to everybody, including employers, employees, the self-employed and the general public. The Act itself is in four parts. Part 1 covers general duties, the creation of the HSC and HSE, the power to make Regulations and Codes of Practice, enforcement and penalties; Part 2 establishes the Employment Medical Advisory Service; Part 3 relates to Building Regulations; and Part 4 refers to various amendments and other general issues. Part 1 is the principal instrument. Section 2 of Part 1 places a general duty on employers ‘so far as is reasonably practicable’ to protect the health, safety and welfare at work of all employees. Section 2 is important, requiring employers to provide:
• safe plant and systems of work
• safe methods for the use, handling, storage and transport of articles and substances
• necessary information, instruction, training and supervision
• a safe and well-maintained workplace, including safe access and egress
• a safe working environment with adequate welfare facilities.
It requires employers to prepare, and keep up-to-date, a safety policy showing the organizational arrangements put in place to ensure that the general policy is carried out. The employer must ensure that all employees are aware of the policy and any revision. There is also a requirement to create safety representatives and consult with these, involving them in making arrangements for health and safety at work; it includes the requirement to establish safety committees under certain circumstances. Section 3 places a duty upon employers (and the self-employed) to ensure that people not employed by them, such as the general public, contractors and their staff are not placed at risk by the employer’s actions. Sections 4 and 5 place duties on people in control of premises to avoid risks arising, while section 6 relates to the designers, manufacturers, importers and suppliers of articles for use at work. Section 7 refers to the duties of employees to take reasonable care of their own health and safety, and that of anyone who could be adversely affected by their ‘acts or omissions at work’. Section 8 forms a general prohibition against interference with or misuse of ‘anything provided in the interests of health, safety or welfare’. Section 9 disallows employers from charging employees for anything needed to comply with the Act. Sections 10–14 establish the HSC and the HSE as discussed above, while sections 15 and 16 deal with the making of regulations and the approval of Codes of Practice. Sections 18–26 are concerned with enforcement and provide for the appointment of inspectors by the HSE and local authorities.
Inspectors can issue an Improvement Notice where they believe that the law is being breached and stipulate a period within which improvements must be made. Where there is believed to be a risk of serious
personal injury arising from activities, a Prohibition Notice may be issued requiring immediate cessation of the activity even if the law is not being breached. Sections 27–32 cover a variety of other enforcement issues, including the powers of the enforcing authorities to obtain information and the systems for enforcing agricultural health and safety. Sections 33–42 concern the provisions for penalties and prosecution in enforcing health and safety law, while section 48 deals with Crown immunity issues. Section 37 of the HSW Act, Offences by bodies corporate, is important in the context of corporate liability under the Act and was referred to in Chapter 2 in connection with directors’ duties in regard to health and safety. Section 37 is in two parts, which are again reproduced below:
1. Where an offence under any of the relevant statutory provisions committed by a body corporate is proved to have been committed with the consent or connivance of, or to have been attributable to any neglect on the part of, any director, manager, secretary or other similar officer of the body corporate or a person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and shall be liable to be proceeded against and punished accordingly.
2. Where the affairs of a body corporate are managed by its members, the preceding subsection shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.
The difficulties in placing positive legal responsibility for health and safety on directors under these clauses were discussed in Chapter 2 and it was concluded that so long as a director was able to distance himself from any illegality (that is, he is unaware of it) he could not easily be prosecuted.
It was shown how directors of small companies are ‘disadvantaged’ in this respect since they often have hands-on responsibility for workplace activities and cannot so easily claim lack of awareness of health and safety breaches.
Statutory Instruments
Secondary legislation also exists and this comprises what are known as Statutory Instruments, often referred to as Regulations. These are enforced by HSE regionally and nationally and by local authorities working with HSE on a local basis, but using common objectives and standards. An up-to-date list of secondary regulation can be found on the relevant HSE website [4].
Regulatory guidance and best practice
HSE also issues a series of Guidance Notes which show good practice on subjects as varied as chemical safety, environmental hygiene, plant and machinery. There are also Approved Codes of Practice (ACOPs) which show what must be done to comply with the law and, at a lower level, Information Sheets which give practical advice. Whereas failure to comply with a Regulation is a criminal offence whether or not an
accident has occurred, failure to follow published guidance or an ACOP is not in itself an offence. However, if an accident does occur and it is shown that a failure to follow guidance or the standards laid down in an ACOP contributed to the accident then they may be used as evidence in a court to form the basis of a prosecution. An up-to-date list of legal publications to help companies comply with the law and referring to the above can be found on the relevant HSE website [5].
European Directives
A set of six additional regulations was introduced into the UK in 1992 to implement the requirements of European Community Health and Safety Directives, and have been subsequently updated and amended. These regulations focus on a basic requirement to carry out risk assessments of workplace activities and sit under a Framework Directive [6]. They became colloquially known as the ‘six-pack’ regulations; the intention was to create a level playing field across Europe to prevent unfair competition by the adoption of common health and safety standards in member states. They cover such subjects as the management of health and safety at work, manual handling operations, the use of display screen equipment, workplace health, safety and welfare, the use of work equipment and personal protective equipment. Copies of the regulations can be purchased from HSE books [7], but advice needs to be taken on their present application.
The safety case
Historical basis
The safety case is principally a tool for assessing and systematically documenting major hazards and risks, as opposed to everyday workplace health and safety risks as addressed by the six-pack and a host of other detailed regulations. The development of the safety case as a means of demonstrating acceptable risk began in the nuclear industry and from the 1990s onwards spread across many other major hazard industries, such as the railways, offshore oil and gas facilities, and the chemical industry. The safety case approach requires the operator of hazardous facilities to identify systematically and transparently all associated hazards, assess the risks arising and develop suitable control measures to limit them to an acceptable level. The resulting safety case is then documented, and the documentation used to obtain acceptance or certification from a regulator. The safety case also sets a benchmark against which compliance can be audited. It is based on the premise of all modern health and safety legislation that safety is best managed proactively by anticipating hazards and controlling the risk, rather than merely complying with rules and regulations. In recent years problems with the preparation of safety cases have arisen leading to amendments to regulations in various industries. In the early years there was a tendency to place too much emphasis on quantification of risk, which led to an unnecessary amount of complexity and a loss of transparency. This led to a danger of the safety case becoming a ‘paper exercise’ which was not a true representation of reality. This section outlines the current situation in the UK, followed by a brief summary of the role of the safety case in general terms.
Regulatory requirements
The preparation and submission of a successful safety case is a regulatory requirement in the UK for certain operations and developments in a number of specific industries, in particular, the offshore oil and gas, railway, nuclear and defence industries, and major hazard installations. The safety case is particularly relevant to industries where societal risk and the potential for accidents with multiple fatalities are of concern. Historically, many of the requirements set out by the regulator for submission of a safety case for a particular type of industrial operation arose following a major accident in the industry, as the following sections will show.
Corporate advantages
The safety case approach, whether or not required by a regulator, provides a structured approach to safety assurance which can beneficially be used to satisfy corporate and other stakeholders. Moreover, in the area of contracting and supply, the early phase preparation of an outline safety case can be a useful part of the bidding process, providing assurance to clients that project and operational risks have been fully taken into account. Later, the developed safety case can provide the client with a useful management tool to inform decision making on operational risks.
Safety case industries
Offshore oil and gas
The Piper Alpha accident in July 1988, which killed 167 offshore workers, was caused by multiple failures in safety management of the rig rooted in the culture of the organization, its management systems and working procedures. Following the Cullen Inquiry into the accident, recommendations were made which led to a requirement for a safety case to be prepared for all offshore oil and gas installations. This resulted in the Offshore Installations (Safety Case) Regulations 1992, superseded by the Offshore Installations (Safety Case) Regulations 2005 [8], which came into force from April 2006. Associated with the endemic safety case problems mentioned above, the reason for revising the regulations was to remove unnecessary bureaucracy and ‘burdens on duty holders and the HSE, to enhance the safety case’s value to the duty holder and to provide a greater stimulus for continuous improvement. As a minimum, HSE wants to redeploy a significant proportion of resources currently devoted to safety case assessment to increasing related inspection and verification, with expected greater benefits for safety’ [9]. Under the revised regulations a review of the safety case is required every five years and there is a new requirement to ensure that anyone engaged as an installation operator ‘is capable of carrying out effectively the operator’s legal responsibilities for health and safety’. Account is taken of the greater contractor involvement in the industry since 1992 and to ensure that owners and operators cannot escape their safety responsibilities by attempting to delegate them to others.
Railways
Safety case regulations in the railway industry stemmed from the Hidden Inquiry into a major rail accident at Clapham Junction in December 1988. This involved two
collisions between three commuter trains, causing thirty-five fatalities and over 100 injuries. The result was that major changes were recommended to the way safety was managed in the industry. Out of the Hidden Inquiry came a requirement for a railway safety case to be prepared as a condition of operation, setting out the health and safety arrangements for new railways or where major modifications to an existing railway were to be made. The safety case was also a means of ensuring that health and safety standards on the railways were maintained post-privatization from 1995 onwards. The regime was formalized in the Railways (Safety Case) Regulations introduced in 1994. The original regulations were largely modelled on the regime introduced in the offshore oil and gas industry, but were subsequently amended in 2000, 2001 and 2003 [10], following recommendations by Lord Cullen in his Ladbroke Grove Rail Accident Inquiry Report. In April 2006 railway safety in the UK was brought under the UK Office of Rail Regulation, this being given effect in the Railways Act 2005. In order to implement an EU Rail Safety Directive, the Railway Safety Case Regulations were officially phased out from October 2006, to be replaced by the Railways and Other Guided Transport Systems (Safety) Regulations. Comprehensive safety cases were prepared and submitted for a number of new railway developments using novel technology, for example, the Channel Tunnel and the London Underground Jubilee Line Extension.
Nuclear
The nuclear industry, by virtue of its special hazards and the public perception of the risk, has historically required safety cases to be submitted to a nuclear regulator almost since the inception of the industry. The responsibilities of employers in the nuclear industry under the HSW Act are still reinforced by the Nuclear Installations Act 1965.
This stipulates that a nuclear site must be granted a site licence by the Nuclear Safety Directorate (NSD) on behalf of the HSE, before it is allowed to operate. A requirement for a site licence is the submission and acceptance by the licensee of a safety case to demonstrate that the risk is ALARP over the lifetime of the plant from construction through to decommissioning. The licensee is required to comply with the conditions set out in the safety case and this is reinforced by periodic inspections by HM Nuclear Installations Inspectorate. Guidance for licensees is provided in the form of a set of Safety Assessment Principles [11] (SAPs) which are available for public scrutiny. The SAPs represent best practice in conformance with International Atomic Energy Agency standards.
Defence
Safety cases in the defence industry are mandated by quite recent developments in Defence Standards, in particular, Issue 3 of Defence Standard 00-56 (MOD 2004) [12], issued in January 2005. Defence Standards have historically been prepared in the UK by the Ministry of Defence (MoD), where its needs, particularly in respect of the integrity and reliability of equipment, cannot be met by civilian standards. Defence standards are unlike safety regulations in that they apply not so much to the duty holder (the MoD) but to the ministry’s suppliers. Defence Standard 00-56 is unique in moving away from what was previously a rather prescriptive approach to engineering
safety and integrity into defence equipment, to one of goal setting, as implemented in health and safety in other industries after the Robens Report. The approach requires suppliers of equipment to justify their designs by making explicit arguments in a safety case based on compelling evidence. The change came about because it had been found that engineering solutions that were forced to comply with prescriptive standards could be wasteful and inefficient and would not necessarily deliver the optimum approach to delivering safety and reliability. There is no longer a mandated requirement to set safety integrity levels as prescribed by previous standards. The freedom from prescriptive requirements set by MoD enables designers and suppliers to choose and apply the most effective solutions, with the safety case being used as justification that the system can be deployed safely and effectively, but also forming an integral part of the process of design through to operation and decommissioning.
Major hazard installations (COMAH Regulations)
The Control of Major Accident Hazards Regulations 1999 (COMAH) [13], which came into force on 1 April 1999, were amended by the Control of Major Accident Hazards (Amendment) Regulations 2005 [14], applicable from 30 June 2005. These regulations implemented Council Directive 96/82/EC, also known as the Seveso II Directive. The EU Seveso II Directive aimed to improve upon an earlier directive (Seveso 1), emphasizing management factors rather than merely addressing technical safety aspects. This arose from studies which showed that most major hazards were realized as a result of management rather than technical failures. The COMAH regulations are mainly applicable to the chemical industry, but are generally applied to any industries where threshold quantities of dangerous substances identified in the Regulations are stored or used, as well as being applicable to some explosives and nuclear sites.
The main output required by COMAH is a safety report which fully addresses all potential major hazards arising from storage or processing activities. It must state the main principles by which identified hazards have been eliminated, mitigated or controlled, taking account of management and organizational factors, and must be submitted to the regulatory authority (HSE in the UK). It must describe the Safety Management System and must submit a Major Accident Prevention Plan (MAPP), together with Emergency Plans which are able to mitigate the effects of an accident should one occur, with provisions for testing the plan periodically. The safety report must also consider the impact on neighbouring premises and installations, taking ‘domino’ effects into consideration, with information to be provided for local authorities and emergency services as well as instructions to the public concerning emergency response. Major hazards sites are divided into upper and lower tier; for lower tier sites, notification to the HSE of activities and quantities of materials is necessary together with a MAPP, while for upper tier sites a full safety report must be submitted.
Safety case preparation
The objective of a safety case is to present a structured argument for the safety and integrity of a system or service adopting a risk-based approach to safety, rather than the traditional prescriptive or rule-based approach. The safety case should be capable of communicating in a clear, comprehensive and defensible way, an argument that a
system or service is acceptably safe to operate in a given context. Communication and presentation are all important in the preparation of a safety case, which should be succinct and clear, referring as necessary to separate documents detailing the results of technical studies, such as quantified risk assessment, carried out in support of the case. Safety cases are often presented in four parts:
1. A description of the system setting the boundaries and scope of the safety case.
2. Information about the design integrity of the system and its development, highlighting any novel technical aspects differing from traditional facilities.
3. A description of the operating arrangements including aspects such as operator training, maintenance, safety systems and their integrity, safety culture and safety management systems, details of risk assessments carried out with results presenting arguments with supporting studies that the risk has been reduced to ALARP, maintenance of the safety case, etc.
4. A description of how the system or facility has been designed for decommissioning and how it will be decommissioned at the end of its useful lifetime.
The structure of an actual safety case may well vary from the above depending upon the industry and whether there are particular regulatory requirements to be met. It needs to be ensured that the safety case does not become a ‘lost’ document gathering dust, prepared solely to meet regulatory requirements and then forgotten, but is a ‘living’ and integral part of the safety management process, being updated to take account of process and organizational changes. This gives confidence in the safety and integrity of the process when new systems are introduced or old systems replaced or modified, and becomes a way of managing change as part of the safety management system.
Risk acceptance criteria Setting or advising on criteria for the acceptability of risk is clearly an important aspect of regulation. Criteria defining the limits of risk for any activity, but mostly industrial activities, in the UK are set by the HSE. However, there is no reason why companies should not set their own risk criteria given that justification is provided, in a safety case for example, which would satisfy a regulator. For large projects, especially those involving new technology, the regulator may well require the designers to define the risk criteria at the outset so that the design will be capable of controlling the risk to within acceptable limits. In setting risk criteria, account must be taken of who is at risk, whether they are single individuals or groups, whether those at risk are members of the public, advertently or inadvertently exposed to the activity, or whether they are workers engaged in an industrial activity. A member of the public would include, for example, passengers on public transport (advertent exposure) or passers-by close to a building site (inadvertent exposure). In general, the limits of risk set for members of the public are more onerous than for workers on the principle that the latter have some degree of choice over the type of work in which they are engaged and also because they receive a benefit from the risky activity. Two types of risk criteria will be considered in this section: individual risk, where single fatalities are considered, and societal risk, where there is the potential for multiple fatalities. According to the HSE there are three types of criteria against which risk can be measured:
• Equity-based: operates on the assumption that, since all individuals have a basic right to protection against hazards, standards can be set which are applicable and acceptable to everybody. This forms the basis for individual risk criteria, which are described below.
• Utility-based: measures the incremental benefits of risk improvements in terms of reduced death or injury against the cost of providing those improvements. This is the basis of the ALARP criterion described below. It is also used to derive societal risk criteria, where the public aversion against multiple-fatality accidents can be used to justify much greater expenditure than to prevent single-fatality accidents.
• Technology-based: derives from the principle that the use of ‘high-fidelity’ risk reduction measures based on technological, managerial or organizational improvements are able to achieve an acceptable level of risk whatever the circumstances. This is sometimes referred to as the deterministic approach to controlling the risk.
Individual risk criteria Individual risk criteria are usually expressed on an annual basis in units of the chance of death per year, as discussed in Chapter 5. They are often represented graphically on the ALARP diagram, which shows the limits of intolerable and acceptable risk. This diagram is reproduced in Figure 6.1. The principles of achieving ALARP and how it is demonstrated are described in more detail in the next section.
• Some risks and the outcome of some accidents are so unacceptable that they are intolerable and cannot be justified under any circumstances. Individual risks of this scale are those in excess of 1E–3 (one in 1000) for workers and 1E–5 (one in 100,000) for members of the general public. Such risks require immediate action to be taken to reduce them.
• Some risks and the outcome of some accidents are so small that they are considered to be broadly acceptable and no further risk reduction measures need be taken. Risks of this scale are those less than 1E–6 for workers and 1E–8 for members of the public. Negligible risks are assessed as being those much smaller than the broadly acceptable risk.
• In the region lying between the broadly acceptable region at the lower part of the diagram and the unacceptable region at the upper part of the diagram, risk needs to be reduced to the lowest level which is practicable (ALARP), bearing in mind the costs of achieving this in relation to the benefits of the activity (see the ALARP principle, below).
Figure 6.1 ALARP diagram (based on Figure 3 in Tolerability of Risk from Nuclear Power Stations15). [Diagram not reproduced: an inverted triangle divided, from top to bottom, into the unacceptable region (risk reduction regardless of cost), the tolerable ALARP region (cost increasing towards the top, decreasing towards the bottom), the broadly acceptable region (no need for expenditure) and negligible risk. The limit of intolerability is marked at 1E-3 for worker risk and 1E-5 for public risk; the limit of acceptability at 1E-6 for worker risk and 1E-8 for public risk.]
Referring to Table 5.2, statistics of workplace fatalities, in Chapter 5, it can be seen that the highest risk to a group of industrial workers, 8.1E–5 per year (i.e. nearly 1E–4 per year) for the agriculture, hunting, forestry and fishing industries lies at the upper part of the ALARP region. That is, the risk is not unacceptable, but at the same time may require expenditure in order to reduce it. On the other hand, the average annual risk in the service industries of 2.1E–6 per year is at the lower limit of acceptability and it may be difficult to justify expenditure to reduce it further. However, this does not mean that the ALARP diagram can be used to justify average industrial risks since the actual risks making up the average will vary from situation to situation and each case will need to be considered individually on its merits. Referring to Table 5.4 in Chapter 5, examples of individual risks outside the workplace, very few of the leisure pursuits shown fall within the acceptable region of the chart; some of these are as high as 8E–3 per year (rock climbing), falling well into the unacceptable region. However, since most of the risks from these activities are accepted voluntarily with benefits to those undertaking them (no pun intended), they have to be seen as special cases. This does not mean that efforts should not be made to reduce the risks of such activities, and the interest and oversight of the regulator do extend into these voluntary leisure areas.
Example of a ‘voluntary’ risk The risks of canoeing, at 2E–3 per year, shown under leisure pursuits in Table 5.4 in Chapter 5, are very high indeed, and any person supervising such an activity would need to take account of these risks especially in relation to the experience of those exposed. A canoeing accident at Lyme Bay in March 1993 cost the lives of three teenagers. A group of canoes was allowed to drift away from the coast into a gradually increasing wave height until one by one they became swamped. Nine individuals ended up in the sea and were not rescued by emergency services until much later owing to a failure to raise the alarm. The teacher and an instructor were rescued by the inshore lifeboat and the rest of the group was picked up by rescue helicopter later in the day. The accident was subject to an investigation by the HSE and the root cause was found to be the failure of the centre which organized the canoeing trip to supervise the activity properly, to employ suitable staff and to have prepared safety procedures in place for when difficulties arose. Interestingly, it took a whistleblower, Joy Cawthorne, to help secure a conviction for corporate manslaughter by her evidence in court. She had previously been an instructor at the centre but had resigned months before the tragedy after warning the company that a disaster was imminent. The company and its managers were charged and brought to trial under the HSW Act. The managing director of the Lyme Bay activity centre was convicted of manslaughter and received a sentence of three years, reduced to two years by the Appeal Court. The subject of whistleblowing is discussed in Chapter 8. Following the Lyme Bay accident, the Adventure Activities Licensing Scheme was introduced in 1996. This is a government-sponsored scheme designed to ensure that companies providing adventure activities for young people (under 18 years) will need a licence to operate issued on the basis of having satisfactory safety management systems in place.
The HSE has overall responsibility for regulation of the scheme under the Adventure Activities Licensing Regulations 200416 using the Adventure Activities Licensing Service (TQS Ltd) under contract to operate the scheme on its behalf.
Societal risk criteria Figure 5.2 from Chapter 5, the societal risk chart, is reproduced here as Figure 6.2 with upper and lower risk criteria lines (shown dotted) superimposed indicating the limits of tolerability and acceptability in a similar way to Figure 6.1. These lines have been derived from HSE guidance set out originally in a study of transport of dangerous goods in 1991 and since set out in a number of other publications. They are presented here as a basis of comparison with the actual societal risks of the activities shown. Clearly, multiple-fatality accidents lead to a great deal of public aversion. This dislike of large accidents is sometimes referred to as differential risk aversion and needs to be taken into account when methods of reducing risk, and the associated costs and benefits, are being considered. The suggested upper and lower risk criteria lines take this aversion into account. Clearly, major aircraft, rail and fire/explosion accidents causing multiple fatalities as represented by the respective FN curves fall into the intolerable region lying above the upper line. Whilst great improvements have been made in aircraft and rail safety and in the major hazard industries, this is not fully reflected in the FN curves partly because they are historical, representing accidents which have occurred over a period of decades from the 1970s. Because multiple-fatality accidents are fortunately so infrequent, it is necessary to base the curves on statistics collected over long periods, unlike individual risk data which can be compiled annually. Societal risk is of particular importance when new large-scale facilities are being planned, where major hazards exist putting large numbers of people at risk of death or serious injury. It may then be necessary to demonstrate through calculation and estimation of potential risk that the overall societal risk from that particular facility falls in the broadly acceptable region. The area lying between the upper and lower boundary lines is called the ALARP region and is described in the following section.
Figure 6.2 Societal risk criteria. 1: Aircraft accidents; 2: railway accidents; 3: fires and explosions (UK); 4: five pressurized water reactors; 5: Three Mile Island accident; 6: Chernobyl accident; 7: Canvey Island, London (after improvements). [Chart not reproduced: log-log FN plot. Vertical axis: frequency with which number of fatalities is equal to or greater than N (per year), from 1 down to 10^-10. Horizontal axis: number of fatalities (N) or more, from 1 to 10^5. Regions labelled intolerable, ALARP region, broadly acceptable and negligible.]
The ALARP principle
Definition of ALARP The original definition of ALARP (as low as reasonably practicable) was formulated by the Court of Appeal in its judgement in Edwards v National Coal Board.17 The case concerned the collapse of an unsupported section of travelling road in a coal mine which occurred because only part of its length was properly supported. Mr Edwards was unfortunately killed as a result. In the appeal court the National Coal Board argued that the cost of supporting all roads in every mine was excessive when compared to the reduction of risk. However, the court decided that the shoring up of all roads in every mine was not the point at issue; only the road which actually gave way was relevant to the case and this should have been made safe. The cost of carrying out the work on the section of road which collapsed was not excessive when compared to the risk of injury or loss of life if it were not carried out. As a result Mr Justice Asquith defined what was to become the ALARP concept:
‘Reasonably practicable’ is a narrower term than ‘physically possible’ . . . a computation must be made by the owner in which the quantum of risk is placed on one scale and the sacrifice involved in the measures necessary for averting the risk (whether in money, time or trouble) is placed in the other, and that, if it be shown that there is a gross disproportion between them – the risk being insignificant in relation to the sacrifice – the defendants discharge the onus on them’.
The ALARP concept subsequently came to underpin UK safety law and was enshrined in the HSW Act. The Act requires employers to ensure ‘so far as is reasonably practicable’ that employees (section 2) and non-employees (section 3) are not exposed to risks to their health and safety from the employer’s business.
Gross disproportion For a risk reduction measure to be deemed reasonably practicable, it must meet what has been termed the test of gross disproportion. This means that the sacrifice in money, time or trouble (but usually expressed in monetary terms) to reduce the risk (over and above that already applied) need not be grossly disproportionate to the benefits (usually expressed in lives saved or an equivalent value) thereby achieved. Conversely, a proposed risk reduction or control measure must be implemented if the costs are not grossly disproportionate to the benefits in terms of risk reduction achieved by the measure. Various forms of CBA may be used to determine the degree of disproportion (if any) for particular circumstances. CBA is discussed in a later section. Cost–benefit analysis may not always be necessary and basic common sense rules may apply; the HSE18 provides a simple example of this. If it was found that £1 million needed to be spent to prevent five staff suffering bruised knees then the cost is obviously grossly disproportionate. If £1 million needed to be spent to prevent a major explosion capable of killing 150 people, then the cost is obviously proportionate.
Assessment of ALARP The inverted triangle in Figure 6.1 represents the cost versus risk relationship. At the higher levels of risk, the degree of disproportion will be greater than at the lower levels. The actual degree of disproportion can be estimated by comparing the cost of preventing a fatality (CPF) with the value of preventing a fatality (VPF). The CPF is calculated by dividing the final cost of a risk reduction measure by the number of fatalities prevented by implementing the measure. In the UK, VPF is often taken to be of the order of £1 million, except in the case of preventing a fatality from cancer where a value of £2 million is suggested.19 In the USA it is understood that VPF is sometimes taken to be of the order of $6 million.20 No estimate of VPF should be regarded as fixed since the actual value to be used in a calculation will vary depending upon the circumstances of the fatalities, including aspects such as the following.
Public aversion The degree of public aversion is influenced by factors such as the number of deaths occurring simultaneously (see societal risk below); and the manner of death (often referred to as the ‘dread factor’), including aspects such as immediacy, violent death, latency (delayed fatalities, cancer, etc.) and reduction in life expectancy. It is also important to consider who is at risk: the death of vulnerable groups, such as children, for instance, will attract a greater degree of aversion.
Moral concern A significant shift in moral concern following a recent major accident may affect how much society is prepared to pay to prevent a future accident. A spate of rail accidents in the UK in the late 1990s due to signals passed at danger hastened the adoption of a form of automatic train protection on a network-wide basis.
Voluntary acceptance Another important determinant is the degree of voluntary acceptance of risk and any benefits accruing from the activity. Already mentioned is the fact that the risk criteria adopted for members of the public and workers differ owing to the higher degree of voluntary acceptance and the benefits obtained by the latter. Sometimes the industry for which the risk calculations are being made is taken into account, including the ‘ability to pay’.
As an example, an industry adopting older technologies where risk reduction measures are much more expensive may be expected to pay less than a more modern industrial facility. However, this should be treated with caution since it would depend upon the level of risk and it is possible that some expenditure at least may be justified. Societal wealth also determines the ability to pay. This means that grossly poorer nations may attract a lower VPF (discounting whether or not this is morally right). The value of CPF/VPF is often referred to as the proportion factor (PF). Thus, when the PF is unity or less, risk reduction measures need to be implemented even if the risks lie at the upper part of the ALARP diagram in the broadly acceptable region. As the risks approach the lower part of the ALARP triangle, HSE21 suggests that the PF may rise to as high as 10 at the boundary of acceptability, so that an expenditure to save a life of ten times the VPF may be justified.
ALARP for societal risk The ALARP demonstration for societal risk is somewhat more complex than for individual risk. The FN curve as a method for representing societal risk is useful but also has a number of drawbacks, the most significant being the difficulty in making comparisons between curves of markedly different shapes that may weave in and out of the ALARP region of the graph. The main principle in the case of societal risk is that greater weight will be attached to the consequences (multiple fatalities) when compared with individual risk. Severe detriment arising from explosions in built-up areas will understandably place a higher onus on the owners to prevent such accidents than for, say, similar explosions occurring on offshore oil and gas platforms, where only workers are at risk (but not to diminish the legal and moral imperative to protect the latter). The ALARP region for societal risk is shown in Figure 6.2, the upper bound of intolerability being shown by a line of slope –1 drawn from 10^-1 frequency on the y-axis. Above this lies the unacceptable region. The lower bound of acceptability is marked by a line two orders of magnitude below and parallel to the upper line. The ALARP region lies between the two. These lines were developed by the HSE following a study22 of the risks arising from the industrial facilities on Canvey Island in the River Thames, which is in close proximity to local populations. Following an assessment of potential major accidents at Canvey, proposals were made to reduce the risk to a level which was later deemed to be acceptable (after the improvements) by the British Parliament. The new limits were later endorsed by a study by the HSE of the transport of dangerous goods and have subsequently been adopted as a measure of the safety of other dangerous installations. They should be regarded, however, as only really applicable to fixed major industrial facilities and not necessarily applicable to risks of a different nature, such as public transportation risks.
In any event, the adoption of societal risk criteria will involve many other factors (beyond the scope of this book) than a predicted single FN curve arising from a quantified risk assessment of a facility. Further information can be obtained from publications and websites of the UK regulator.21
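The comparison of an FN curve with the two criteria lines can be worked through in code. The following is an added example, not taken from the book: it builds an FN curve from a list of accident scenarios and reports which region each point falls in, showing how a curve can weave in and out of the ALARP region. The scenario frequencies and fatality numbers are constructed for illustration; the line positions (slope –1 from 10^-1 at N = 1, and a parallel line two orders of magnitude lower) are those described in the text, and the negligible region is left out because the text gives no line for it.

```python
"""Compare a facility's FN curve with the societal risk criteria lines."""

# Criteria lines as described in the text: slope -1 on log-log axes.
UPPER_AT_N1 = 1e-1  # upper bound of intolerability at N = 1 (per year)
LOWER_AT_N1 = 1e-3  # lower bound of acceptability, two orders of magnitude below

# Regions ordered from least to most severe.
ORDER = ["broadly acceptable", "ALARP", "intolerable"]

# Constructed sample input: (frequency per year, fatalities) for each accident
# scenario, as a quantified risk assessment of one facility might list them.
QRA_SCENARIOS = [
    (6e-4, 1),
    (1e-4, 5),
    (1e-5, 30),
    (8e-6, 200),
    (1e-9, 1000),
]


def criteria(n):
    """Return (upper, lower) frequency limits per year for N or more fatalities."""
    if n < 1:
        raise ValueError("N must be at least 1 fatality")
    return UPPER_AT_N1 / n, LOWER_AT_N1 / n


def classify(n, freq):
    """Name the region in which the point (N, F) lies."""
    upper, lower = criteria(n)
    if freq > upper:
        return "intolerable"
    if freq > lower:
        return "ALARP"
    return "broadly acceptable"


def fn_curve(scenarios):
    """Turn accident scenarios into FN points, sorted by increasing N.

    F(N) is the summed frequency of every scenario with N or more fatalities.
    """
    totals = {}
    for freq, fatalities in scenarios:
        if freq < 0 or fatalities < 1:
            raise ValueError("frequency must be >= 0 and fatalities >= 1")
        totals[fatalities] = totals.get(fatalities, 0.0) + freq
    points, running = [], 0.0
    for n in sorted(totals, reverse=True):
        running += totals[n]
        points.append((n, running))
    return points[::-1]


def assess(scenarios):
    """Classify every FN point and return (rows, worst region).

    F(N) is constant between scenario values of N while both criteria lines
    fall as 1/N, so each step of the curve comes closest to the lines at its
    right-hand end, which is the scenario N checked here.
    """
    rows = [(n, f, classify(n, f)) for n, f in fn_curve(scenarios)]
    worst = max((row[2] for row in rows), key=ORDER.index)
    return rows, worst


if __name__ == "__main__":
    rows, worst = assess(QRA_SCENARIOS)
    for n, f, region in rows:
        upper, lower = criteria(n)
        print(f"N>={n:<5} F={f:.3e}  lower={lower:.1e} upper={upper:.1e}  {region}")
    print("worst region:", worst)
```

With the constructed scenarios the curve is broadly acceptable at N = 1, 5 and 30, rises into the ALARP region at N = 200 and drops back at N = 1000, so a judgement based on any single point would misstate the facility's position.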
ALARP and the European Union The Commission of the EU has been in dispute with the UK Government over a period of ten years about whether the UK will be allowed to retain its ‘so far as reasonably practicable’ criterion as the basis of health and safety law. The EU considers that the criterion is inconsistent with the EU framework directive 89/391/EEC.23 The EU argues that by using the ALARP argument, UK employers can evade liability if they demonstrate that everything practicable has been done in order to avoid risk. In other words, if safety measures are proved too ‘troublesome’ then they can be avoided. It considers that under the framework directive, strict liability should be imposed by member states on employers for any risk to the health and safety of their workers. Only force majeure considerations should be allowed to override this liability, such as ‘unusual or unforeseeable circumstances, beyond the employers’ control, or to exceptional events, the consequences of which could not have been avoided despite the exercise of all due care’.23 So far (at the time of writing), the Advocate General24 has delivered an opinion which is in favour of the UK retaining this approach pending a final ruling by the EU Court of Justice.
Conclusion The whole concept of ALARP is useful in fulfilling the principle enshrined in UK health and safety regulation that ‘those responsible for the hazards should ensure that adequate measures are taken to protect people from the harmful consequences that may arise from such hazards’.16 This allows the safety regulator to adopt a more ‘hands-off’ or non-prescriptive approach in setting general goals for companies, rather than attempting to specify exactly what they must do in every circumstance. These principles are discussed further below. The advantage of the ALARP principle is that it is effective both for very small individual risks at the level of a company employing just a few people, and for much larger concerns involving major accident risks threatening the lives of many people. The attention, time and effort spent on evaluating the risks and examining risk reduction measures and disproportion depend on the scale of the hazard and the extent of the risk. Major accident hazards may require the preparation of a detailed safety case involving many person-hours of work in order to demonstrate that all reasonable risk control measures are being taken.
Cost–benefit analysis Comparing the relative costs and benefits of a decision using CBA is not a particularly new technique and has been applied as a decision-making aid over many years. It can also be used as part of an ALARP demonstration, although the HSE maintains that by itself it cannot ‘form the sole argument of an ALARP decision nor can it be used to undermine existing standards and good practice’.25 In its basic form it is a slightly more sophisticated calculation of the PF, which has already been described above. When using CBA it is normal to express both costs and benefits in common units (usually national currency) so that valid comparisons can be made. For the PF, the comparison was the simple ratio of the CPF with the VPF, taking account of any disproportion arising between the two costs. It is used essentially to determine whether a risk is tolerable and if so to what degree. The distinction between tolerability and acceptability as defined by the UK HSE is worth describing here. A tolerable risk is not necessarily an acceptable risk. Tolerability refers to ‘a willingness by society as a whole to live with a risk so as to secure certain benefits and in the confidence that the risk is one worth taking and that it is being properly controlled. However, it does not imply that the risk will be acceptable to everyone’.19 The main difference between a CBA and the calculation of a PF is the more detailed and transparent way in which the elements of the costs and benefits are calculated and presented.
Costs The costs of implementing a measure to reduce the risk from a facility or activity can include:
• the annualized capital costs of installing new or modified equipment discounted as necessary to give net present value
• any shutdown costs and costs of lost production during installation or modifications
• any additional costs of operation due solely to the measure
• additional maintenance, inspection, etc. costs incurred as a result of the measure
• any productivity losses arising from the measure
• any other costs solely attributable to the measure.
All these costs are expressed on an annualized basis for valid comparison with the annual benefits. Any savings associated with implementing the measures need to be subtracted from the total cost to provide a net annual cost. These savings might include efficiency and productivity improvements, reduced losses to property, fewer incidences of ill-health, etc., due to a lower accident frequency or mitigated consequences. It is not considered appropriate to include gains from enhanced company reputation, reduced insurance premiums or civil damages.19 The UK regulator will not take into account the ability of a company to pay for the improvements and the effect on viability so long as the risk is considered intolerable. Various options for risk reduction can, however, be explored, costed and measured against the resulting benefits in order to inform a decision on the most cost-effective measure.
Benefits Assessment of the benefits of the improvements in monetary terms to be compared with the costs is not always easy. However, it must be remembered that the benefits in the context of ALARP are principally health and safety benefits. Any other monetary benefits resulting should be subtracted from the costs as discussed above. Health and safety benefits could, however, include ‘the avoidance of actions that would be taken after an incident such as evacuation, food bans, land use restrictions, etc.’25 The VPF has already been mentioned with a notional value of £1 million per statistical life saved being apportioned. However, as discussed, this value will vary depending upon the circumstances, societal concerns, etc. Apart from reducing loss of life, it may be necessary to value reductions in injuries, improvements to long-term health or gains in life expectancy, and in these cases suitable adjustments to the VPF will need to be made.
Comparison Annualization of costs and benefits allows the average annual cost and savings to be calculated. All the discounted costs and benefits are summated over an appraisal period, say ten years, and then divided by the number of years. This allows for the fact that the costs and benefits are not necessarily constant over time. Costs in particular are likely to be higher in the first year, while benefits usually remain fairly constant. For general guidance on undertaking CBA (not just health and safety), in addition to the various HSE documents referenced at the end of this chapter, the UK Government’s Green Book, Appraisal and Evaluation in Central Government26 is a useful source of information. When the various costs and benefits have been evaluated it is necessary to make a comparison by calculating the PF as described above and then assessing whether the costs are disproportionate to the benefits for the particular scheme being proposed. There is no set formula for deciding the amount of disproportion between costs and benefits for different situations or levels of tolerability. The HSE provides a rule of thumb which suggests ‘a factor of up to three (i.e. costs three times larger than benefits) would apply for risks to workers; for low risks to members of the public a factor of two, for high risks a factor of ten’.19 The amount of effort and the level of detail which is appropriate for a CBA (or whether a CBA is justified at all) will depend upon the degree of risk which is being averted and the nature of the risk as discussed earlier. For a CBA on new developments or changes in technology, perhaps as part of a formal safety case comparing different risk reduction options, it will be necessary to perform sensitivity analyses to take account of the uncertainties which invariably arise when estimating the risk. In general, any assumptions that are made in estimating the risk should always err on the side of caution, taking a pessimistic rather than an optimistic viewpoint. This allows the company (and the regulator) to assess the robustness of the results of the CBA and in turn its suitability for underpinning ALARP decisions.
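The comparison described above can be carried through numerically. The following is an added worked example, not taken from the book: it discounts and annualizes the net costs and the benefits of one risk reduction measure over a ten-year appraisal period, calculates the PF, applies the rule-of-thumb disproportion factors and repeats the calculation for more and less pessimistic risk estimates. The cost figures, the 0.05 statistical fatalities averted per year and the 3.5 per cent discount rate are constructed assumptions; the £1 million VPF and the disproportion factors are the values quoted in the text.

```python
"""Annualized cost-benefit comparison and gross disproportion test."""

VPF_GBP = 1_000_000    # value of preventing a fatality quoted in the text (UK)
DISCOUNT_RATE = 0.035  # ASSUMPTION for illustration; the text quotes no rate

# Rule-of-thumb disproportion factors quoted in the text.
DISPROPORTION_FACTOR = {
    "worker": 3.0,
    "public_low_risk": 2.0,
    "public_high_risk": 10.0,
}

# Constructed sample input for a ten-year appraisal period (year 0 first):
# capital cost in the first year plus operating and maintenance costs,
# and the yearly savings that are netted off against cost.
COSTS = [2_050_000] + [50_000] * 9
SAVINGS = [20_000] * 10
FATALITIES_AVERTED = 0.05  # statistical fatalities averted per year (assumed)


def annualise(cash_flows, rate=DISCOUNT_RATE):
    """Discount yearly amounts, sum them over the period, divide by the years."""
    if not cash_flows:
        raise ValueError("appraisal period must cover at least one year")
    present_value = sum(a / (1 + rate) ** year for year, a in enumerate(cash_flows))
    return present_value / len(cash_flows)


def appraise(costs, savings, fatalities_averted_per_year, exposed,
             vpf=VPF_GBP, rate=DISCOUNT_RATE):
    """Return net annual cost, annual benefit, PF and the ALARP decision."""
    if len(costs) != len(savings):
        raise ValueError("costs and savings must cover the same years")
    limit = DISPROPORTION_FACTOR[exposed]
    # Savings are subtracted from cost; they are not counted as benefits.
    net_cost = annualise([c - s for c, s in zip(costs, savings)], rate)
    benefit = annualise([fatalities_averted_per_year * vpf] * len(costs), rate)
    if benefit <= 0:
        raise ValueError("measure averts no fatalities; PF is undefined")
    pf = net_cost / benefit  # equals CPF / VPF
    return {
        "net_annual_cost": net_cost,
        "annual_benefit": benefit,
        "pf": pf,
        "limit": limit,
        # The measure must be implemented unless cost is grossly disproportionate.
        "required": pf <= limit,
    }


def sensitivity(costs, savings, fatalities_averted_per_year, exposed,
                multipliers=(0.3, 1.0, 3.0)):
    """Repeat the appraisal with the risk estimate scaled down and up.

    A multiplier above 1 is the pessimistic view of the risk (more fatalities
    expected without the measure, so more averted by it).
    """
    results = []
    for m in multipliers:
        outcome = appraise(costs, savings, fatalities_averted_per_year * m, exposed)
        results.append((m, round(outcome["pf"], 2), outcome["required"]))
    return results


if __name__ == "__main__":
    base = appraise(COSTS, SAVINGS, FATALITIES_AVERTED, "worker")
    print(f"net annual cost £{base['net_annual_cost']:,.0f}, "
          f"annual benefit £{base['annual_benefit']:,.0f}, PF {base['pf']:.2f}")
    for m, pf, required in sensitivity(COSTS, SAVINGS, FATALITIES_AVERTED, "worker"):
        print(f"risk estimate x{m}: PF {pf} -> required: {required}")
```

With these constructed figures the central estimate gives a PF of about 5.2, above the factor of three for workers, but the pessimistic estimate brings it to about 1.7, so the decision is not robust to the uncertainty in the risk estimate.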
Reducing the regulatory burden The point has already been made that whilst regulation is an important means to limit the incidence of corporate accidents, its overuse can place unacceptable cost burdens upon industry as well as inhibiting the entrepreneurial spirit and preventing technological progress. For this reason, a short review of a number of recent studies directed towards reducing the burden of regulation upon industry is presented here. These studies include The Hampton review – Reducing Administrative Burdens: Reducing Inspection and Enforcement (Philip Hampton), Regulation – Less is More: Reducing Burdens, Improving Outcomes (Better Regulation Task Force) and Regulatory Justice: Sanctioning in a Post-Hampton World (Cabinet Office, Better Regulation Executive). The studies are wide ranging and do not just cover health and safety regulation. In January 2007, they culminated in the passing of the Legislative and Regulatory Reform Act 2006.
The Hampton review The Hampton review – Reducing Administrative Burdens: Reducing Inspection and Enforcement27 was set up under Philip Hampton, Chairman of J Sainsbury plc in 2004, principally to consider the scope for reducing administrative burdens on industry by promoting more efficient approaches to regulatory inspection and enforcement while at the same time not compromising regulatory standards or outcomes.
Costs of regulation It has been estimated that the total cost of all regulation in the UK amounts to around £100 billion,28 around 5 per cent of GDP, divided into two types of cost:
• policy costs: the cost to industry of meeting regulatory requirements, such as modifying or installing new equipment in order to meet health and safety regulations
• administrative costs: the costs that are incurred in regulation, such as information gathering, checking on compliance, form-filling and spending time with an inspector.
Administrative costs are strictly a bureaucratic overhead and the review recommended they could be reduced to the minimum level needed to ensure effective enforcement of regulations. Policy costs, by contrast, are an outcome of regulation and depend upon the regulatory objectives set by politicians. It was not the remit of the review to consider ways of reducing policy costs. Research carried out in the USA indicates that as a proportion, administrative costs comprise about 30 per cent of total regulatory costs. In the case of health and safety regulation the cost must be offset by the significant, although probably unquantifiable, social benefits which are gained. The actual benefit to industry of improved health and better performance of the workforce also needs to be taken into account when assessing the total net cost of health and safety regulation in particular.
Problems of regulation The Hampton review undertook an industrial survey which revealed a high level of concern about an accumulating burden of regulation which represented a major challenge to business. Perceived problems related to multiple inspections, overlapping information requirements, inconsistencies in regulatory practice and decision making, and excessive form filling, especially for small businesses. The review was convinced that the costs of these and other problems are greater than necessary for an effective regulatory system. Without delving too deeply into the intricacies of the administrative problems of regulation, it is worth mentioning two particular problems highlighted by the review.
Risk-based inspection The review found that the use of risk assessment by the regulator was both patchy and inconsistent. The Hampton report suggested that ‘risk assessment is an essential means of directing regulatory resources where they can have the maximum impact on outcomes’.27 A greater adherence to a risk-based inspection policy could reduce the number of regulatory inspections by a significant amount, thereby reducing the cost burden on industry and diverting more resources to the provision of advice. This is in addition to improving the overall effectiveness of regulation by concentrating the enforcement efforts where they are most needed, by targeting the businesses which are posing the greatest risk. Clearly, over-inspection of businesses that are compliant must be at the expense of under-inspection of those that are risky. This is exactly the same principle that a regulator should impose upon those being regulated, by targeting the areas of greatest risk to ensure that resources are deployed to obtain the greatest benefit. The report recommends that risk assessment should be open to scrutiny, consider both past performance and potential future risk, use high-quality
data, be implemented uniformly and impartially, and always include a small element of random inspection.
Penalty regimes It is important that the sanctions against companies in breach of regulations are proportionate to the severity of the offence and take account of any financial gain which may have accrued from the illegal activity. This will prevent companies that are externalizing their costs by operating outside the law from gaining any competitive advantage. Numerous examples are given in the report of fines levied upon companies which fall far short of the commercial value to the company of the regulatory breach. If the fines are insufficient to recoup the gains made by the illegal activity then companies will tend to treat these penalties as just another corporate overhead, which provides an incentive to continue breaching the regulations. When regulatory inspection is too thinly spread owing to either insufficient resources or resources being misdirected, then ‘rogue’ companies are more likely to take advantage. In addition, the deterrent effect of the penalty regime is increased by imposing proportionate sanctions. One of the causes of the problem is that most prosecutions take place in magistrates’ courts, which rarely see regulatory offences brought before them. On average, a magistrate will be presented with a health and safety offence only once every 14 years. This can lead to inconsistent court judgements and fines that do not reflect the business gain from an illegal activity. One recommendation of the Hampton report is the greater use of ‘administrative penalties’ for health and safety offences which do not involve bringing a case to court. Only the most serious cases should be prosecuted, partly so that the stigma may serve as a deterrent to a repeat offender. Some UK regulators are already empowered to apply administrative penalties in the form of fines imposed upon non-compliant companies, examples being the Office of Fair Trading and the Financial Services Authority.
The advantage is that these forms of penalty are quicker to apply, releasing more time for the regulator to spend on preventive activities, and will probably be applied more consistently and proportionately. The Hampton report goes on to describe in detail other mainly administrative problems arising from the current UK regulatory regime. The main recommendations of the review concerned the incorporation of risk assessment throughout the regulatory system, ensuring that inspection activity is better focused, eliminating unnecessary inspections, making greater use of advice, reducing the need for form filling, and ensuring that regulators take more account of the needs and views of business. A final recommendation was that 31 national regulatory bodies should be consolidated into seven, to cover environment, health and safety, food standards, consumer and trading standards, animal health, agricultural inspections, and rural and countryside issues. These recommendations can be achieved by adhering to a set of core regulatory principles for effective inspection, which are reproduced in Table 6.1.
Table 6.1 Principles of inspection and reinforcement
• Regulators, and the regulatory system as a whole, should use comprehensive risk assessment to concentrate resources on the areas that need them most
• Regulators should be accountable for the efficiency and effectiveness of their activities, while remaining independent in the decisions they take
• All regulations should be written so that they are easily understood, easily implemented and easily enforced, and all interested parties should be consulted when they are being drafted
• No inspection should take place without a reason
• Businesses should not have to give unnecessary information, or give the same piece of information twice
• The few businesses that persistently break regulations should be identified quickly and face proportionate and meaningful sanctions
• Regulators should provide authoritative, accessible advice easily and cheaply
• When new policies are being developed, explicit consideration should be given to how they can be enforced using existing systems and data to minimize the administrative burden imposed
• Regulations should be of the right size and scope, and no new regulation should be created where an existing one can do the work
• Regulators should recognize that a key element of their activity will be to allow, or even encourage, economic progress and only to intervene when there is a clear case for protection
Based on Hampton (2005).27
Less is More: Reducing Burdens, Improving Outcomes This Regulation Task Force study28 was set up by the UK government to run in tandem with the Hampton review, was complementary to it and reported at the same time, in March 2005. The study was asked to report on the way the Dutch government had set a target reduction in regulatory burden of 25 per cent over four years and then proceeded to implement this on the basis of ‘what is measured gets done’. In the Netherlands, departments proposing new regulations are required to submit these to an independent public body, including the cost of the administrative burden that will result. The study also looked at the suggestion that the UK government adopt a ‘one in, one out’ approach to regulation to bring a halt to the proliferation of new regulations which has occurred over the past few decades. The principle is that every time a new regulation is introduced, an unnecessary regulation should be removed or at least simplified. The report points out that about 50 per cent of new regulation in the UK arises from implementing EU Directives and Regulations in national law. It is difficult for nation states unilaterally to stem the flow of these additional burdens of regulation on industry. It is suggested that there is reform of the domestic application of Directives at the level of nation states to allow governments to limit the growth in administrative burdens and simplify their regulatory regimes. Simplification of regulations is considered to take place in three ways:
• deregulation: complete removal of regulations from the statute book
• consolidation: bringing different regulations together to make their application more manageable
• rationalization: resolving overlapping or inconsistent regulations to avoid duplication of effort.
One of the problems that is driving the need for simplification is the imposition of new EU legislation on top of what already exists at national level, rather than changing existing regulations to incorporate what is required by the EU. More details of the way in which these recommendations may be implemented can be found in the original document, available on the internet.28
Regulatory Justice: Sanctioning in a Post-Hampton World This review29 of regulatory penalties by the Cabinet Office – Better Regulation Task Force (BRTF) was instituted following the Hampton report to address some of the key issues identified (see above) concerning sanctions against companies in breach of the law. Its terms of reference were ‘to advise government on action to ensure that regulation and its enforcement are transparent, accountable, proportionate, consistent and targeted’,29 listing the five principles of good regulation set out by the BRTF. The objective of the BRTF in this study was to achieve regulatory justice by aligning the penalty system with the risk-based, proportionate model of regulation recommended by Hampton.27 This would increase public confidence as well as demonstrating consistency to industry, facilitating compliance by the willing while pursuing the guilty and unwilling. At the present time, the sanctions available to regulators vary from persuasion through warning letters to enforcement notices and ultimately criminal penalties and licence revocation where applicable. Criminal penalties remain the primary sanction once the less formal means have been exhausted, and the report questions whether this ‘one size fits all’ approach is appropriate. On top of this are the current problems of criminal sanctions revealed by Hampton such as inconsistency in sentencing by magistrates owing to inexperience or lack of specialist knowledge, often leading to low fines with insufficient deterrent effect. In addition, the court system incurs long delays and excessive costs in bringing cases of non-compliance to trial. Furthermore, criminal sanctions attach moral stigma and a criminal record to all those guilty of regulatory breaches, even where there was no intention or recklessness involved. This arises from the heavy reliance placed by regulators on strict liability offences. 
(Some statutes are constructed with the aim of excluding criminal intent and these do not require the existence of mens rea. They are known as ‘strict liability’ offences. In this case the accused may be found guilty even if they had no intention to commit a crime or indeed have any knowledge that their act was criminal. Under ‘strict liability’, an accused person can be held responsible for their actions and the consequences of them regardless of whether they are at fault, or have intention or mens rea. However, what is required is that the act is committed voluntarily, because involuntary acts cannot be criminal.) The conclusion is that criminal proceedings are
in many cases disproportionate to the offence and may not be the best way to promote future compliance. It is arguable that they should be reserved only for the most serious breaches. The report proceeds therefore to explore a number of alternative solutions to help resolve these problems of sanctioning. Alternative approaches suggested in the report include:
• Categorizing regulatory offences to enable less serious offences to be dealt with by more proportionate measures
• Decriminalizing some lesser regulatory offences by removing them completely from the remit of the criminal law and replacing them with lesser sanctions such as civil or administrative penalties
• The use of administrative penalties as described above, including fixed penalties which are automatic, and non-discretionary monetary penalties, usually for small amounts and applied to the more technical breaches of regulations where there is an absence of intent or negligence. These would be similar to existing fixed penalty notices for road traffic offences. The penalties would be imposed by the regulator with no reference to the courts. Those receiving the penalties would, however, have the right of appeal to a court. The penalties could be coupled with improvement notices and other less formal sanctions.
The only penalty available for imposition on a company in breach of the law is a fine, although in rare cases conviction may result in the imprisonment of an individual. The report recommends that any fine should commence at the level of financial gain of the non-compliance (where this can be calculated) to enhance its deterrent effect. Full details of the recommendations of the review can be studied in the original document, which is available on the internet.30
UK regulatory reform As a result of the deliberations of these and other bodies reviewing current regulatory burdens, the Legislative and Regulatory Reform Act 2006 (LRRA)31 came into force on 8 January 2007, replacing the Regulatory Reform Act 2001. It includes two order-making powers which a minister may use to amend primary legislation:
• Power to remove or reduce burdens: allowing a minister to make an order for the purpose of removing or reducing burdens, these being defined as financial cost, administrative inconvenience, an obstacle to efficiency, productivity or profitability or a sanction, criminal or otherwise, which affects the carrying on of any lawful activity.
• Power to promote regulatory principles: allowing a minister by order to ensure that regulatory functions are exercised so as to comply with the five Principles of good regulation set out by the BRTF that regulatory activities should be transparent, accountable, proportionate, consistent and targeted only at cases in which action is needed. It includes the power to delegate or transfer regulatory functions as well as amending, creating or abolishing regulatory bodies as necessary to achieve this.
A number of amendments were made to the Bill in its passage through Parliament, which were designed to strengthen existing safeguards against abuse, so that the Bill will deliver a better regulation agenda and nothing else, and will protect the scrutiny role of Parliament by giving a statutory veto on the powers of ministers to the relevant parliamentary committees. As a baseline for future reduction of regulatory burdens, a nationwide survey will be conducted to establish how much time and money businesses currently expend to demonstrate compliance, and to identify which regulations impose the greatest burdens. The aim is then to achieve a 25 per cent reduction in the administrative cost of regulation spread over a period of five years. The Better Regulation Commission (BRC) was established in 2005 to provide independent advice to government, from business and other external stakeholders, about new regulatory proposals and about the government’s overall regulatory performance. The remit of the BRC has now been extended to include vetting of departmental plans for simplification and administrative burden reduction.
Case studies Two case studies from Appendix 2 are used to illustrate how a failure of regulation, at least in part, led to a corporate accident. As it happens, both case studies describe accidents that occurred in the nuclear power industry, where a failure in regulation may be least expected since this industry is the most highly regulated in the world owing to its perceived inherent hazards. In both cases the failure in regulation was not a root cause of the accident in the strict definition of the term, but nevertheless an important contributory cause. On its own a failure in regulation is unlikely to be the root cause since this will invariably lie in a failure of safety culture and management.
1. The Tokai-Mura criticality accident The case study of the accident at the nuclear fuel processing facilities of the Japan Nuclear Fuel Conversion Company (JCO) in Tokai-Mura, Japan, in 1999 has already been described briefly in Chapter 5 and is described in more detail in Appendix 2, Case Study A2.5. This was by far the worst nuclear accident to occur to date involving a criticality hazard (which is explained in A2.5), since not only were three workers killed as a result of receiving a high dose of radiation, but also 200 members of the public living outside the facility were exposed to significant doses. In this sense it was also the worst nuclear accident since the catastrophe at Chernobyl in the former Soviet Union in 1986 and certainly the consequences for public health were much worse than the accident at Three Mile Island in the USA. The unauthorized procedure by which a highly enriched fissionable material, uranium-235, was added to a processing tank with the full knowledge of management has already been described. The subsequent criticality excursion in the plant continued to pulsate for twenty hours after the incident, emitting highly dangerous gamma and neutron radiation before it was finally shut down by the intervention of emergency staff. Chapter 5 describes how one of the root causes of the accident
was a failure in safety management such that the operators of the plant did not fully understand the risk involved in allowing an unauthorized processing routine to take place. The investigation by the Japanese authorities and a review of the accident by the US Nuclear Regulatory Commission also revealed another important root cause, this being a failure in regulatory oversight by the Japanese Nuclear Safety Commission (NSC). An earlier licensing review by the NSC had concluded incorrectly that there was ‘no possibility of criticality accident occurrence due to malfunction and other failures’.30 This conclusion principally arose from the use of regulatory controls that were vulnerable to human error, but it was a misapprehension which had a major influence on the cause of the accident and the recovery process following the accident. As a result of this incorrect assumption no criticality alarms were installed at the JCO facility and therefore the facility was not included in the ‘National Plan for the Prevention of Nuclear Disasters’, leading to ‘a significant delay in development and communication of emergency protection measures for the public’.30 This failure by the regulator caused a great deal of confusion following the accident concerning whether a criticality incident had in fact occurred, and this complicated the subsequent emergency response. As a result of the confusion, three emergency workers involved in the shutdown process were unnecessarily exposed to high levels of radiation. There was further uncertainty as to whether, assuming a criticality incident had occurred, the system was still in a critical state. Behind these failures lay the fact that no routine inspections of the facility had taken place since 1992 on the basis that no reportable incidents had occurred.
Clearly, inspections should have been carried out to confirm that the facility was being operated satisfactorily and safely even in the absence of evidence to the contrary. This prevented the regulator from detecting any adverse trends in the culture and management of the factory which might have been an early indication of emerging problems. A risk-based approach by the regulator, as described above, might have discovered the ongoing problems at the facility that led to the accident, but only if the regulator was actually aware of the risk of a criticality accident, which it appears they were not.
2. The Davis-Besse nuclear power plant incident The Davis-Besse nuclear power plant is a pressurized water reactor (PWR) located on Lake Erie at Oak Harbor, Ohio, USA, and operated by a company called FirstEnergy. In 2002, a serious defect was discovered at the plant which could have led to a major release of radioactive steam into the containment building and possibly a release to atmosphere which could have affected public safety. In the USA it was considered to be the most serious incident that had occurred in a nuclear power plant since the Three Mile Island disaster of 1979. The case study of the accident is described in more detail in Appendix 2, Case Study A2.2. Here, the implications of an admitted failure by the regulator, the US Nuclear Regulatory Commission (NRC), are explored. Removal of corrosion deposits from the pressure vessel head (PVH) of the nuclear reactor had revealed severe wastage of the metal and the presence of a hole estimated
to be the size of a pineapple. The remaining metal was so thin that the stainless steel cladding on the inside surface of the PVH was showing through and had bulged and cracked under the internal pressure of 2000 psi during operation. This distorted and weakened cladding layer was all that remained to prevent the release of radioactive steam into the containment building. The corrosion of the PVH occurs as a result of leakages of borated water from cracked PVH nozzles. Borated water is used in PWR plants as a reactivity control agent; the escaping liquid flashes to steam and leaves behind a concentration of impurities, including boric acid, which under certain conditions can corrode carbon steel components. This had been happening on US and other PWR plants for more than 30 years (for about 15 years owing to nozzle leakage), so the phenomenon was not particularly new. In September 2001, the NRC had instructed FirstEnergy to close down the plant by the end of the year in order to undertake an inspection of the penetration nozzles in the PVH. FirstEnergy, however, had requested NRC to allow them to operate the reactor until the next planned maintenance shutdown in February 2002. The NRC had concurred with this request based on FirstEnergy’s safety submissions. Following the discovery of the penetrative corrosion of the PVH an independent ‘lessons-learned’ task force32 was set up by NRC to investigate any failures of regulation which had allowed such a serious situation to have developed. The failures were listed as follows:
1. Over a period of many years, the NRC and the industry had been unable to reach any sort of consensus about how the corrosion problems of the PVH (which had occurred on many other PWRs) should best be resolved. The continuing problems therefore had been dealt with on a piecemeal basis rather than by a consistent regulatory policy.
2. Whilst the NRC and the industry agreed that boric acid deposits on the PVH needed attention, they did not regard it as a significant safety concern because when the water flashed to steam they expected that solid boric acid crystals would form and not cause significant corrosion of the PVH. In this the NRC was proved wrong; their technical understanding of the issue was therefore flawed, another criticism of the regulatory approach.
3. The policy that was developed for dealing with the issue of nozzle leakage was rule based in nature. So long as any leakage of primary coolant from a nozzle was less than 1 gallon per minute (gpm), the operator of the plant was not required to identify and correct the leakage (see case study and references for more details). The leakage rates at Davis-Besse were less than this rather arbitrary limit and were therefore not viewed as being a significant safety concern, yet still led to severe corrosion. Prescriptive rules such as this may be convenient for both operator and regulator (everybody knows where they stand), but may not be flexible enough to handle all situations that may occur. A risk-based approach, as suggested in the UK by the Hampton report, but preferably based on a full knowledge of the facts, is clearly better able to take account of the vagaries of local conditions.
An epilogue to this catalogue of regulatory failures was delivered by the US General Accounting Office (GAO),33 with the title NRC Needs to More Aggressively and Comprehensively Resolve Issues Related to the Davis-Besse Nuclear Power
Plant’s Shutdown. The report disagreed with two of the five findings set out in the NRC’s own report32 into the incident. In particular, it criticized NRC’s process for deciding whether Davis-Besse could delay its shutdown to inspect for nozzle cracking. The process lacked credibility because the guidance used was not intended for that type of decision. The GAO also expressed concern that ‘NRC’s oversight will continue to be reactive rather than proactive. NRC’s oversight can result in NRC making a determination that a licensee’s performance is good one day, yet the next day NRC discovers the performance to be unacceptably risky to public health and safety. Such a situation does not occur overnight’.33 Although safety culture is addressed in Chapter 4 in the context of other case studies, the approach of the nuclear regulator, US NRC, to safety culture is of interest. The GAO report noted that NRC’s inspections and performance indicators do not directly assess safety culture. Although NRC recognizes the importance of safety culture to safe operation, it does not attempt to regulate the safety culture of its licensees, nor has it any performance indicators that are routinely applied at installations to assess safety culture. NRC regards assessment and maintenance of an adequate safety culture as a matter for local management and not a matter for the regulator. This was borne out in an address by the chairman of US NRC in 2001 to a conference in Atlanta, Georgia, when he stated that:
the NRC does not purport to regulate safety culture directly. There is no NRC regulation that articulates an unambiguous direction to licensees to maintain an appropriate safety culture, although certainly aspects of safety culture are regulated ... It is apparent that many of the elements of safety culture are inseparable from the management of the licensee’s organization. It might be seen as over-reaching for the NRC to evaluate decisions as to management structure and philosophy that are otherwise relegated to the private sector in our society. Indeed, it is hardly clear that the NRC could perform such an evaluation fairly and thoroughly. And there is the danger that any such intrusion by the NRC into management structure and processes would undermine the fundamental principle that the licensee is responsible for safety; NRC involvement in management activities has the potential to dilute a licensee’s responsibility and, in effect, might make the NRC the de facto co-manager of the facility. The recognition that licensees are ultimately responsible for safety implies that they must be allowed some flexibility to achieve safety in their own way.34
This is an interesting reflection on the role of the regulator, which is further discussed in the conclusion to Appendix 2, Case Study A2.2.
References
1. The Report of the Robens Committee, Safety and Health at Work, June 1972, Cmnd 5034, London: HMSO.
2. Health and Safety Executive, Legislation Home, http://www.hse.gov.uk/legislation/index.htm
3. Health and Safety at Work etc Act 1974, http://www.hse.gov.uk/legislation/hswa.pdf
4. Health and Safety Executive, Statutory Instruments, http://www.hse.gov.uk/legislation/statinstruments.htm
5. Health and Safety Executive, Legal Publications, http://www.hse.gov.uk/legislation/legalpublications.htm
6. Council Directive 89/391 of 12 June 1989 on the Introduction of Measures to Encourage Improvements in the Safety and Health of Workers at Work (OJ [1989] L183/1), http://osha.europa.eu/data/legislation/1
7. Health and Safety Executive, HSE Bookfinder, http://www.hsebooks.com/books/static/whatsnew.htm#SixPack
8. Health and Safety Executive (2006). Offshore Installations (Safety Case) Regulations 2005 L30, 3rd edn, Sudbury: HSE Books.
9. Health and Safety Executive (2006). Explanatory Memorandum to The Offshore Installations (Safety Case) Regulations 2005, http://www.opsi.gov.uk/SI/em2005/uksiem_20053117_en.pdf
10. Health and Safety Executive (2003). Railways (Safety Case) Regulations 2000 Including 2001 and 2003 Amendments (HSE Ref. L52), Sudbury: HSE Books, http://www.hsebooks.com
11. HM Nuclear Installations Inspectorate, Directorate (2006). Safety Assessment Principles 2006, 1st edn, http://www.hse.gov.uk/nuclear/saps/saps2006.pdf
12. Ministry of Defence (2004). Interim Defence Standard 00-56, Issue 3, Publication Date 17 December 2004, http://www.dstan.mod.uk/data/00/056/01000300.pdf
13. The Control of Major Accident Hazards Regulations 1999, Statutory Instrument 1999 No. 743, http://www.opsi.gov.uk/si/si1999/19990743.htm
14. The Control of Major Accident Hazards (Amendment) Regulations 2005, Statutory Instrument 2005 No. 1088, http://www.opsi.gov.uk/si/si2005/20051088.htm
15. Health and Safety Executive (1992). The Tolerability of Risk from Nuclear Power Stations, http://www.hse.gov.uk/nuclear/tolerability.pdf
16. The Adventure Activities Licensing Regulations 2004, http://www.aala.org/documents/AALR2004StatutoryInstruments.doc
17. Asquith, Lord Justice (1949). In Edwards v National Coal Board, 1 KB 704; 1949 1 All ER 743 p712 and p747, a case on the interpretation of S 102 (8) of the Coal Mines Act 1911.
18. Health and Safety Executive (2006). ALARP ‘At a Glance’, http://www.hse.gov.uk/risk/theory/alarpglance.htm
19. Health and Safety Executive (2001). Reducing Risks, Protecting People (R2P2), http://www.hse.gov.uk/risk/theory/r2p2.pdf
20. Sunstein, C. (2002). Risk and Reason, Cambridge: Cambridge University Press.
21. Health and Safety Executive (2006). Guidance on ALARP Decisions in Control of Major Accident Hazards (COMAH), http://www.hse.gov.uk/comah/circular/perm12.htm
22. Health and Safety Executive (1981). Canvey: A Second Report, London: HSE.
23. Council Directive 89/391/EEC of 12 June 1989 on the Introduction of Measures to Encourage Improvements in the Safety and Health of Workers at Work, http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31989L0391&model=guichett
24. Opinion of Advocate General Mengozzi, delivered on 18 January 2007, Case C-127/05, Commission of the European Communities v United Kingdom of Great Britain and Northern Ireland, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:62005C0127:EN:HTML
25. Health and Safety Executive (2006). HSE Principles for Cost Benefit Analysis (CBA) in Support of ALARP Decisions, http://www.hse.gov.uk/risk/theory/alarpcba.htm
26. UK Government (2004). Green Book, Appraisal and Evaluation in Central Government, 3rd edn, reprinted November 2004, http://www.hm-treasury.gov.uk/media/3/F/green_book_260907.pdf
27. Hampton, P. (2005). Reducing Administrative Burdens: Reducing Inspection and Enforcement, http://www.hm-treasury.gov.uk/media/A63/EF/bud05hamptonv1.pdf
28. Better Regulation Task Force (2005). Regulation – Less is More: Reducing Burdens, Improving Outcomes, http://www.brc.gov.uk/downloads/pdf/lessismore.pdf
29. Cabinet Office, Better Regulation Executive (2005). Regulatory Justice: Sanctioning in a Post-Hampton World, http://www.cabinetoffice.gov.uk/regulation/documents/pdf/penaties.pdf
30. Division of Fuel Cycle Safety and Safeguards Office of Nuclear Material Safety and Safeguards, US Nuclear Regulatory Commission (2000). NRC Review of the Tokai-Mura Criticality Accident, http://www.nrc.gov/reading-rm/doc-collections/commission/secys/2000/secy2000-0085/attachment1.pdf
31. Legislative and Regulatory Reform Act 2006, http://www.opsi.gov.uk/acts/acts2006/ukpga_20060051_en.pdf
32. US Nuclear Regulatory Commission (2002). NRC Task Force to Assess Lessons Learned from Davis-Besse Reactor Vessel Head Degradation, http://www.nrc.gov/reading-rm/doc-collections/news/2002/02-060.html
33. US General Accounting Office (2004). NRC Needs to More Aggressively and Comprehensively Resolve Issues Related to the Davis-Besse Nuclear Power Plant’s Shutdown, Highlights of GAO-04-415, a Report to Congressional Requesters, http://www.gao.gov/new.items/d04415.pdf
34. Meserve, R.A. (2002). Safety Culture: An NRC Perspective, 2002 INPO CEO Conference, Atlanta, Georgia, 8 November 2002, http://www.nrc.gov/reading-rm/doc-collections/commission/speeches/2002/s-02-033.html
7
Safety management
There is a story about four people named Someone, Anyone, Everyone, and No one. There was an important job that had to be done – Someone should have done it, Anyone could have done it, and Everyone thought that Someone would do it. In the end, No one did it. At the beginning, the responsibility was not assigned.
Maintaining the Safety Management Perspective for Licensee’s Contractors, Remarks of Nils J. Diaz, Chairman, US Nuclear Regulatory Commission, http://www.nrc.gov/reading-rm/doc-collections/commission/speeches/2004/s-04-011.html
Introduction The statement that ‘everyone here is responsible for safety’ is a common euphemism that the author has heard repeated many times, always intended to inspire confidence in the listener. In fact the statement is an unsupportable proposition. In practice, if everyone is responsible then no-one is responsible since when things go wrong the ‘someone’ who was supposed to be responsible cannot be found. The main premise of this chapter is that management are always responsible for safety and this responsibility can only be exercised when management exerts the proper control over corporate activities. There can be no effective responsibility without control. Inquiries into corporate accidents have revealed poor or non-existent management controls or defective management systems as the most common root cause. The previous two chapters described two fundamental strategies to limit corporate accidents, namely, the need for senior management to understand the risk of corporate activities and compliance with regulatory requirements concerning them. Underpinning these strategies is the need for senior managers to have full and proper control over those activities to assure themselves not only that the corporate body remains within the law, but also that the risk of an accident is as low as reasonably practicable. Maintaining
a level of personal awareness about what is happening lower down in the company lies at the root of successful safety management. The underlying rationale is quite simple: whilst the facility or equipment is the property of the company, senior managers are charged with its care, custody and control and are held accountable because of the power and discretion they are given, as part of their day-to-day responsibilities, to manage the organizational resources. The senior management of an organization is legally accountable for the safe performance of its operations.
It is of course a truism that no senior manager can maintain continuous personal awareness of the operations for the safety of which he is ultimately responsible. It is also unlikely that he will be involved in all the day-to-day technical and managerial decisions which can influence safety; most of these will rightly be taken at delegated local or supervisory level. Yet at the same time he remains ultimately responsible and personally accountable when things go wrong. He must therefore obtain a sufficient level of assurance that they are being operated in a safe manner by retaining some form of control, even if this is not direct hands-on control. This is the purpose of management systems. They are set up to control work and in so doing bridge the gap between management and corporate activities by providing the required assurance. When the activities are safety critical (determined by an understanding of the risks) the systems will be called safety management systems (SMSs).
It is also important to note that effective SMSs represent the day-to-day implementation of safety culture. Thus, SMSs will be ineffective unless driven by the requisite safety cultural regime as described in Chapter 4. SMSs are one of the main expressions of safety culture in organizational terms and thus a useful indicator of safety culture. They must, however, be much more than a ‘paper’ system.
Although tangibly they comprise policies, objectives and management control procedures, they also require continuous monitoring, audit and improvement. They need to be examined periodically to ensure that they are still effective and are appropriate to the current risk. In this respect both safety culture and SMSs must be based on up-to-date knowledge of the risks and types of accident they are designed to prevent.
At this point it is worth asking the pertinent question: can safety be managed? Safety has already been defined by implication as the absence of risk (or risk is the absence of safety; see Chapter 5). It is rather difficult to control the absence of something! Without getting deeper into semantics, this book proposes that safety per se cannot be managed; only work (or strictly work activities) can be managed. This is the prime purpose of management. Where work is safety critical, SMSs must be developed whereby the manager is able to delegate and empower staff to work within predetermined safe limits. Following from this, an SMS can be defined for the purposes of this book as:
A system which provides management assurance that all significant hazards arising from work activities have been identified and are being appropriately controlled, dependent on the risk, by formally defined and documented methods.
This is not to deny that there are many other definitions and approaches to SMS found throughout the voluminous literature on the subject. For example, the term SMS has been used to signify a system which carries out a periodic safety audit and determines the current safety achievement by means of a points scoring system. Whilst safety audit is an important part of any SMS, it is only a part and alone it does not incorporate all the elements necessary to exert management control as described above. This chapter will review the field of SMS, summarizing the various definitions, approaches and methods of developing an SMS, including guidance provided by regulators (although it has to be admitted the latter can vary considerably from industry to industry). It will, however, recommend a systematic approach to SMS developed along the lines outlined above.
Regulatory and standard setting approaches to safety management
In order to understand the basic requirements against which a company’s SMS may be judged, it is pertinent to begin with some regulatory or standard-setting approaches to safety management.
Health and Safety Executive Booklet HS(G)65
Research was undertaken by the Health and Safety Executive (HSE) nearly twenty years ago to identify the characteristics of safety management developed by companies which had acquired a successful reputation in this field. The results of this research were published by HSE in 1991 as Successful Health and Safety Management, HSE Booklet HS(G)65.¹ The main findings were that successful companies had a risk-based approach to safety management, evaluating the risks and responding accordingly, ahead of an accident. This was in contrast to the more traditional event-based approach, which essentially relied on responding to events (or in the worst case accidents) as they happened. The risk-based approach is defined by a structured or hierarchical model of safety management which comprises six essential elements linked together by information and control loops. The overall model is shown in Figure 7.1. Each of the six main elements is described briefly, as follows.
Policy
To have such a policy is a legal requirement. It sets out in writing the health and safety objectives and standards the organization is required to achieve, ensuring that there is no conflict between these and other business objectives. The health and safety policy expresses the culture, values and beliefs of the highest level of management and directorship in the company who visibly identify with and champion the policy. The policy is committed to continuous improvement of the SMS and needs to be reviewed and updated periodically.
[Figure 7.1 HS(G)65 model of safety management.¹ Elements shown: Policy, Organizing, Planning and implementation, Measuring performance, Reviewing performance and Auditing, connected by information links and control links.]
Organizing
This involves formalizing the organizational network of responsibilities and interrelationships by which safety critical work is controlled. The HSE identifies four activities which are necessary for an effective organization for health and safety (known in the UK as the ‘four Cs’):
• Control: securing the commitment of employees to the objectives set out in the safety policy; defining the responsibilities of management for controlling safety critical work in such a way that ill-health, injury and loss are avoided.
• Cooperation: securing the involvement and participation of employees to encourage the ‘ownership’ of the health and safety policies of the company; employees become identified with the policy so that health and safety are widely disseminated.
• Communication: ensuring that information about the company’s health and safety policies is communicated to employees at all levels, demonstrating the commitment of senior management to its implementation; ensuring that new information coming into the organization flows through the right channels, downwards to influence positively work activities and upwards to those responsible for policy, planning, setting standards, auditing, etc.
• Competence: ensuring that employees are fully competent to undertake their allocated tasks safely, working in compliance with health and safety standards; includes assessment of tasks to determine competence requirements, assessment of fitness, aptitudes and abilities of staff in relation to these requirements and provision of training and instruction to ensure competence requirements are met.
Planning and implementing
This involves setting objectives and targets for the achievement of health and safety; setting and documenting performance standards for management, enabling a positive safety culture to be achieved in the area of the four Cs mentioned above. Standards also need to be set for the control of risks based on hazard identification and risk assessment; the standards will inform management action to either eliminate risks or reduce risks to as low as reasonably practicable by the implementation of control measures.
Measuring performance
Two aspects of measuring performance are considered, active and reactive. Active systems monitor performance achievement prior to an accident or near miss occurring; in particular they monitor the achievement of the planning and implementing process and the degree of compliance with standards. High-risk activities are monitored more rigorously. Reactive measurement systems monitor accidents, losses and near misses which have occurred, ensuring that these are recognized and reported; in both cases corrective action follows in ‘Reviewing performance’, below, for active systems to correct non-compliance and for reactive systems to prevent future occurrences.
Reviewing performance
This involves strategic thinking about the results of measuring performance in order to define remedial action. It also involves periodic review of the continuing validity of the whole SMS from policy level downwards to take account of changes which may occur. The information to support and document the review is obtained by means of internal auditing against the standards and by benchmarking company performance against other organizations or industry criteria.
Auditing
This ensures that any deterioration or obsolescence of the SMS is detected before it causes a problem. It involves an audit of performance standards, comprising an independent assessment of the operation of the management planning and control systems at the core of the SMS. It is applied to all of the previous five elements described above. It does not take away the responsibility of managers to monitor their own systems of control in order to provide themselves with assurance of safe operation. The information from the audit does, however, provide managers with an external and sometimes more detailed overview of the implementation and effectiveness of their SMSs.
The guidance set out in HS(G)65 closely mirrors the principles of total quality management (TQM) with its philosophy of perpetual improvement based on the International Organization for Standardization Quality Standard ISO 9000. The SMS defined by HS(G)65 is described in sufficiently general terms that it allows a wide diversity of management systems to sit comfortably within the guidance. The underlying basis of HS(G)65 is the active involvement and commitment of both management and employees in the policy, planning, implementation and review processes which define the guidance. It emphasizes that the risks must be maintained under management control at all times and that the SMS is not static but must be kept under review to take account of change. It is highly likely that in the event of a serious accident involving fatalities, the management system of the company would be measured against the model described in HS(G)65.
Other guidance
British Standard BS 8800:2004
In the wake of publication of the Management of Health and Safety at Work Regulations 1992 (see Chapter 6) a need arose for a guide on best practice in occupational health and safety management. The result was the publication by the British Standards Institution (BSI) of BS 8800:1996, Guidance on Occupational Health and Safety Management Systems. More recently, the standard has been reissued as BS 8800:2004,² ‘Occupational Health and Safety Management Systems Guide’, revised, and now based mainly on the model set out in HS(G)65. The Standard reflects changes in the law since the original publication and it now provides information pertinent to small and medium-sized businesses. The revised British Standard also takes account of national and international occupational health and safety (OH&S) issues which have arisen since the earlier publication. It gives guidance on:
• the design and implementation of OH&S management systems
• the evaluation of effective OH&S management with a view to continual improvement
• the relationship of an OH&S management system to other management systems standards and how to integrate these.
It provides information about how to minimize risk to employees and others, and how to improve business performance, and advises organizations on how to establish a responsible image within the marketplace. BS 8800:2004 has a number of extremely useful annexes which provide detailed guidance on the content of a management system. The annexes are:
• Annex A (informative): Comparison with other management system standards including BS EN ISO 9001, BS EN ISO 14001, OHSAS 18001 and ILO-OS&H 2001
• Annex B (normative): Guidance on organizing
• Annex C (normative): Promoting an effective OH&S management system
• Annex D (normative): Guidance on planning and implementing
• Annex E (normative): Guidance on risk assessment and control
• Annex F (normative): Measuring performance and audit
• Annex G (normative): Hazardous event investigation.
It is claimed that BS 8800 will ‘help organizations to achieve compliance with their occupational health and safety policies and objectives’.²
International Standard OHSAS 18001
OHSAS 18000³ is an international OH&S management system specification comprising two parts, 18001 and 18002, and embraces BS 8800 and a number of other publications. OHSAS 18001 was developed by a number of the world’s leading national standards and certification bodies together with experts in the field. It was produced to meet a need by commercial organizations for a specification against which they could be audited to obtain third party certification. The management model used in OHSAS 18001 is based on the BS EN ISO 14001 environmental model that was used in BS 8800:1996. To obtain certification there must be in place:
• a safety policy which lists the company safety objectives and declares a high-level commitment to performance improvement coming from top management
• planning systems to include hazard identification, risk assessment, risk control, safety objectives, etc.
• a safety management programme to define the way in which the company sets up and maintains systems and procedures for achieving its objectives
• implementation and operation to include the organizational structure with responsibilities, arrangements for training, awareness raising, competence assessment, communication, staff consultation and documentation and data control, operational control and emergency preparedness and response
• checking and corrective action including performance measurement and monitoring, reporting of accidents, incidents, non-conformances and corrective and preventive action, records and record management and audit
• high-level corporate review of the management system at fixed intervals to ensure its continuing suitability, adequacy and effectiveness.
Organizations which are already accredited under BS EN ISO 9001 (Quality) and BS EN ISO 14001 (Environment) may find the adoption of OHSAS 18001 useful as part of an integrated approach since it was designed with compatibility with these standards in mind.
International Standard: ILO-OS&H 2001 Guidelines
Since its foundation in 1919, the International Labour Organization (ILO, Geneva) has elaborated and adopted a large number of international conventions concerned with OS&H representing a wide body of opinion and including definitions, principles, obligations, duties and rights, as well as technical guidance. One of the ILO’s more recent publications is the ILO-OSH 2001 Guidelines.⁴ The document states that ‘the Guidelines were prepared on the basis of a broad-based approach involving the ILO and its tripartite constituents and other stakeholders. They have also been shaped by internationally agreed occupational safety and health principles as defined in relevant international labour standards’. They are intended, at national level, to establish a framework for OS&H which is backed up by national laws and regulations, and at organizational level to provide guidance on integrating OS&H management system elements into the company’s general policy and management arrangements. The components of the SMS are similar to those of HS(G)65, built into a continual cycle of improvement as shown in Figure 7.2. The components are defined as follows.
[Figure 7.2 International Labour Organization cycle of improvement. Elements shown: Policy, Organizing, Planning and implementation, Evaluation, Action for improvement and Audit, within a cycle labelled ‘Continual improvement’.]
Policy
This should be a concise written document appropriate to the size of organization and the nature of its activities prepared in consultation with workers and made effective by the endorsement of the most senior accountable person in the organization; it should be made available internally and externally for the scrutiny of interested stakeholders. It should include principles and objectives to which the organization is committed relating to the protection of the safety and health of all members of the organization; it must comply with relevant OS&H national laws and regulations, voluntary programmes and collective agreements to which the organization subscribes. It should be kept under continual review to improve OS&H performance and be integrated with other management systems in the organization.
Organizing
This is about ensuring that the employer takes overall responsibility for the OS&H protection of workers, acknowledging that line management has responsibility, accountability and authority to evaluate or control OS&H and the hazards and risks existing in the organization. Competence and training requirements should be defined and implemented covering all members of the organization. The competence of interest here is that which identifies, eliminates or controls work-related hazards and risks, and which implements the OS&H management system. The system needs to be documented and maintained, referring to the allocated key OS&H management roles and responsibilities for implementation of the OS&H management system and the significant OS&H hazards/risks arising from the organization’s activities to be controlled, recording the arrangements, procedures, instructions or other internal documents to implement that control.
Planning and implementation
The guidelines recommend an initial review to evaluate the existing system carried out by competent persons, in consultation with workers. This should identify the current applicable national laws and regulations, etc., identify, anticipate and assess hazards and risks to safety and health in the work environment and determine whether planned or existing controls are adequate to eliminate hazards or control risks. The result of the initial review should be documented and become the basis for making decisions regarding the implementation of the OS&H management system as well as provide a baseline from which continual improvement of the organization’s OS&H management system can be measured. The planning, development and implementation of the system can then take place, including priority setting with objectives, plans to achieve those objectives, with responsibilities and performance criteria and provision of adequate resources. Hazard prevention and control measures are developed including, in order of priority: (a) eliminate the risk; (b) control the risk at source; (c) minimize the risk by design of safe work systems, or provide personal protective clothing where residual hazards remain. Further planning should encompass hazards associated with management of change, emergency preparedness, procurement of goods and services and contracting out of work.
Evaluation
This involves the development of procedures to monitor, measure and record OS&H performance, stating responsibilities, accountabilities and authority for this at different levels in the organization. Performance indicators need to be developed against which the achievement of OS&H objectives can be measured.
This should provide feedback on performance, based on the identified hazards and risks and the stated commitments in the OS&H policy, in the form of information to confirm that the day-to-day arrangements for OS&H are operating effectively.
Action for improvement
This involves corrective action arising from the results of OS&H management system performance evaluation and audits. It starts with identifying and analysing the root causes of any non-conformities with OS&H regulations or OS&H management system objectives followed by implementation of the corrective measures. The effectiveness of the measures needs to be followed up and documented. Continual improvement needs to be practised by reviewing the effectiveness of, and making any necessary changes to, the OS&H management system itself.
Audit
This is shown in Figure 7.2 as a continuous cycle, a ‘wheel within a wheel’, since it encompasses all the OS&H system components described above. It comprises periodic audits to determine whether the OS&H management system and its elements are in place and that they are adequate and effective in protecting the safety and health of workers and preventing incidents. It is necessary to develop an audit policy and a programme which includes auditor competency, audit scope, frequency,
methodology and reporting. In addition to routine audit, there needs to be management review to evaluate the overall strategy of the OS&H management system and whether it still meets the overall needs of the organization and its stakeholders. This identifies and records any deficiencies with plans to implement the necessary changes.
The technical guidance in ILO-OSH 2001, as with many other of its codes of practice and technical publications, reflects the consensual views of the ILO’s 175 member states. It has been adopted in many countries worldwide, at both the national and organizational level, as a framework for an OS&H management system, and in many cases used to strengthen compliance with national regulations and standards. The integration of the OS&H management system elements into a company’s overall business policy and management arrangements is encouraged.
Auditing approaches to safety management
Two of the best known and long-accepted proprietary systems which are available for health and safety auditing have been selected for a brief review based on information which is publicly available on the websites of the companies marketing the system. It should be noted that neither of these audits comprises an SMS; however, they do assist organizations to establish and develop management systems where none exists or they exist only in rudimentary form. They also help to improve existing management systems. The standard against which the chosen audit system evaluates the client is all important and the standards are made explicit in each case. It is equally important that the audit scope is comprehensive in terms of covering all hazards and risk at each facility audited. The potential weakness common to all audit systems is that they only probe the areas identified in the audit plan and if this is not completely comprehensive, some areas of risk may be inadvertently omitted. Any assessment using a checklist is only complete so far as the checklist is complete.
The International Safety Rating System
The International Safety Rating System (ISRS) is a widely used method of auditing existing SMSs which was first developed over thirty years ago by the International Loss Control Institute. In that period it has undergone substantial modification, although the overall principles remain much the same: to provide a points-based rating system that can be used to assist organizations to assess their management systems and identify areas for improvement. The audits are conducted by an accredited or licensed safety auditor who may be internally trained or an independent consultant. The system is proprietary and is currently marketed and applied by Det Norske Veritas (DNV),⁵ a Norway-based independent foundation which offers certification and other services internationally. The latest version of the audit system, ISRS7, was developed by the proprietors as a joint industry project in consultation with the nuclear, chemical and petrochemicals industries.
The ISRS defines the management system as ‘a framework of controls for managing health, safety, environmental, quality and other business risks, which focuses upon continual improvement and involves a series of interconnected control activities’.⁵ The system to be audited is broken down into fifteen areas of management, which are referred to as ‘processes’. For each process the audit presents the user with a question set and points are allocated on the basis of the answers given; the result provides the user with an indication of business performance. The fifteen processes which are audited comprise leadership, planning and administration, risk evaluation, human resources, compliance assurance, project management, training and competence, communication and promotion, risk control, asset management, contractor management and purchasing, emergency preparedness, learning from events, risk monitoring, results and review. The audit can be applied at different levels of intensity, varying from a quick Alpha Assessment based solely on employee perceptions and taking a few days, to an Omega Assessment, which is a much more rigorous and comprehensive audit covering all fifteen processes and taking a few weeks. The ISRS standard has been developed, it is understood, on the basis of what is being done by leading organizations, so effectively the user is being audited against others rather than against an external standard. However, it is claimed that, in its implementation, ISRS meets the requirements of the following standards:
• ISO 9001:2000: Quality Management
• ISO 14001:2004: Environmental Management
• OHSAS 18001:1999: Health and Safety Management
• PAS 55:2004: Asset Management
• Global Reporting Initiative 2002: Corporate Social Responsibility.
The international standard OHSAS 18001:1999 is described above. Global Reporting Initiative 2002 encourages corporate reporting on economic, environmental and social performance by all organizations. The other standards are important, but are outside the scope of this book.
The advantages of the system are claimed to be systematic and effective risk control, advanced management decision support, improved safety, environmental and business performance, the ability to meet and exceed regulatory requirements, optimized work processes using industry best practice, quantified goal setting, internal and external benchmarking, improved personnel behaviour and commitment, global coordination of performance for international organizations, and a single integrated management system to drive continual improvement. Perhaps the greatest advantage is that the audit result is presented as a numerical rating or ‘level’ of achievement against the standards set by ISRS. Levels achieved can vary from level 1 to the highest level 10. The result enables a company, or a single facility within a company, to measure its own progress with time against the standard achieved in consecutive audits. The analysis of the overall result in terms of the contribution from each process enables strengths and weaknesses to be identified, and improvements to be applied to the latter.
CHASE Audit and Evaluation programme
The CHASE Audit and Evaluation programme⁶ is a software-based proprietary safety management audit tool which includes active monitoring by line managers and independent auditing. Three CHASE modules are available, in the fields of health and safety (audited against HS(G)65 or OHSAS 18001), environment (audited against ISO 14001) and legal compliance. The standard, e.g. HS(G)65, on which the audit is based, generates the interactive question sets within the module. The modules come with the CHASE package or can be user generated to provide maximum flexibility and tailor the audit to suit particular situations. Once the module has been set up it is applied to areas where an evaluation is required. The area structure usually reflects the management structure of the organization, such as administration, maintenance, production, security, stores or workshops. As the questions appear they can be answered ‘yes’, ‘no’ or ‘not applicable’. No score is registered for the latter. There is also the possibility for the user to enter comments or other notes relating to questions.
Each question set relates to a particular area being evaluated, such as the OS&H policy, for instance. The questions then flow progressively through the set, to test the implementation against the chosen standard. For each question, guidance is provided referring to the requirements of the standard. Thus, the first question may be, for example, ‘is an up-to-date copy of the written policy available at the location?’ Guidance states that ‘OHSAS 18001 requires that an organization has a written policy which establishes an overall sense of direction for the organization. This policy must be promulgated throughout the organization’. The answer given could be ‘yes’, with an additional comment entered into the programme such as ‘a copy dated 12 March 2006 is held at the general manager’s office’.
The second question explores the subject further, for example, ‘have the contents of the policy been communicated to all employees?’ The guidance states that ‘OHSAS 18001 requires the safety policy to be communicated to all employees’. The answer this time may be ‘no’. When questions are answered ‘no’ the user is able to enter recommendations and set priorities, ‘completion due’ date and ‘completed’ date to enable them to be tracked over time. Thus, a recommendation for the second question may be added such as ‘a summary of the policy should be sent to all employees including the location of the policy and how to gain access to it’, with a completion date by which the recommendation must be actioned. The user progresses in the same way through the list of questions until that area has been fully audited. An analysis page can be accessed to show the scores for the evaluation and the percentage completion presented as either a table or a chart. When the whole audit is complete a comprehensive report can be printed off showing the results. In addition, the current score can be compared with the scores from previous evaluations in order to monitor progress by area. Areas can be broken down to subsections as appropriate for more detailed analysis. The system can easily be interrogated to produce sorted lists of recommendations for implementation by the manager responsible for an area of activity. The CHASE system can also be adapted to conduct behavioural safety interviews with employees on a one-off or unscheduled basis as and when required. Questions are generated by CHASE relating to a
particular task and the way it is carried out, use of safety equipment, etc. Each question in turn is submitted to the employee, the interview response being recorded together with comments and recommendations as for the safety audit. Again, a full report can be printed off.
The advantages claimed for the CHASE system are that it helps to establish procedures for risk assessment and control, identifies health and safety training needs, provides an effective means of active monitoring and auditing safety performance, reinforces the role of line managers in the management of safety and provides an effective self-training tool for managers. It is flexible enough to carry out a check against the chosen philosophy of either the HSG65 model as in BS 8800 and the second edition of the HSE publication Successful Health and Safety Management or OHSAS 18001 and the associated 18002 guidance. It is thus auditing against the UK regulator’s requirements or against an international standard.
A generic internal safety audit
Conventional safety audits do not meet the same stringent principles that are applied, for example, in financial audits. Financial auditing, by its very nature, is all encompassing in its scope and follows a set of strict guidelines. In addition, a financial audit produces results which definitively establish whether an activity is ‘successful’ in meeting strict objectives by balancing monetary sums and cash flows, and it is able to identify precisely where deviations are occurring. Such precision is not possible with a conventional safety audit simply because there is no equivalent ‘currency of safety’ by which success can be definitively measured. Moreover, most safety audits are only capable of sampling limited aspects of work activities at any one time with the hope that the high-risk areas have been covered; they do not set out to audit every aspect of an operation, although given sufficient resourcing, even this may be achieved over a long enough period. The idealized approach which follows defines in a simple way the main generic characteristics of an audit of a company’s SMS. It provides a basis for developing a typical workplace audit.
Stage 1: Prepare an audit plan
The plan sets the frequency, scope and objectives of the auditing arrangements to ensure that the main component parts of the company’s facilities are audited selectively over time. A lead auditor needs to be appointed to prepare and agree the plan with senior management, obtaining their support both in provision of audit resources and in ensuring that staff time is allocated for interviews and discussions. The lead auditor will also manage the audit programme and coordinate the activities of internal safety auditors, dealing with problems which arise. The output from the audit plan is a timetable of audits and locations, but will not at this stage include the detail of the audit procedures. The scope and frequency of the audit are always determined by the nature of the hazards and risks associated with the company’s operations, the importance of the activities taking place and the results from previous audits. Those activities which are high risk, have higher importance and have had non-conformance problems in previous audits will be prioritized in the planning of audits.
Stage 2: Prepare an audit procedure
The audits identified in the audit plan are developed in the form of written procedures for each audit activity. An audit procedure will comprise two main components:
• a standard against which compliance is checked
• a checklist developed for each item from a prioritized list of facilities/activities to be audited and based wherever possible on the standard.
In general, the standard should determine the scope of the checklist, but in practice it is an iterative process since standards are not always immediately applicable to every situation without some degree of interpretation. In some cases, therefore, elements of the checklist themselves come to form the standard. Where this is the case, it should be noted in the audit procedure, i.e. the adoption of ‘internal’ standards. The procedure may include other elements such as the competence requirements and attributes of the persons carrying out the audit. For instance, the auditor should possess knowledge of the SMS, including operational and procedures manuals, be proficient in both written and verbal communication, and should have credibility within the organization.
Stage 3: Audit implementation
The main purpose of an audit is to make a comparison between an ‘actual’ situation being audited and a notional ‘ideal’ situation which is defined largely by the audit standard, against which compliance is being measured, and identify where there is a mismatch. However, as discussed above, it may not always be possible to define the ideal situation in terms of an external standard, and the audit checklist and questions will then form the standard. Ideally, this ‘internal’ standard setting will be completed in advance during the preparation of the procedure and be approved by local management. It may be defined by best practice, or accepted practice within the organization. Compliance cannot always be measured in pure black-and-white terms and quite often questions may arise about whether the ideal situation is realistically achievable or applicable to the actual situation. This needs to be investigated with management, become part of the audit report and later be subject to management review. Thus, some degree of subjective judgement by the auditor is always necessary to decide whether and to what degree compliance has been achieved and, if not, why not.
Stage 4: Reporting the audit results
In this stage, non-conformances between the actual and ‘ideal’ situation are reported, together with recommendations for corrective and preventive action. The report is communicated to the appropriate level of management for the requisite changes to be made and improvements implemented. The timetable for improvements is agreed between the responsible levels of management and noted in the report. The recommendations for improvements are carried forward to the next audit to ensure that they have been implemented. The report is maintained on file for future reference.
Behaviour-based approach to safety management
As with auditing approaches, behaviour-based methods do not themselves comprise an SMS. They provide a method of observing unsafe behaviours and analysing these based on the insights of behavioural psychology to suggest ways in which the behaviours can be modified. They are therefore used to bring specific identifiable safety problems under intensive scrutiny, rather than providing a comprehensive overview of safety management. This section describes the approach and gives examples of its application in practice. Some proprietary methods are referenced for further study if required.
The safety pyramid
The behavioural approach is based on the premise that 88 per cent of all accidents are caused by unsafe acts of people, 10 per cent by unsafe conditions and 2 per cent by acts of God or events beyond human control. These figures come from Heinrich’s analysis of 75,000 accident reports in the 1920s [7]. The behaviour-based theory of accident prevention refers to unsafe acts as unsafe behaviours. Since the majority of accidents are attributable to this cause, the theory proposes that changing people’s behaviour can have a major influence on the frequency of accidents. The image presented is of a huge ‘cloud’ of unsafe behaviours only a few of which lead to an accident, usually when combined with some other coincidental event. Only a small proportion of accidents result in lost time and an even smaller proportion lead to a fatality. This theory, illustrated by Heinrich’s safety pyramid [7], shown in Figure 7.3, has dominated accident prevention thinking for over seventy years.
[Figure 7.3 The safety pyramid (based on Heinrich [7]). Levels from apex to base: fatality; lost time injuries; first aid; unsafe behaviours.]
If unsafe behaviours are the precursors of accidents, then it follows that if the behaviours can be controlled the accident rate will also be brought under control. One approach to controlling unsafe behaviour is to attempt to change people’s attitudes to the way work is carried out, so that they will, as a result, change the way they behave. The behavioural approach suggests that changing attitudes in order to change behaviour is a counter-productive effort which has a poor payoff and rarely leads to permanent improvements in safety. Common examples of efforts to change attitudes and ultimately behaviour are the use of safety notices and management schemes which implore employees to behave more safely with incentives of reward or punishment. The main problem with trying to change attitudes is the difficulty of measuring whether an improvement has been achieved (apart from perhaps assessing whether the accident rate has been reduced, which is a purely reactive and long-term approach to improving safety).
Attitude versus behaviour
The behavioural approach to safety recognizes the difficulty of measurement of attitude. A well-known quality principle states that ‘only what can be measured can ultimately be controlled’. The approach therefore suggests that the relationship between attitude and behaviour must be turned on its head. A change in attitude can certainly change behaviour, but a change in behaviour can also lead to a change in attitude.
Seatbelt example
The most well-known example of this principle is the wearing of seatbelts. When seatbelts were first introduced, many drivers believed that they did not improve safety since they would make it more difficult for the wearer to exit the car in the event of an accident (attitude). The fact that an injured driver could not exit a car and that seatbelts reduced injuries was often ignored. Contributing to the reluctance to wear a seatbelt was the inconvenience of having to don the belt before every journey (attitude). However, when the law (in the UK) made it mandatory to wear a seatbelt (behaviour), drivers started to change their habits. As drivers became used to the idea of wearing a belt at all times, the change of behaviour led to a change of attitude and drivers (and passengers) no longer felt safe if they did not strap themselves into the vehicle. The principle adopted by the seatbelt safety campaign was that it was much easier to change behaviour than to change attitude. Furthermore, it is very much easier to measure behaviour (since it is observable) than it is to measure attitude (which is internalized but can be revealed through behaviour). The ability to measure behaviour leads to the possibility of changing it.
Antecedent–behaviour–consequence
The behavioural approach to safety, by concentrating upon the way people behave, is founded on the early work [8,9] of B.F. Skinner (1904–1990), the founder of behavioural psychology. Skinner argued that all voluntary behaviour is triggered by external stimuli; he called a stimulus that elicits a response an ‘antecedent’ (he also argued controversially that no ‘internal events’ could act as stimuli, thus introducing an element of determinism into his theory). The ‘antecedent’ is followed by the ‘behaviour’ it elicits, which is in turn followed by an environmental ‘consequence’. Thus, the model of human behaviour that Skinner proposed was based on the sequence of antecedent–behaviour–consequence (ABC). Skinner also showed that the most powerful determinant of behaviour is the consequence. This is in contrast to the antecedent, which is merely the trigger for behaviour, although it can, as will be shown, also predict the consequence.
Audiovisual alarm example
An example of this in an industrial context is an audiovisual alarm in a control room which indicates high process temperature. When the alarm is activated, the operator upon noticing the alarm (antecedent) is motivated to correct the process variable by increasing the flow of cooling water (behaviour) to the process. The consequence of not increasing the flow of water is that the process will shut down, production will be lost and the operator will be reprimanded. It is the consequence, therefore, that is the more powerful influence upon the operator’s behaviour; much more than the antecedent (the audiovisual alarm) which merely triggers the behaviour. In the not unusual situation where the alarm gives frequent false activations, the operator is likely to develop a different behaviour of cancelling and ignoring the alarm, taking no further action. This behaviour is also driven by the consequence, in this case, the wasted effort in investigating what has been construed as a false alarm. Although the antecedent is still the same (the alarm), the consequence is different and this now drives a different behaviour. However, in the new context, as in the old, the antecedent remains a predictor of consequence as far as the operator is concerned.
Effects of consequence
The way in which consequences drive behaviours can vary enormously, depending upon their relative strengths and weaknesses as behaviour determinants. A simple set of rules can be formulated to decide where the consequences lie on a spectrum of strength–weakness. The rule is often referred to as soon–certain–positive, representing the parameters timing–consistency–significance, respectively. This is illustrated in Table 7.1. The table can be interpreted very simply in common sense terms using an everyday example: smoking.

Table 7.1 Consequence table

| Consequence | Timing | Consistency | Significance |
|---|---|---|---|
| Strong | Sooner | Certain | Positive |
| Weak | Later | Uncertain | Negative |

Smoking as an example of strong/weak consequences
Smoking is well known to have serious consequences and is therefore a common example of an unsafe behaviour. The fact that smokers are aware of the serious consequences yet continue to indulge in the unsafe behaviour can be explained by analysing the relative strengths and weaknesses of the consequences using the three parameters of timing, consistency and significance.
Timing
The sooner a consequence occurs following a behaviour, the stronger will be its effect upon the behaviour and vice versa. Many young people take up smoking, even though it is known to cause lung diseases (cancer or respiratory illnesses), because the onset of the disease is later, since it is a delayed, long-term effect. However, the pleasure of smoking and the gratification of the addiction are immediate effects (sooner) and are therefore much stronger in determining behaviour. Although the consequences are negative (illness or early death) their timing makes continued smoking more likely.
Consistency
The more certain the consequence of a behaviour the stronger its effect upon the behaviour and vice versa. In the case of cigarette smoking, it is uncertain (in the smoker’s perception) that the outcome will be illness or early death (not all smokers die of these diseases), therefore the influence on behaviour (in this case a positive influence: to stop smoking) will be weak and the person will continue to smoke.
Significance
When the consequence of a behaviour is positive for the person (more pleasurable or gratifying) then the stronger will be its effect upon the behaviour and vice versa. In the case of smoking, the consequence is positive reinforcement since the person derives pleasure each time a cigarette is smoked. The effect is to influence the person to continue smoking. The health consequence of smoking is negative and therefore has less influence on behaviour. The three factors combine to make people more likely to start cigarette smoking and then continue the habit which, because of the addictive qualities of tobacco, is extremely difficult to give up.
ABC analysis example: failure to wear goggles
In the behavioural safety approach, the principle of timing–consistency–significance is used to examine and control or alter behaviour using an ABC analysis. The objective of the analysis is to determine which consequences are impelling an observed unsafe behaviour and then attempt to change these so that they favour safe behaviour. In order to accomplish this it is necessary to identify:
• the antecedents and consequences in relation to the behaviour of interest
• whether they operate ‘for’ (in favour of) the unsafe behaviour or ‘against’ (tend to promote safe behaviour)
• where they lie on the spectrum of strength–weakness using the above rule set.
From this it is possible to analyse systematically the consequences which may determine the wearing of an item of personal protective equipment (PPE) such as safety goggles when cutting timber in a sawmill. The example is based on the approach described by Thomas Kraus [10] and used by Behavioural Science Technologies (BST) [11].
Stage 1: Analyse the unsafe behaviour
This involves constructing an ABC table to show antecedents and consequences for the unsafe behaviour always stated in observable terms, in this case failure to wear goggles. This information is obtained by a combination of observation and staff interviews. For the purposes of the analysis the consequences are rated in terms of:
• timing: sooner (S) or later (L) in time
• consistency: certain (C) or uncertain (U) to happen
• significance: positive (P) or negative (N).
Where the consequence rating is not clear one way or the other, the two are combined, e.g. neither positive nor negative is P/N. Based on the ratings each consequence is then assessed as to whether it favours (for) or inhibits (against) the unsafe behaviour and the strength (S) or weakness (W) of its effect (Table 7.2).

Table 7.2 Analyse the unsafe behaviour
Failure to wear goggles (the consequence rating comprises the timing, consistency and significance columns)

| List of antecedents | List of consequences | Timing | Consistency | Significance | For or against | Strength/weakness |
|---|---|---|---|---|---|---|
| Goggles not readily available | Saving in time | S | C | P | F | S |
| Goggles not readily available | Greater comfort | S | C | P | F | S |
| Goggles not replaced | Better visibility | S | C | P | F | S |
| Peer pressure | Improved ‘image’ (macho) | S | C/U | P | F | S |
| Inadequate training | Eye injury | L | U | N | A | W |

Timing: S: sooner; L: later. Consistency: C: certain; U: uncertain. Significance: P: positive; N: negative. F: for; A: against. S: strength; W: weakness.

From Table 7.2 it can be seen that four out of five of the consequences are strong (S, C and P) and are driving the unsafe behaviour. The consequence that should be of most significance, eye injury, has the weakest effect on behaviour since it is perceived as delayed (L) and uncertain (U) and is negative (N).
Stage 2: Analyse the safe behaviour
Based on Table 7.2, a new table can be constructed which shows how the safe (opposite) behaviour might best be promoted, as shown by Table 7.3. The new list of antecedents has been generated from the previous list by providing a set of countermanding conditions to those that originally triggered the unsafe behaviour. There is no longer any excuse for staff not to wear goggles because they are not available. Moreover, they are now available in good condition (replaced regularly), giving proper visibility. Changing the peer pressure from one which promises a more ‘macho’ image to one which preferentially favours safe behaviour by providing better role models is a matter of culture change and will have a positive consequence. Although this culture change may take longer to achieve, it will ultimately have a long-term benefit on other areas of behaviour apart from the wearing of goggles. It should be noted that the negative consequence of eye injury remains the same and continues to have a weak effect upon behaviour. The ultimate result has therefore been to replace the stronger consequences that previously reinforced unsafe behaviour with ones that now support safe behaviour.

Table 7.3 Analyse the safe behaviour
Failure to wear goggles (the consequence rating comprises the timing, consistency and significance columns)

| List of antecedents | List of consequences | Timing | Consistency | Significance | For or against | Strength/weakness |
|---|---|---|---|---|---|---|
| Allow more time for tasks to be carried out safely (with goggles) | Time or production pressures do not conflict with safety | S | C | P | F | W |
| Make goggles more readily available | Feels ‘uncomfortable’ not wearing goggles | S | C | P | F | S |
| Ensure goggles are replaced regularly | Better visibility | S | C | P | F | S |
| Provide better role models (e.g. supervisor) | ‘Safe image’ is a good image | S | C | P | F | S |
| Provide better training | Eye injury | L | U | N | F | W |

Timing: S: sooner; L: later. Consistency: C: certain; U: uncertain. Significance: P: positive; N: negative. F: for; A: against. S: strength; W: weakness.

Stage 3: Formulate an action plan
This takes the information provided by the stage 2 analysis and turns it into a plan of action with a timetable to implement the necessary changes to confirm the new antecedents and by implication the more favourable consequences. Because antecedents determine behaviour by predicting consequences, the consequences that previously favoured the unsafe behaviour have now largely been reversed and will now favour safe behaviour. It should be noted that only antecedents that predict strong consequences have been adopted in this example. Safety notices (to wear goggles) and reprimands for unsafe behaviour may be provided but, according to behavioural theory, these measures are not very effective since they predict weak consequences (delayed timing, uncertain and, in the case of reprimands, are negative). Rewards to recognize safe behaviour (e.g. safety awards) are similarly not very effective because, even though they are positive, they are also delayed, traditionally being based on historical accident statistics rather than observed behaviour. The whole plan hinges on the theory that actions (wearing goggles) with positive results tend to be repeated, whereas actions with negative results are more likely to be avoided. It is important to the whole exercise that the wearing of goggles is clearly demonstrated to yield benefits since this will in turn reinforce the new behaviour so that safe working becomes habitual (as with the seatbelt example). The desired end result is that the change in behaviour has led to a permanent change in attitude.
Proprietary behavioural programmes
Several proprietary behaviour-based safety programmes are available on the market internationally. Among the most prominent are BST and the STOP programme marketed by DuPont.
Behavioural Science Technologies
Behavioural Science Technologies (BST) [11] is a global safety consultancy founded by Thomas Kraus [10] which claims to develop safety leadership capability, create high-performance cultures and strengthen employee commitment to safety by applying unique processes, technology, tools and training. It has recently been reported [12] that there has been a shift in emphasis in the company’s approach away from the use of the word behaviour (which has connotations of blame) to the concept of working interface, which more encompasses the whole of the employee’s exposure to risk, including the equipment being used, the environmental conditions and organizational influences. This overcomes the potential problem with behavioural approaches that the observations will focus overmuch on the employee and may miss certain less obvious exposure risks.
DuPont STOP programme
The DuPont STOP programme [13] is founded on the principle that all injuries and occupational illnesses can be prevented. It focuses upon training the employee to consider safety in all aspects of their work. It concentrates upon on-the-job safety and utilizes eleven safety principles which focus upon the personal responsibility of each worker for their own safe behaviour. Employees are trained to adopt two principal techniques: self-observation and total observation. Self-observation requires employees to visualize the way in which the job used to be carried out and how it will be carried out, comparing these to ensure safe behaviour. Total observation is more intensive and requires the employee to use all their sensory inputs to check that their work is being carried out safely. The programme is based on an inventory of critical worker behaviours derived from trained observation by both workers and supervisors with the aim of identifying unsafe acts. Significant management commitment to the programme is integral to the approach.
Analytical approaches to safety management
Two very different analytical approaches are described below, both of which are considered to be representative of this category of SMS analysis and development. The Management Oversight and Risk Tree (MORT) is a well-established methodology which uses a diagrammatic fault tree approach to build up a picture of how an accident may occur, focusing on the strengths and weaknesses in the control and management systems. The second approach describes a method of systems analysis of existing or proposed management systems for safety critical activities (SCAs) which resembles a quality assurance approach.
Management Oversight and Risk Tree method
The Management Oversight and Risk Tree (MORT) [14] originated in the early 1970s and was based on work carried out to provide a risk management programme for the US nuclear industry which was compatible with and able to analyse complex management systems. It comprises a diagrammatic approach which utilizes a form of fault tree to analyse the way a process is organized in order to identify gaps in the protective barriers which are supposed to protect it from losses. The events in the tree represent management and organizational weaknesses using conventional AND and OR gates. The tree is not solved mathematically, however, as with a standard fault tree; it is merely a representation of events associated with an incident or accident drawn up to increase the understanding of the interactions between them. In addition, MORT can be used as an accident investigation tool to analyse an accident that has already happened. The detailed MORT analysis represents a dialogue between the user and the situation being investigated using a generic question set provided in the MORT Manual [14] to guide the process. The sequence of questions builds up a logical interrogation of the situation in such a way that facts are revealed which may not have previously been obvious. New lines of questioning may therefore be opened up. The question set also provides the user with confidence that the investigation process has been comprehensive. The interpretation of causes is made easier by the fact that the information flow is developed and presented in a diagrammatic fashion resembling a fault tree. The reader is referred to the MORT Manual [14] (available online) for further details of the method.
Safety Management Organization Review Technique method
A modification of the basic MORT analysis, as described above, has been developed in Sweden and is called the Safety Management Organization Review Technique [15,16] (SMORT). It comprises evaluations using a checklist of two types of factors:
• safety-specific factors (management factors which are specifically designed to promote safety in the organization), including safety attitude, safety equipment and protective equipment, emergency preparedness, safety experience exchange, and safety programme activities (safety objectives, safety organization, safety representatives, inspections, safety meetings, accident investigation and safety action plan).
• general management factors (management factors to improve the production system and organization in general), including education and training, machines and technical equipment, maintenance, transportation and storage, housekeeping procedures and activities, communication, leadership and work administration.
Relevant causal factors identified begin with risk critical factors at the workplace level and proceed by expanding the analysis to all levels of management in the organization. Information and data for input to the analysis are obtained from staff interviews and document review. It can be used for investigating accidents which have occurred or indeed to assist in planning the development of safety systems and in auditing these.
A systems approach to managing safety
Introduction
‘Managing safety’, as discussed earlier, is something of a contradiction. Strictly speaking, ‘safety’ is the desired outcome of work that is properly controlled by management. The work can and must be managed; it is debatable whether safety per se can be managed. The main premise of this book is that when things go wrong, it is the responsibility of management. If management is unaware that work is not being undertaken safely then it is the responsibility of management to have made themselves aware. Management systems should be designed to enhance this awareness.
The method described below was developed and used by the author over a number of years, mainly in the offshore oil and gas industry [17]. It is an activity-based system analysis based on the underlying philosophy that most accidents occur as a result of work not being properly controlled by management in respect of the way it is carried out. When work is carried out correctly it will be done according to company prescribed procedures, authorized working methods or best practice. If work is properly controlled by management then accidents, including large-scale accidents, can be prevented. Most of the major accident case studies described in Appendix 2 have a common link. They occurred, not under abnormal or exceptional conditions, but during normal routine operations. However, because of a lack of effective control by management, routine work activities deviated from accepted norms. In some cases, these deviations had themselves become routine, yet were still not detected by management. The work activity might have been proceduralized but procedures had not been followed. In other cases procedures either did not exist or were inadequate to control the work.
The approach involves a complete analysis of management systems to check that all SCAs taking place at the company’s facilities are properly controlled. This includes activities at both management and workplace level, but with particular emphasis on routine activities wherever there is a safety implication. The approach is quite demanding in its scope. Systems for controlling work must be identified together with the manager or owner of the systems as well as methods to verify compliance. In order to analyse the complete system in its entirety, it is decomposed into a discrete set of subsystems following the generic ‘systems method’ illustrated in Figure 7.4. The rest of this section describes how the systems method is applied to the management of safety. A worked example of the method of application can be found in Appendix 3.
[Figure 7.4 Generic systems method. Level 1, System: define system boundary. Level 2, System description: describe the system to be analysed. Level 3, System model: decompose the system to component parts. Level 4, System analysis: determine the failure impact of system components. Level 5, System improvements: recommend improvement measures.]
System description
The analysis commences with the system description. Any industrial operation can be described in terms of a set of work activities. The set of activities is often the same or very similar for the same industrial operation, whether it is oil and gas drilling operations, the operation of a nuclear power plant or managing a rail network. However, the way the set of activities is organized and managed for that operation is likely to vary considerably across different companies even though the set of activities is roughly the same. Depending on the operation, some of these activities will be safety critical. This is determined by the nature of the hazards generated and the level of risk they pose. The description begins by identifying the set of SCAs which characterizes the operations, or for an existing management system by confirming that the set of activities is complete. A criticality rating of 1–3 is assigned to each activity to indicate the degree of risk, using a scheme such as:
1. High risk: where a failure can lead to potentially catastrophic consequences involving loss of life or extensive property damage, i.e. major hazard risk.
2. Medium risk: where the effects of failure are not so severe but possibly involve serious injury or local property damage.
3. Low risk: activities which are only marginally safety critical, first aid injury and negligible property damage.
The first step is to identify all the activities which characterize the operation, including non-SCAs. This demonstrates completeness. The second step is to identify which of these are safety critical and then to assign these a criticality rating. The output is a catalogue of all activities. This forms the system description for the purposes of the analysis. Only the SCAs are modelled and analysed in the rest of the process.
System model The analytical approach requires that for every SCA an identifiable management system must exist. In order to analyse the systems in place a management model is used to represent the real-world system. The systems model adopted here comprises three essential elements. These are a means of control, a defined responsibility for implementation of that control and a system for verification of compliance with standards and procedures. For any SMS to provide confidence for senior managers, it must be possible to demonstrate that for each SCA all three elements of the model are present, are being used and are effective given the level of risk. The elements are defined as follows.
Means of control It is management’s responsibility to ensure that every SCA which has been catalogued in the system description has an effective means of control. To provide management confidence it is necessary to demonstrate that the means of control provided is fit for purpose. Whether a system is fit for purpose is defined by how effective the means of control are in relation to the level of risk (see below) from the activity. For activities at criticality rating 1, the means of control must be highly formalized. It will ideally consist of a ‘paper’ system with a formal audit trail, and will include a set of documents demonstrating the existence of control procedures, work procedures and lines of communication.
For activities at criticality rating 2 the means of control may be less formalized. However, it will still be necessary to record the basis of the system and why it is considered adequate. For activities at criticality rating 3 it is sufficient for the responsible manager merely to record a brief description of how the work is controlled or summarize this in the form of a communications flowchart of the system. The approach is essentially risk based, with an emphasis upon the system being fit for purpose in relation to the risk. In setting up formal SMSs it is important to avoid unnecessary bureaucracy by recognizing that managers’ time needs to be prioritized. However, this is important not just for the sake of time management, but also because systems which inappropriately (in relation to the risk) overburden managers are likely to be supplanted by unofficial, ad hoc and possibly inadequate methods of working. When implementing SMSs it is important to ensure that the systems are ‘owned’ by the manager using the system. This means that the manager must have been involved in the development and implementation of the system. Rather than develop new systems, it is often better to bring existing systems up to standard, making them fit for purpose, by formalizing and improving what is already happening.
Types of procedure The means of control usually comprises two types of procedure, one of which is subservient to the other. The top-level procedure is a control procedure which describes how a work activity is controlled and monitored by a manager. It may also be described as a management procedure. The lower level of procedure is the work procedure which describes how the work activities are carried out. It can also be described as a technical procedure, an example being a procedure to undertake a safety critical maintenance activity.
There may be a large number of such work procedures which are subservient to a maintenance control procedure, owned by the maintenance manager for example. The control procedure is very similar to a quality procedure in that it will list the work procedures in use, when they were issued and last updated, the location and ownership of controlled copies, etc., together with the formal methods for routine monitoring of the work and verifying compliance by monitoring and audit (see below).
Responsibility for implementation The underlying principle here is that there must be no responsibility without control. For every SCA there must be two identified management job functions with responsibility for correct implementation of the activity. The named functions are:
• Direct responsibility: a job function having direct responsibility for the activity being implemented correctly. This usually means a day-to-day responsibility for managing the work; although this may to some degree be delegated to others under strict control (e.g. supervisory functions), the responsibility is not delegated. The maintenance manager who owns and operates the relevant control procedure for maintenance is a typical example of this job function.
• Ultimate responsibility: a job function having ultimate responsibility for the activity being implemented correctly. This usually means an ‘overview’ responsibility for ensuring that the work is managed effectively. It is usually a senior manager who has this role and it is mainly a delegated function, usually to the named manager who has direct responsibility as above. But, as before, the ultimate responsibility is not delegated. An operations manager, to whom the maintenance manager reports, among others, is a typical example of this job function.
This element of the SMS exists in order to demonstrate how each activity is implemented and who is ultimately responsible. It is possible that a single job function may combine both responsibilities, but this is rare. The manager having direct responsibility will own one or more control procedures defining how work is carried out according to work procedures as described above. In addition, the manager with ultimate responsibility will also need to develop a control procedure describing the function(s) with direct responsibility reporting to him (it is likely that more than one manager with direct responsibility will report to the function). The responsibilities are fully documented in the control procedures.
Verification of compliance The provision of an adequate means of control and the identification of the responsibility for implementation are essential building blocks of the systems approach to safety management. These must be in place to demonstrate that all SCAs are under management control. However, merely ensuring that these components are in place is insufficient without a demonstration that they are being used as intended on a routine basis. This demonstration is provided by the third building block, verification of compliance. Two methods of verification are required to provide confidence that the overall system is effective. These are monitoring and audit.
Monitoring Monitoring is the prime responsibility of the two job functions named previously, which have been identified as having direct and ultimate responsibility for implementation of the activities. As owners of the documented means of control, they are responsible for ensuring that they are being used. In order to gain this assurance, a system of monitoring needs to be set up. The most effective system of monitoring comprises a control loop with three elements, all of which need to be in place to give the required level of assurance:
• feedback to the responsible job function about what is actually happening
• decision by the responsible job function on what must be done to rectify any deviations from work or control procedures
• action by the job function responsible for implementation to implement the decisions.
This control loop is entirely analogous to the type of dynamic control loop which exists for process control purposes, comprising measurement (of variable), comparison (with desired value) and correction (with actuating element). The control procedure must itself specify the system of monitoring in terms of frequency and the method of monitoring the activity using the three elements of the control loop as appropriate. This may seem onerous, but is in line with quality principles and the requirements of a number of regulatory approaches (see above). As with the means of control, the complexity of the system must be kept in proportion to the safety criticality of the activity. Monitoring is a routine activity of the identified responsible job functions and in many cases may amount simply to the well-tried technique of ‘management by walking around’.
Audit Audit is a third party independent verification to show that the elements of the SMS, that is, the means of control, responsibility for implementation and monitoring (under verification of compliance), are in place and being used as intended. The audit should also provide assurance that the SMS being audited is still appropriate for the activities being controlled. This is necessary to take account of changes in the activity (or new activities) not controlled by the SMS and changes to the organization which may affect job function accountabilities. The audit frequencies, methods and reporting routes should also form part of the control procedures.
System analysis: criteria for success The systems model described above is built from three essential elements consisting of means of control, responsibility for implementation and verification of compliance. The development of the model may be delegated to suitably qualified staff within the company or be undertaken by external consultants. The catalogue of activities is usually developed by means of structured interviews with key job functions in the company from divisional director level downwards. This is often more effective than reliance on documented sources such as job descriptions, which may be out of date or inaccurate, not always reflecting the activities actually taking place. Interviews with key personnel have the added advantage of ‘selling’ ownership of the model as well as enabling the analyst to understand the prevailing safety culture. The means of control and the responsibilities for implementation are documented using a combination of interviews and a review of existing documentation. In most companies, the basis for the system will already be present and all that may be required is formalization and incorporation of existing documents into the model structure. The analytical part of the process involves an assessment of whether the model meets three criteria for success. These are:
• Completeness: if essential parts of the model are found not to be present then action will be needed to rectify these omissions.
• Adequacy: this ensures that the parts of the model that are present are fit for purpose as defined above. Any that are not will need to be upgraded to an adequate standard.
• Validation: this ensures that the systems represented by the model are being used in practice. This is not the same as verification of compliance, which in this context is a continuous process to satisfy individual managers that procedures are being followed.
Each of the three criteria needs to be met for each SCA. Completeness is fairly straightforward; if something is missing, then its absence from the model will be obvious. Adequacy is more a matter of judgement, but will depend heavily on whether the level of formalization is appropriate for the assessed safety criticality. Validation should ideally be provided by an independent third party.
System improvement The results of the analysis are recorded in the form of a set of safety management tables, with one table being prepared for each identified activity. This structured documentation set immediately identifies gaps and deficiencies in the system model. This in turn generates recommendations for corrections and improvements to the systems for controlling work. Corrections are made to the system model (SMS) as revealed by the analysis. Improvements are made to the system (of management) where the existing systems are suboptimal with regard to safety. The final stage of the analysis, once the three criteria have been met, involves the translation of the safety management tables into a safety management manual. This will be a record of the SMS written in such a way that future review and auditing is supported. A typical set of safety management tables is reproduced in Appendix 3, with the information entered showing part of the exploration and drilling department of a hypothetical oil and gas company.
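The gap analysis described above can be sketched in code. This is an added example, not taken from the book or its Appendix 3: the field names, the formality labels and the sample catalogue are assumptions constructed for illustration, and the three criteria are applied as the text defines them.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Criticality(IntEnum):          # rating scheme from the system description
    HIGH = 1
    MEDIUM = 2
    LOW = 3


class Formality(IntEnum):            # assumed labels, ordered weakest to strongest
    NONE = 0
    BRIEF_DESCRIPTION = 1            # brief description or communications flowchart
    RECORDED_BASIS = 2               # basis of the system and why it is adequate
    FORMAL_AUDIT_TRAIL = 3           # 'paper' system with a formal audit trail


# Minimum formality of the means of control for each criticality rating.
REQUIRED_FORMALITY = {
    Criticality.HIGH: Formality.FORMAL_AUDIT_TRAIL,
    Criticality.MEDIUM: Formality.RECORDED_BASIS,
    Criticality.LOW: Formality.BRIEF_DESCRIPTION,
}
CONTROL_LOOP = frozenset({"feedback", "decision", "action"})


@dataclass(frozen=True)
class Activity:
    name: str
    criticality: Optional[Criticality]        # None = not safety critical
    formality: Formality = Formality.NONE     # means of control
    direct_responsibility: str = ""           # named job function
    ultimate_responsibility: str = ""         # named job function
    monitoring: frozenset = frozenset()       # control-loop elements in place
    audit_defined: bool = False
    validated_by_third_party: bool = False


def analyse(activity):
    """Return (criterion, finding) pairs for one SCA; an empty list means no gaps."""
    if activity.criticality is None:
        raise ValueError("only safety critical activities are modelled")
    findings = []
    # Completeness: every element of the model must be present.
    if activity.formality is Formality.NONE:
        findings.append(("completeness", "no means of control"))
    if not activity.direct_responsibility:
        findings.append(("completeness", "no direct responsibility"))
    if not activity.ultimate_responsibility:
        findings.append(("completeness", "no ultimate responsibility"))
    missing = CONTROL_LOOP - activity.monitoring
    if missing:
        findings.append(("completeness",
                         "monitoring loop lacks: " + ", ".join(sorted(missing))))
    if not activity.audit_defined:
        findings.append(("completeness", "no audit defined"))
    # Adequacy: what is present must be formal enough for the rating.
    required = REQUIRED_FORMALITY[activity.criticality]
    if Formality.NONE < activity.formality < required:
        findings.append(("adequacy",
                         f"means of control is {activity.formality.name}, "
                         f"rating {activity.criticality.value} needs {required.name}"))
    # Validation: independent evidence that the system is used in practice.
    if not activity.validated_by_third_party:
        findings.append(("validation", "no independent validation"))
    return findings


def analyse_catalogue(catalogue):
    """One findings list per SCA; non-SCAs stay in the catalogue but are not analysed."""
    return {a.name: analyse(a) for a in catalogue if a.criticality is not None}


# Constructed sample catalogue (hypothetical drilling department).
CATALOGUE = [
    Activity("Well control during drilling", Criticality.HIGH,
             Formality.FORMAL_AUDIT_TRAIL, "Drilling superintendent",
             "Operations manager", CONTROL_LOOP, True, False),
    Activity("Gas compressor maintenance", Criticality.HIGH,
             Formality.RECORDED_BASIS, "Maintenance manager",
             "Operations manager", frozenset({"feedback", "decision"}), False, False),
    Activity("Workshop housekeeping", Criticality.LOW,
             Formality.BRIEF_DESCRIPTION, "Workshop supervisor",
             "", CONTROL_LOOP, True, True),
    Activity("Canteen catering", None),
]

if __name__ == "__main__":
    for name, findings in analyse_catalogue(CATALOGUE).items():
        print(name)
        for criterion, text in findings:
            print(f"  [{criterion}] {text}")
```

Each findings list corresponds to the gaps one safety management table would show for that activity.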
Overview The effectiveness of the approach described above is dependent on the fact that all SCAs in an organization are identified and assessed for the presence or absence of the three components and sub-elements comprising the model. The model is not the reality, but is the closest representation that can be achieved to enable the criteria for success to be measured in a consistent way. If the model does not fully represent the actual SMS then the safety of the operation will have been compromised. However, the strength of using an activity-based approach lies in the degree of completeness that can be obtained. It will have been noted that this approach, unlike the audit and behavioural approaches described previously, focuses on the levels of management in the company where the ultimate responsibility for safety resides. The method described is concerned not with the detail of work procedures (although these do need to be adequate), but with control procedures, that is, methods and systems by which management control work. Thus, the analysis would not include assessing a procedure for maintaining a gas compressor on an offshore installation, but would include the system for ensuring that maintenance was carried out to the gas compressor using authorized work procedures. Neither will the method
undertake safety audits of the workplace in the same way as some of the systems previously described; these also have their place. However, the auditing of management procedures is included and in this respect the approach bears great similarity to a quality assurance system. The advantage of using a modelling approach is that a management standard is set against which the actual SMS can be measured once it is represented in the model format. In one sense the model that is chosen is irrelevant, so long as it can fulfil the criteria of completeness and adequacy and can be validated. The most important part of the exercise is the modelling process and the subsequent analysis process to identify areas for improvement. The overall aim is to ensure that no manager in the organization has responsibility for safety critical work activities without at the same time possessing the requisite means of control. There is no suggestion that the approach will prevent all future accidents, but it will certainly help to minimize the frequency, and possibly the severity, of corporate accidents. There is no doubt that it will also assist companies to meet their legal obligations to demonstrate that their hazardous operations are properly controlled. When a regulator requests to see the company’s SMS, then the quality-controlled safety management manual can be produced. The whole analytical process is shown diagrammatically in Figure 7.5.
Figure 7.5 Systems analysis applied to safety management. [Diagram not reproduced; its labels are: company safety policy; organization of activities; catalogue of safety critical activities (system description); safety management systems (system model: means of control, method of implementation, verification of compliance); criteria for success (system analysis: completeness, adequacy, validation); system improvement (improvement and correction).]
Case studies Two of the case studies from Appendices 1 and 2 are examined here to illustrate either the failure or an absence of SMSs.
1. The capsize of the Herald of Free Enterprise The capsizing of the roll-on/roll-off (RORO) car ferry Herald of Free Enterprise at the Belgian port of Zeebrugge on 16 March 1987 was the worst accident in terms of fatalities involving a UK passenger ferry for many decades. Soon after leaving the port on the return voyage to Dover, the car deck of the ferry became flooded through the bow doors which had been left open by the assistant bosun who was asleep in his cabin. The entry of water caused the ferry to list to port and roll over onto a sandbank near the harbour entrance. As a result of the accident, 192 people lost their lives through drowning and hypothermia. One victim who was rescued died later. RORO ferries of this design are well known to be highly susceptible to capsizing with only a few inches’ depth of water present on the car deck. The subsequent public inquiry18 into the disaster by Mr Justice Sheen revealed a catalogue of errors which extended from the deckhands on the ferries right up to the highest levels of Townsend Thoresen, the company operating the ferry. The inquiry found in particular that there had been a breakdown in communications between onshore management and the masters of the ferries operating these routes. This stemmed from a defective, even non-existent, safety culture which should have been, but was not, formed and promulgated downwards from director level. Communication between onshore management, who were responsible for provision of resources to ensure safe operations, and the masters of the ferries was effectively unidirectional; that is, upwards. Countless requests from ships’ masters to onshore management for safety improvements were largely ignored since they were considered to involve unnecessary expenditure. This resulted in a more or less permanent standoff between offshore and onshore management. In this case, the presence of SMSs as described above was sadly lacking. 
Those who were ultimately responsible, that is onshore management, had no effective means of control of the SCAs which were being carried out on a routine basis at sea. They seemed completely unaware of what was actually happening at sea (this was not the first ferry that had left with the bow doors open) and the impression given was that they preferred to remain in ignorance. In this case, those who were directly responsible, the ship’s masters, had no means of detecting from the bridge whether the bow doors were open or shut, and so were unable to exercise their own means of control by receiving feedback that procedures were being followed. The ship’s masters were at least, however, aware of the problem since they had made countless requests for bow door indicators to be fitted. The fault lay at the level of ultimate responsibility. The sinking of the Herald of Free Enterprise was a classic case of inadequate/non-existent SMSs. It is described in more detail in Appendix 1, Case Study A1.1.
2. Fire and explosion at the Conoco-Phillips refinery The accident in 2001 at Conoco-Phillips oil refinery at Killingholme in the UK has already been described briefly in Chapter 5 and examined in the context of ‘understanding the risk’. It is described in more detail in Appendix 2, Case Study A2.3, which relates how an early plant modification to a vent pipe to convert it into a water injection point was installed soon after the plant was commissioned. This modification, which was made during the plant commissioning process in 1989, set the scene for the disaster which occurred over a decade later. Such modifications need to be assessed at the time (preferably prior to authorizing the modification) using a management of change (MoC) procedure. Such a procedure should require the modification to be studied using a hazard and operability (HAZOP) technique, which would identify any potential hazards, the risks arising from them and whether the risks could be satisfactorily controlled. The accident at Conoco-Phillips is not the first accident to have occurred as a result of an unauthorized or unchecked modification to the original design. Such changes to design are common during commissioning when ‘teething’ problems occur which were not predicted by the designers. In order to bring the facility online and into production as soon as possible there is a great deal of economic pressure to carry out ad hoc modifications. This appears to be what happened at this refinery. However, when a MoC procedure was introduced in 1999 it did not appear to capture the earlier modification, which was therefore not subject to any form of hazard analysis. This should have been the first line of defence against the accident that occurred and was essentially a failure in safety management in that no effective system existed for managing technical changes. 
The second line of defence was a system of inspecting the process pipework on a routine basis for corrosion, but this also failed to flag up the section of pipework which was continuously being corroded by the injection of water at the modified vent point. The main reason that the inspection system failed was that the injection point, probably because it was an early ad hoc design modification, was never included in the inspection department’s database of plant and equipment. In this case, an SMS existed but there was a serious failure in putting the principles into practice. Although the HSE, in an audit of the plant in 1996, found that the company ‘had a well-developed safety management system with the leaders of the organisation showing commitment to securing high standards of health and safety at work’, in the wake of this accident it was remarked that ‘. . . between 1996 and 2001, Conoco-Phillips were failing to manage safety to the standards they set themselves’.19 In terms of the systems model of safety management described above, the deficiency at the first line of defence can be categorized as the absence of a ‘means of control’ (at the time) to detect plant modifications and assess them for hazards and risk. The deficiency at the second line of defence must be categorized as a failure of ‘responsibility for implementation’. Although a system existed for inspection of pipework it was not being properly implemented since it failed to capture the water injection point. Whether the failure lay at the level of direct responsibility, say the inspection manager, or at the level of ultimate responsibility, say the operations manager, or both, is difficult to ascertain because of insufficient detail in the HSE report.
References
1. Health and Safety Executive (1997). Booklet HS(G)65: Successful Health and Safety Management (supersedes earlier editions), Sudbury: HSE Books.
2. British Standards Institution (2004). BS 8800:2004: Occupational Health and Safety Management Systems. Guide, London: BSI Library and Bookshop.
3. Occupational Health and Safety Assessment Series Document OHSAS 18001:1999: Occupational Health and Safety Management Systems – Specification, In the Electronic Occupational Health & Safety Book, https://secure.element5.com/shareit/checkout.html?productid=156336&language=English
4. International Labour Office (2001). Guidelines on Occupational Safety and Health Management Systems, ILO-OS&H 2001, Geneva: ILO, http://www.ilo.org/public/english/protection/safework/cops/english/download/e000013.pdf
5. Det Norske Veritas (DNV), Høvik, Norway, http://www.dnv.com/about_us/index.asp
6. HASTEM, Maldon, UK, http://www.hastam.co.uk/software/c4w.htm
7. Heinrich, H. (1931). Industrial Accident Prevention, New York: McGraw Hill.
8. Skinner, B.F. (1938). The Behavior of Organisms: An Experimental Analysis, New York: Appleton-Century.
9. Skinner, B.F. (1974). About Behaviorism, New York: Vintage.
10. Krause, T.R., Hidley, J.H. and Hodson, S.J. (1990). The Behavior-Based Safety Process. Managing Involvement for an Injury-Free Culture, New York: Van Nostrand Reinhold.
11. BST Global Headquarters, Ojai, CA, USA, http://www.bstsolutions.com
12. Kraus, T. (2006). Surveying the safety landscape (Interview), Industrial Safety and Hygiene News (September), http://www.bstsolutions.com/pdfs/ISHN-Surveying_the_Safety_Landscape-Sep2006.pdf
13. DuPont Safety Resources, Wilmington, DE: E.I. du Pont de Nemours & Co., http://www2.dupont.com/Safety_Products/en_US/products/programs_training/index.html
14. Noordwijk Risk Initiative Foundation (2002). NRI MORT User’s Manual and Chart (The Management Oversight and Risk Tree Analytical Logic Diagram), Delft: Noordwijk Risk Initiative Foundation, http://www.nri.eu.com/toppage3.htm
15. Kjellen, U. (1992). The SMORT Method (Safety Management and Organisation Review Technique). Documentation for EEU Course: Safety Management, Trondheim: Department of Industrial Economics and Technology Management, Norwegian University of Science and Technology.
16. Tinmannsvik, R.K. and Hovden, J. (2003). Safety diagnosis criteria – development and testing, Safety Science, 41, 575–590, http://risikoforsk.no/Publikasjoner/science.pdf
17. Pöyry Energy Ltd [formerly Electrowatt-Ekono (UK)], Horsham, http://www.energy.poyry.com/general/
18. Mr Justice Sheen (1987). The Merchant Shipping Act 1984: MV Herald of Free Enterprise, Report of Court No. 8074, London: HMSO.
19. Health and Safety Executive (2001). Public Report of the Fire And Explosion at the Conoco-Phillips Humber Refinery on 16 April 2001, Sudbury: HSE Books, http://www.hse.gov.uk/comah/conocophillips.pdf
8
The learning organization
There is nothing more difficult to carry out, nor more doubtful of success, nor more dangerous to handle, than to initiate a new order of things. For the reformer has enemies in all those who profit by the older order, and only lukewarm defenders in all those who would profit by the new order.
Nicolo Machiavelli, Italian political philosopher (1469–1527), in The Prince
Introduction The need for organizational learning stems from the fact that companies today have to operate in a business environment that is subject to continual change and flux. Organizational learning is not the same as individual learning, which is a process that most companies take for granted; this lies firmly within the realm of human resources (HR) departments, traditionally including formal education, training, improving skills, building on work experience, etc. Whilst individual learning is important, the learning organization takes a much wider perspective and focuses on enhancing all of a company’s systems (including people) to increase continually the organization’s knowledge and enable it to act to meet the challenges of change. This chapter describes the theory of organizational learning, including the single- and double-loop learning models which essentially define how corporate thinking may be changed to release the full creativity of employees. In order to put this theory into practice it is necessary for companies to promote ‘systems thinking’ and ‘dialogue’, where employees continually expand their capacity to create the results they truly desire, and where new and expansive patterns of thinking are nurtured. From the theory of learning the chapter moves on quickly to its practical application in ‘learning from accidents’. The single- and double-loop learning models are explored in relation to accident investigation, by comparing the traditional ‘domino effect’ approach to accident causation with the more modern multi-layered approach. The former approach tends only to identify and correct the direct causes of an accident, ignoring the root causes and thus almost ensuring that a similar accident
will recur. The multi-layered approach is better able to identify and correct the underlying root causes as well as the contributory causes of an accident, which will increase the chances of preventing a recurrence. These principles apply both to minor accidents in the workplace and to corporate accidents with wider implications for legal action and company reputation. The method of root cause analysis, with various supporting techniques, is described. One of these techniques, the Kepner–Tregoe method of problem analysis, is described in some detail using a case study from Appendix 2 as a working example. The chapter returns to the important subject of corporate culture described in Chapter 4. It explores the concept of a no-blame culture which in many cases is neither feasible nor desirable. Instead, the concept of a ‘just culture’ is defined which more realistically deals with the attribution of blame for errors and mistakes. The main characteristic of this culture is that it retains the option of punitive sanctions where appropriate to deal with various degrees of reckless behaviour such as intentional violations of rules and procedures. It also avoids the attribution of blame where this is likely to inhibit employee openness about safety concerns, errors and mistakes. Methods of promoting greater openness are explored under the heading of ‘information disclosure’, including the necessity for confidential reporting schemes and policies for managing the difficult subject of whistleblowing. Finally, two case studies from Appendix 1 are used to demonstrate failures in organizational learning.
Organizational learning Communities of practice All learning, at its most basic level, is by individuals. Organizational learning differs in that it deals with individuals as part of a group or ‘community of practice’, members of which are bound together by common activities, rather than interests and by ‘what they have learned through their mutual engagement in these activities’.1 A community of practice is a useful way of describing the group within which organizational learning takes place: ‘people belong to communities of practice at the same time as they belong to other organizational structures. In their business units, they shape the organization. In their teams, they take care of projects. In their networks, they form relationships. And in their communities of practice, they develop the knowledge that lets them do these other tasks. This informal fabric of communities and shared practices makes the official organization effective and, indeed, possible’.1 Organizational learning emanates from an experience of participation in group life as opposed to individual life. Yet another definition of organizational learning is ‘the ability of an organization to gain insight and understanding from experience through experimentation, observation, analysis, and a willingness to examine both successes and failure’.2 It will be shown later how organizational learning thrives in companies that have abandoned a blame culture and look upon failure as a learning opportunity.
Organizational learning models The characteristics of organizational as opposed to individual learning are that it is centred in groups, it tends to be more informal, involving less teaching, it is often less regulated and it can be contradictory in that different groups may hold different opinions and beliefs in creative tension. Unlike classroom learning (facts), there is not necessarily one body of knowledge that is always ‘right’, but there are many alternative strategies to solving a problem or correcting a situation. There have been numerous approaches to understanding organizational learning, one of the most useful being the work of Chris Argyris (1923–), who has influenced thinking about the relationship of people and organizations, organizational learning and action research. In the approach of Argyris and Schön,3 two models of organizational learning are proposed: the single- and double-loop models.
Model 1: The single-loop approach In this model, the learning process is based on the simple detection and correction of error using well-known ‘action strategies’. When an undesirable event occurs, an action strategy, a previously acceptable ‘rule’, is sought which when implemented will prevent the event recurring. The action strategy is based only on an existing or a previous understanding of the problem which led to the event. The accepted or conventional wisdom of the group is not questioned; rather, the existing underlying values, plans and goals of the group are confirmed and reinforced by choosing the known path. This is also called adaptive learning, which reacts to events in the present by making incremental improvements based upon what happened in the past without examining the fundamental appropriateness of the response. There is a tendency to address only the direct causes of the event, thus not getting to the root of the problem (see ‘Learning from accidents’, later). The fundamental assumptions about ‘how we do it here’ are never challenged and the organization is unable to change.
Model 2: The double-loop approach In this model, the underlying conventional wisdom of the group, what Argyris calls the ‘governing variables’, is questioned. Governing variables are the underlying ‘norms’ which members of the group believe need to be kept within certain well-defined limits, set perhaps by previous experience or convention. In the Model 2 approach the governing variables are themselves subject to scrutiny, leading potentially to a major change in the way the problem is understood. It may involve questioning the underlying norms, policies and objectives of the organization, and is therefore seen personally by individuals as inherently more risky than the single-loop approach. This has also been called generative learning,4 which exhibits a tendency to continuous experimentation and feedback in an attempt to improve problem-solving responses and decision making. The approach is more likely to identify the root cause of a problem. It applies systems thinking (see below) to learning by always being prepared to take a fresh look at ‘how we do it here’, enabling the organization to change. The two learning models are shown diagrammatically in Figure 8.1.
[Figure: diagram with elements labelled Governing variable, Action strategy and Consequences, and loops labelled Single-loop learning and Double-loop learning.]
Figure 8.1 Single- and double-loop learning (based on Argyris and Schön3).
An example of Model 1 and Model 2 learning An example may help to illustrate the principles involved. Governing variables form the underlying rationale by which a person (or group) operates and survives; they resemble a culture since they are innate and learned over long periods and therefore difficult to change. Sometimes diverse governing variables have to be kept in creative tension. There will be certain limits within which a person or group will wish to maintain these variables and this will be achieved by adopting action strategies to suit particular situations. Thus, within an organizational culture there may be a desire to suppress conflict but at the same time appear competent in the work environment. An action strategy may be to avoid discussing a potential conflict situation in order to preserve an appearance of competence, even though the situation really needs to be resolved by discussion. The objective of the strategy is to avoid appearing incompetent by perhaps losing an argument over the issue and therefore losing face. From the point of view of the person or group trying to avoid conflict and appear competent, there will be a perception of success since the governing variables will have been maintained within desired limits. But from the point of view of the situation itself nothing has been resolved properly since discussion will have been avoided and the same situation is likely to arise again in the future. This is an example of Model 1 learning. Model 2 learning will question the governing variables and the person or group will enter into a potentially risky conflict situation in which they may not appear competent if they ‘lose’. But a new strategy will have been tried out and the situation is more likely to be resolved satisfactorily and permanently, leading to a true ‘win’ situation. Eventually, with perseverance, the governing variables will become modified and the interchange will have moved from discussion to dialogue (see below). 
One of the difficulties in applying Model 2 learning is that in new, uncertain and difficult situations, when creative thinking is called for, it is more natural to settle on the tried and tested remedy (Model 1). There is a human tendency to reduce the level of uncertainty as quickly as possible, especially in a crisis situation, by identifying immediate solutions rather than spending time exploring whether the underlying rationale of the conventional wisdom is still appropriate to the new situation. The problem with Model 1 learning is that people become entrenched in fixed and immutable positions, making them defensive towards the comments of anyone who tries to deconstruct their beliefs.
Characteristics of Model 1 and Model 2 learning Table 8.1 summarizes the main differences between the two approaches.
Table 8.1 Comparative characteristics of organizational learning models
Model 1 | Model 2
Negative feelings are not articulated | Conflicting views are allowed to surface
Rationality is emphasized | Creativity is emphasized
Win–Lose criteria adopted | Win–win aimed for
Choices limited by past experience | Free and informed choices are allowed
Unilateral control | Shared control
Protect self and others unilaterally | Participation in decision and action
Limited public testing of ideas | Encouraging public testing of ideas
Discouraging enquiry | Encouraging questions
Defensive relationships | Open relationships
Making covert assessments | Commitment to a common cause
Limited freedom of choice | High freedom of choice
Face-saving strategies avoiding unpopular facts | All ideas are acceptable
Decreased likelihood of double-loop learning | Increased likelihood of double-loop learning
Compiled from various sources.
From the point of view of corporate accidents, organizational learning is an essential defence against complacency. If conducted correctly, using a generative approach (Model 2), it enables a company to stay ahead of events rather than to be taken by surprise and have to respond with purely reactive measures. Both Model 1 and Model 2 acknowledge the importance of learning from past events to prevent their future recurrence; the difference lies in how the lessons are learned. It is not to say that the generative approach is easy; it requires much more effort, dedication and personal risk taking than the adaptive approach. Changing to a generative approach from an adaptive approach is akin to changing the organizational culture of a company, as discussed in Chapter 4.
Systems thinking Peter M. Senge (1947–) is the acknowledged guru of organizational learning, and while at Massachusetts Institute of Technology (MIT) he studied how companies adapt to new situations. According to Senge, learning organizations are ‘organizations where people continually expand their capacity to create the results they truly desire, where new and expansive patterns of thinking are nurtured, where collective aspiration is set free, and where people are continually learning to see the whole together’.5 He identifies five disciplines that characterize a learning organization: systems thinking, personal mastery, mental models, building shared vision and team learning. The importance of systems thinking has been highlighted in other chapters of this book, in particular, in the analytical approach to safety management (Chapter 7) and in the study of safety culture (Chapter 4). Systems thinking is one of the tools of systems analysis and involves disassembling the parts that make up the whole in order to improve understanding of the system, including the ways in which it may fail. However, the parts are not examined in isolation but rather in the way they link
together and interact to produce a dynamic and complex whole. In other words, the behaviour of the system derives from its overall structure and it does not in this sense consist of the sum of its parts (see also Gestalt and the nature of organizational cultures in Chapter 4). In the context of a community of practice (see above), systems thinking has proved its usefulness in enabling a group of actors to solve a complex problem by ‘seeing the big picture and not just their part in it’.6 Systems thinking involves expanding the field of view to embrace system components that at first sight do not appear to have an important or immediate impact on the system as a whole or the problem which is being solved. Systems thinking can be applied to any system that is built up from interacting and interdependent components to form a complex and unified whole, including mechanistic systems. It comes into its own, however, when studying complex human systems such as organizations. An example is the role played by the research and development (R&D) department in a company when a decision is made to axe it in order to save money. Unless the decision is made in the context of the bigger picture, which includes the company’s future capability to maintain its technical competitiveness, it is likely to have negative long-term consequences. Since it is easy to cost the removal of the R&D department (short-term view) but difficult to place a cost on the consequences of removal (long-term view), the company accountant’s thinking is dominated by the bottom line of the current year’s financial results. The bigger picture is therefore ignored. For the remaining four disciplines of personal mastery, mental models, building shared vision and team learning, the reader is referred to Senge’s own writings5 or summaries available on the internet.7
Dialogue The key to success in systems thinking lies in the willingness of the participants in a group, brought together to resolve a problem or make a decision, to engage in dialogue. This may seem rather obvious, but the sort of dialogue that is necessary has some peculiar characteristics which were described by David Bohm (1917–1992), a distinguished physicist whose expertise extended beyond the realm of quantum behaviour to the behaviour of organizations. He saw dialogue as an essential step on the path to learning and wisdom: dialogue, ‘as we are choosing to use the word, is a way of exploring the roots of the many crises that face humanity today. It enables inquiry into, and understanding of, the sorts of processes that fragment and interfere with real communication between individuals, nations and even different parts of the same organization’.8 He made the vital distinction between dialogue and discussion. In a discussion people tend to hold on to fixed and rigid positions, arguing their corner and trying to convince others to adopt the viewpoint they are proposing. There are two possible outcomes, neither of which is really creative. Either a compromise is reached, which rarely encapsulates the ideal solution, or else a win–lose solution is found; when a winner has emerged from the discussion, the subject is considered closed irrespective of whether the best solution has emerged. Bohm suggests that dialogue, when allowed to develop properly, ‘reveals the incoherence in our thought’ and gives rise to a ‘genuine and creative collective consciousness’. It is achieved by allowing a free flow of conversation from all
participants, unrestrained by hierarchical considerations or vested interests, which leads to a process of ‘awakening’. The objective is to explore and if necessary subvert ‘the predetermined purposes and goals that are seldom questioned’ by an organization. As with Model 2 learning, this can call for a great deal of courage on the part of the participants, in particular in overcoming the fear of being thought critical of the company hierarchy with all the connotations for future career which that may carry in some companies. The company that is determined to change will need to make considerable efforts to overcome these fears by encouraging a greater degree of transparency and openness. It is also necessary for the participants who enter the dialogue to leave behind agendas that have more in common with the selfish aims of the individual (see example of Model 1 and Model 2 learning above) than with the interests of the company as a whole. To summarize, organizational learning describes the ways in which a company can adopt more creative ways of thinking in the areas of problem solving and decision making using a set of common principles. Organizational learning is listed here as one of the strategies to prevent corporate accidents; its principles can be invoked in a number of relevant disciplines and techniques which are now drawn together in this chapter.
Learning from accidents Much of this book has, quite rightly, concentrated upon the prevention of corporate accidents by putting in place strategies such as organizational learning as discussed above. Nevertheless, the risk of an accident can never be reduced to zero, as Chapter 5 made clear. When an accident does occur, the way an organization learns from the event is crucial to preventing another accident occurring in the future. At present there are no legal requirements in the UK for companies to investigate accidents, but the Health and Safety Executive (HSE) recently introduced a discussion document,9 which may be the basis for future guidance. There is a legal requirement to report certain accidents and work-related incidents and diseases to HSE under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR), which is not dealt with here. The learning process following an accident ideally moves through a number of stages before the integration of the lessons into the organization is complete. The end result will be changes to the way in which the organization conducts its business; these may be fundamental changes, affecting management practice, where the investigation digs down to the underlying causes, but will be superficial if only the immediate causes are revealed. In reaching an understanding of how an accident occurred, there are two main causation models which can be adopted as a basis for learning. The first model adopts a traditional approach, which mainly focuses on the direct or immediate cause of the accident, and in particular on the failure of the person or mechanism which led to the accident. This model of accident causation is now to a large degree discredited. The second accident causation model adopts a more in-depth approach and seeks out the root causes of the accident, although it is still necessary to identify the direct
cause. The root causes are frequently to be found within the management systems which control the work and allowed the direct cause to happen. The two models are analogous to the different methods of learning, double loop and single loop, described above and illustrated in Figure 8.1. A modified version of this diagram is shown in Figure 8.2 to represent the two accident models. The single-loop model addresses only the direct cause, whereas the double-loop model extends the range of knowledge to include the root cause as well as the direct cause. As noted earlier, both Model 1 and Model 2 acknowledge the importance of learning from past events to prevent their future recurrence; the difference lies in how the lessons are learned.
[Figure: diagram with elements labelled Root cause, Direct cause and Accident, and loops labelled Single loop and Double loop.]
Figure 8.2 Accident causation models.
Model 1: single loop The domino effect The traditional approach attempts to identify a train of causes which have led to an unsafe act or condition which resulted in the accident. Heinrich10 first associated this with the ‘domino effect’, where a small change can set off a chain of linked events, resulting in an undesirable outcome. The principle is illustrated in Figure 8.3. The series of events leading up to the accident stretches back in a sequential manner to the ultimate cause, which is usually seen to be some defect of the person causing the
accident. The accident can be triggered by any event in the sequence, which then leads to the fall of the remaining ‘dominoes’. Conversely, the removal of any domino from the sequence will prevent the accident occurring, preferentially the unsafe act or unsafe condition domino. The model proposes, therefore, that since it is difficult to change human behaviour or personality, the key to accident prevention is the elimination of unsafe acts or unsafe conditions. It will be noted that there is some resemblance here to the behavioural safety management model described in the previous chapter.
[Figure: sequence of elements labelled Social environment and personality; Fault of person causing the accident; Unsafe act or unsafe condition; Accident; Consequence.]
Figure 8.3 Traditional accident causation model (after Heinrich10).
Accident proneness Because of the emphasis on unsafe acts, this model is often associated with the psychological concept of accident proneness of individuals. The concept suggests that some workers are more likely to be involved in an accident than others owing to certain innate personality characteristics which cannot be changed. This has not been proven conclusively by researchers and many of the results of studies have been contradictory. This is not to ignore a range of environmental and other factors which can increase the probability that a person will have an accident. Workers who are, for instance, tired, stressed, depressed, anxious or subject to other emotional states may well be at an increased accident risk. One study showed that locomotive drivers who are left handed are more likely to be involved in accidents, although this is probably more related to the design of the cab than the personality of the driver. Accident proneness is not generally accepted today and if it does exist may only account for a very small proportion of accidents.
Unsafe acts and conditions According to this model, unsafe acts are defined as an individual’s inappropriate behaviour in relation to the work environment, whereas an unsafe condition is a deficiency in the situation or work environment. Typical examples of the factors which could be classed as unsafe acts and conditions are shown in Table 8.2. Many other examples are possible.
Table 8.2 Unsafe acts and conditions
Unsafe acts | Unsafe conditions
Operating without authority | Failure in communication
Failure to follow rules and procedures | Inadequate warning or safety devices
Failure to observe warning signs and devices | Structural failure
Failure to use safety devices | Failure of equipment or tools
Failure to use personal protective equipment | Unsafe or poor working environment
Misuse of equipment or tools | Poor light, excessive noise and dust
Improper act | Poor housekeeping
Horseplay | Unsafe access
Drink or drugs | Weather conditions
Management response Unsafe acts are often seen by management as shortcomings in the behaviour of the individual causing the accident. Using this mode of thinking the remedy is to devise a rule which forbids the identified behaviour to prevent a recurrence of the unsafe act. Unsafe conditions are seen by management as shortcomings in the working environment which can be overcome by devising a technical solution, such as guards or personal protective equipment, to make the conditions safe or protect people from the hazard. The rule can be seen by employers as a ‘quick fix’ which does not involve expenditure, whereas the technical solution tended in the past to have been favoured by the regulator as a more effective, but possibly more expensive, solution. The overall result of using the traditional model is that the direct or immediate cause of the accident is identified, but no efforts are expended to seek out the underlying or root cause. Since the underlying cause will be at the root of not just this accident, but many other similar accidents, the effect on safety of using this approach will probably be limited to the prevention of one type of accident.
Model 2: double loop Multi-causality model The multi-causality model recognizes that very few accidents can be simplified to a single direct cause such as an unsafe act or unsafe condition. Attention needs to be diverted away from the error made by the person who was the direct cause of the accident towards the managers, designers and engineers whose work remote in time and place from the location of an accident may well have led to the accident. In the multi-causality model account is taken of both latent and active failures. A failure (or error) is said to be latent when a significant time elapses between the failure occurring or the error being made and the consequence of the failure being manifested. When a failure is not latent it is said to be active. An active error is an error where the consequences are manifested immediately or almost immediately. In either case the consequence is the discovery of the failure, which may be revealed unexpectedly in the form of an accident. Latent failures are potentially ‘accidents waiting to happen’. The key to accident prevention lies in the ability to detect latent errors as soon as possible after they have occurred. The longer a latent error is allowed to exist the less likely that it will be discovered and the more likely that it will cause an accident. The most common area of activity where latent failures take place in relation to corporate accidents is within management.11 Figure 8.4 represents the multi-causality model12 in terms of the various elements making up the productive process and the associated failure modes which can lead to an accident sequence being initiated.
Productive activities: unsafe acts and conditions The direct causes of an accident, often triggered by an active failure, lie at the level of productive activities where humans and machines are brought together to generate the product. These causes usually take the form of unsafe acts or unsafe conditions as
discussed previously. However, in order for productive activities to be successfully and safely carried out, a number of preconditions need to be fulfilled.
[Figure: diagram with labels Products; Feedback loops; Success; Failure; Decision makers; Line management; Corporate management; Operations, maintenance, etc.; Fallible decisions; Line management deficiencies; Preconditions (Reliable equipment, skilled workforce, etc.); Accident precursors; Productive activities (Integration of human and machine); Defences (Strategies to prevent corporate accidents); Unsafe acts and conditions; Window of opportunity; Accident; Inadequate defences; Causal factor chain.]
Figure 8.4 Multi-causality accident model (based on Reason12).
Preconditions: accident precursors The preconditions usually include safe and reliable equipment which is fit for purpose and a skilled and motivated workforce which is able to use it productively. Failures in the necessary preconditions are called ‘accident precursors’ because they provide a mechanism for unsafe acts and conditions to occur. However, such failures may exist for long periods without causing an accident and therefore they can be regarded as latent failures. Accident precursors can also include factors such as poor motivation, inadequate perception of hazards, high workload, ignorance of the system, defective working environment and dangerous working conditions, all these being the ingredients of unsafe acts and conditions.
Line management: deficiencies The immediate responsibility for the presence of such precursors lies with line management accountable for activities such as operations and maintenance. The deficiencies within line management are also classed as latent failures and may include inadequate staff training, defective procedures, poor employee motivation, incompatible goals, failures in communication and lack of systems of safe work, to name but a few examples. None of these types of failure is a direct cause of the accident, but they may have been in a failed or defective state long before the accident occurred. The line
managers are those with responsibility for implementation, as defined in the analytical approach to safety management described in Chapter 7.
Decision makers: flawed decisions Above the level of line management are the decision makers, corporate managers who are held to be ultimately responsible (as described in Chapter 7, the analytical approach to safety management) when an accident occurs. Their failures are usually in the area of flawed decision making which does not effectively take account of the actual conditions that exist in the workplace at the productive level. The failures at this level may include factors such as lack of resources to provide safe working, neglecting safety for production and failing to maintain an adequate safety culture. As described in Chapter 7, these failures often occur as a result of inadequate feedback and a failure to appreciate what is actually happening in the workplace as opposed to what they believe is happening. These are also latent failures since they are remote in time and place from the location where the accident eventually occurs. They are likely to have been in existence for a considerable time before the accident occurred.
Defences: safeguards against accidents – defence in depth The defences which safeguard against accidents include many of the strategies described in Part 2 of this book. In Figure 8.4, the defences are shown at the end of the productive sequence; in actuality the defences may be applied at any point during the sequence. A defence which is not in place or is inadequate provides a window of opportunity for an accident to occur. In some cases, where the consequences of an accident are particularly serious, the concept of defence in depth may be applied. In this case it would be necessary for a number of defences to fail before an accident occurred. This concept tends to be applied in potential major hazard industries such as the nuclear and chemical industries. The defences would include:
• pre-accident measures such as protective systems or work procedures which prevent process variables from exceeding dangerous limits, and
• post-accident measures such as physical containment barriers to limit the consequences or spread of an accident and emergency management.
In the case of defence in depth, it would be necessary for a series of windows of opportunity to be open at the same time in each defence mechanism for the accident consequences to be realized. Failures of defence mechanisms are nearly always latent failures and once they exist they are difficult to identify in advance of an accident occurring.
Causal factor chain The causal factor chain shown in Figure 8.4 is the logical hierarchical chain of causal factors (including both direct and root causes) that extends from the decision-making and policy level through the line management and implementation level to the accident precursors and unsafe acts and conditions at the workplace level. The causal factors are often failures in the above-mentioned defence mechanisms.
Of the two models discussed above, Model 2 is the one which is most generally accepted to represent the most common features of accident causation and has the advantage of acknowledging the root causes of an accident. Methods of searching for an accident root cause are described in more detail below.
Root cause analysis Root cause analysis (RCA) comprises a suite of problem-solving tools which can be used in various diagnostic, troubleshooting and accident investigation activities. Root cause analysis is built on the premise that in order to understand what happened at the sharp end (the direct cause) and to prevent its recurrence, it is necessary to follow the train of events back to the blunt end (the root and contributory causes) so that corrective actions can be identified and implemented. The technique of RCA emerged from the engineering and service sectors, in particular, high-risk operations such as aviation and aerospace, and was extended in due course to other areas, including the nuclear and chemical industries and, more recently, patient care. There are numerous methods of undertaking an RCA, but most of them generally include the following five steps, based on US Department of Energy Guidelines:13
1. Data collection: collect information about the accident conditions which existed before, during and after the event, the personnel that were involved and any actions that were taken. Data are best collected as soon as possible after the accident occurrence while memories are fresh.
2. Assessment: determine the causal factor chain:
• Identify the direct causes which immediately led to the accident occurring, in particular looking for unsafe acts and conditions.
• Identify the reasons why the direct cause was allowed to happen including the fundamental reason which if corrected would prevent a recurrence of this or a similar accident. This leads back to the root cause which is where the investigation trail will stop.
• List any contributory causes arising from the above assessments which on their own would not have led to the accident but in conjunction with other events increased the likelihood of an accident.
3. Corrective actions: for each identified cause, including direct, root and contributory causes, identify effective corrective actions which will reduce the probability that the cause could recur in the future.
4. Report and inform: report the results of the data collection, assessment and corrective stages of the analysis, communicating this to management and other staff who were involved in the accident and others (including other facilities) who are likely to have an interest.
5. Follow-up: review whether the corrective actions taken have been implemented and have succeeded in resolving the problems which lay at the root of the accident, thereby reducing the probability of a recurrence.
Several techniques are available to assist in the assessment (phase 2) of the RCA, including:
• Events and causal factor analysis to identify the time sequence and causal factor chain leading to the accident and provide a diagrammatic overview of the causal relationships between events in the chain.
• Change analysis to identify what changed, comparing the normal conditions some time prior to the accident with the conditions immediately before the accident took place. It utilizes the famous principle elucidated by Kepner and Tregoe (see below): ‘change is the mother of trouble!’
• Barrier analysis to identify the lack of physical, administrative and procedural controls that, had they been in place and performing as intended, should have prevented the accident.
• MORT (Management Oversight and Risk Tree) analysis as described in Chapter 7, to identify factors that allowed the accident to occur using an analogous approach to fault tree analysis.
• Human performance evaluation to identify environmental and other factors that influenced human performance in relation to tasks associated with the accident and where failures may have occurred. It identifies the systemic failures that may have led to errors or mistakes being made that were the direct or contributory causes of the accident, which in turn may point to the root cause. The evaluation includes all performance influencing factors such as the quality of training and procedures, operability of equipment and ergonomic design of the human–machine interface.
• Kepner–Tregoe method of problem solving, diagnosis and decision making, involving the systematic assembly of logically ordered information to reveal hitherto concealed patterns within sequences of events. This is a particularly valuable and often neglected tool which can be used to guide a wide range of management activities, and is discussed in more detail below.
Kepner–Tregoe method Dr Charles Kepner and Dr Benjamin Tregoe, while working for the RAND Corporation in the 1950s, carried out research on failures in decision making in US Strategic Air Command. One of their main findings was that success in decision making by officers in the US Air Force depended not so much upon rank, seniority, experience or education, but upon the way in which information was collected, organized and analysed and the degree to which this was done in a logical fashion. Out of this work they came to recognize four basic patterns of thinking in the organizational context. For each way of thinking they developed a systematic procedure for solving organizational and management problems. Kepner and Tregoe (K&T)14 suggested that these thinking processes and problem-solving procedures were applicable to any type of organization regardless of the cultural setting and the content of the problem. The overall K&T programme is summarized in Table 8.3.
Table 8.3 Summary of the Kepner–Tregoe14 programme

| Pattern of thinking | Purpose of thinking | Methodology |
|---|---|---|
| What’s going on? | Assessing and clarifying the situation | Situation appraisal |
| Why did this happen? | To determine cause and effect | Problem analysis |
| Which course of action should we take? | Making choices from various alternatives | Decision analysis |
| What lies ahead? | Anticipating the future | Potential problem analysis |
All of the techniques depend heavily on the use of gap theory, an approach which seems indeterminate in its origins but which has been in existence for a long time (and not to be confused with the ‘gap theory’ which attempts to harmonize the biblical creation accounts with the geological record!). Gap theory very simply identifies the gap between a desired situation and the actual situation. It is found that most problems can be defined in this way and the technique is clearly applicable to accident analysis. The analysis always commences with the situation appraisal, followed by problem analysis, decision analysis or potential problem analysis, depending on the nature of the problem. Only problem analysis will be briefly described here since it is the technique most applicable to learning from accidents.
Situation appraisal
Situation appraisal deals with the question ‘what’s going on?’ and proceeds to assess and clarify the situation, sorting out the information and breaking down complex situations into manageable components in order to maintain control of events. This avoids the typical management situation where information available is usually a mixture of the relevant and irrelevant, the important and the inconsequential. In order to be more productive the components of the situation need to be seen in perspective and prioritized. Situation appraisal identifies problems which need to be solved, decisions which need to be made and future events which need to be either avoided or planned for. Following this assessment it is possible to decide which of the three approaches, problem analysis, decision analysis or potential problem analysis, is to be adopted to identify a solution. According to K&T, situation appraisal takes place in four stages:
1. Recognizing concerns by identifying current deviations between the actual situation and a desired situation (see below), threats to current activities and opportunities for the future.
2. Separating concerns into manageable components, for instance, by breaking apart overlapping and confusing issues into more clearly defined subconcerns.
3. Setting priorities to decide on the order in which the identified and separated concerns will be assessed.
4. Planning the resolution of concerns by firstly selecting the appropriate process to achieve a resolution and then planning the ‘who, what, where and when’ and extent of the resolution.
A concern is described by K&T as ‘any situation that requires action and for which you have full or partial responsibility’.14 The concerns may be identified by asking specific questions such as ‘where are we not meeting standards?’, ‘what problems remain unresolved?’ or in the context of learning from accidents, ‘what caused the accident?’ The technique and how to apply it are described in detail by K&T and the reader is referred to the originators’ publications and website for more information.14 The problem analysis technique has been selected here as the most important in the context of learning from accidents and accident investigation and is therefore described in more detail below.
Problem analysis
Problem analysis is based on the ‘cause and effect’ thinking pattern and is used to identify, describe, analyse and resolve situations ‘where something has gone wrong without explanation’.14 This definition applies to most accident situations where it is necessary to identify the direct and root causes. The technique is also useful in diagnosis of problems such as mechanical failure. The type of problem identified by K&T which approximates to the situation immediately before an accident is shown diagrammatically in Figure 8.5. The performance standard in the normal situation represents the circumstances existing in the period before the accident occurred and before the circumstances were in place to cause the accident. The performance standard for the abnormal situation represents the circumstances immediately before the accident representing the direct cause. Clearly, the normal situation should have continued, but because something changed the actual situation came into being, representing the state immediately before the accident. The deviation between should and actual contains within itself the seeds of the accident and the technique sets out to investigate what changed, thereby identifying the immediate or direct cause. Kepner and Tregoe use the expression ‘change is the mother of trouble!’14 to signify that all problems of this nature, including but not exclusively limited to accident causation, come about because something changed.
Figure 8.5 The structure of a problem or accident (based on Kepner and Tregoe14). [Diagram labels: Performance standard; Normal situation (SHOULD); DEVIATION; CHANGE; Abnormal (accident) situation (ACTUAL); Past; Present.]

Investigating the fire and explosion at the Conoco-Phillips Humber refinery
The problem analysis technique is best explained by using an example based on Case Study A2.3, the fire and explosion at the Conoco-Phillips Humber refinery, in Appendix 2. This is not to suggest that this accident was investigated using K&T methods, but the accident is merely used here as an example of how the technique might have been used to identify logically the direct cause.
In brief, the accident described in this case study was caused by the failure of a six-inch-diameter high-pressure gas pipe on the saturate gas plant just downstream of water injection point B (see Figure A2.3.1 in Appendix 2) where water was added to the process to dissolve deposits building up in the pipework. As a result, the main gas pipe became subject to corrosion/erosion over a long period, leading to severe thinning of the pipe wall and its eventual failure. This led to a major release of flammable gas, resulting in a fire and explosion which largely destroyed the process and caused severe damage to houses in a nearby village. It was later found that the water injection point B which caused the corrosion had been fitted many years previously as an unauthorized plant modification during commissioning using an existing one-inch vent pipe. Unlike another upstream water injection point A, injection point B had not been properly designed to disperse the injected water into the gas stream. Water injection point A made use of a static mixer to induce dispersion. The corrosion of the gas pipe had not been discovered during routine pipe thickness inspections. The reader is referred to the full text of this case study in Appendix 2 and the accompanying reference to the HSE report on the accident. The problem analysis technique proceeds in a number of stages and these stages are illustrated in Table 8.4 using this case study as an example of how to apply the technique.
Deviation statement: defining the problem
The problem to be solved in this example is not the accident itself, the fire and explosion due to the release of flammable gas, but the direct cause of the release itself, the failure of the gas pipework. Thus, the deviation statement in this example is failure of gas pipework. This statement is shown at the top of Table 8.4. It is known that the pipe P-4363 failed owing to severe corrosion and thinning at the bend. The analysis sets out to confirm in a logical way from first principles why severe corrosion occurred at this point.
Description of the problem in four dimensions
To demonstrate that the analysis is comprehensive, that is, it will identify all possible causes, the problem is broken down into the four dimensions shown in column 1 of Table 8.4. These are:
• identity: what it is we are trying to explain
• location: where it took place
• timing: when it occurred
• magnitude: how serious and extensive it is.
Several specifying questions are formulated in column 2 of Table 8.4 in order to flesh out the description of the problem in terms of each of the four dimensions. For each specifying question, the performance deviation is noted in terms of how the problem was manifested. This is expressed in terms of the statement ‘the performance deviation is’ in column 3 in Table 8.4. A search is then conducted for a basis of comparison with a similar part of the process where the problem could be found but is not (column 4 in Table 8.4). Whilst not necessarily providing immediate answers or explanations, this type of logic attempts to tease out possible causes for the change which led to the deviation occurring. The approach described by K&T is merely a formalization of the common intuitive approach of examining ‘what changed’ adopted by most people when they come to solve a problem or make a diagnosis. In the case of this example, the closest logical comparison is the upstream water injection point A where the failure did not occur. Note that at this point in the analysis, there is no suggestion that the failure of the pipe P-4363 occurred owing to water injection (as determined by the HSE investigation). The cause is yet to be confirmed at the conclusion of the analysis. In this way all options remain open so that other possible causes, whether they contributed or not, may be identified.

Table 8.4 Problem analysis example: fire and explosion at the Conoco-Phillips Humber refinery (Appendix 2, Case Study A2.3)
Deviation statement: failure of gas pipework P-4363
(Columns 2 to 4 fall under ‘Description of the problem’; columns 5 and 6 fall under ‘Extraction of key information’.)

| Dimension | Specifying question | Performance deviation is . . . | Closest logical comparison could be but is not . . . | What is distinctive about . . . | Does the distinction suggest a change or a cause? |
|---|---|---|---|---|---|
| Identity | What is the item affected by the problem? | Pipe P-4363 on the saturate gas plant | Pipe P-4347 on the saturate gas plant | Pipe P-4363 when compared with pipe P-4347? Water injection to P-4363 is connected to the top of the pipe but water is added to P-4347 via a static mixer | A change was made to the original design; the water injection point was originally a vent point |
| | | | | P-4363 operates at a higher temperature than P-4347 | P-4363 always did operate at a higher temperature: no change, but might affect rate of corrosion |
| | | | | P-4347 contains both hydrocarbon vapour and entrained liquids, while P-4363 contains only vapour | P-4363 always did contain only vapour: no change, but also means fewer liquid droplets |
| | What is the problem? | Failure of P-4363 | Failure of P-4347 | Failure of P-4363 when compared with non-failure of P-4347? Only some light corrosion at P-4347, while P-4363 is badly corroded | Severe corrosion of P-4363 but not P-4347 suggests something changed affecting P-4363? |
| Location | Where is the problem observed? | At the bend above overhead condenser X-452/3 | At the bend above static mixer on P-4347 | Bend above overhead condenser X452/3 when compared with bend above static mixer on P-4347? The pipe bend is closer to the water injection point on pipe P-4363 | Water droplets have less time to coalesce on pipe wall |
| Timing | When was the problem first observed? | Failure of P-4363 was not revealed before the gas release as it was not inspected | P-4347 was inspected but revealed no serious problem | Failure of P-4363 when compared with non-failure of P-4347? Inspection was not carried out on P-4363 | Lack of inspection of P-4363 meant the corrosion was not detected before failure |
| | When has it been observed since? | Corrosion of P-4363 observed after the fire and explosion | Corrosion of P-4347 observed after the fire and explosion | Corrosion of P-4363 when compared with corrosion of P-4347? Light corrosion of P-4347 although water injection was continuous, while severe corrosion of P-4363 where water injection was not continuous | Water injection to P-4347 via a static mixer ensured that droplets were better dispersed; change was to P-4363 as above |
| Magnitude | What is the extent of the problem? | Thinning of pipe P-4363 at point of failure | Thinning of pipe P-4347 | Thinning of pipe P-4363 at point of failure when compared with thinning of pipe P-4347? Thinning of pipe P-4363 was severe and sufficient to cause it to fail, but thinning of P-4347b was negligible | As above |
Extraction of key information
Distinctions
The problem analysis now proceeds by interrogating the performance deviation and the closest logical comparison for each of the dimensions/specifying questions, by querying ‘what is distinctive about?’ More than one distinction may emerge when making the interrogation. This process begins to provide clues, rather than answers or explanations, for the cause of the problem. The question ‘what is distinctive about?’ is posed in column 5 of Table 8.4 and the answers suggested are listed in the same column in the form of a statement in italics. Some of the answers used for this example are only illustrative of the real situation since the level of detail found in the HSE report is insufficient to provide definitive answers for this exercise.
Changes
Each of the distinctions is now examined to see whether it suggests that a change has occurred which might explain the performance deviation, and these changes are noted in column 6 of Table 8.4. Ideally, the changes noted are only those capable of suggesting a credible cause, since this is the purpose of the exercise and comprises the next step. Not every distinction will necessarily suggest a relevant change. For instance, when making the logical comparison between pipe P-4363 on the saturate gas plant and pipe P-4347 on the saturate gas plant for the dimension ‘identity’ (what is the item affected by the problem?), three distinctions are noted. Only one of these distinctions suggests a change. This is the change made to the original design of P-4363, when a vent point was converted to a water injection point. For the other two distinctions between P-4363 and P-4347, the operating temperature and the composition of the process material, no change had taken place since the plant was commissioned. However, it is noted for the distinction related to temperature that a higher operating temperature might lead to a faster rate of corrosion. In the case of the process material, an absence of hydrocarbon liquid droplets suggests a possibly reduced rate of erosion of the bend at P-4363. These factors may or may not be relevant to the cause of the failure, but at least they have been noted and can be taken into account in the next step.
Generation of possible causes
From the list of distinctions and changes it is possible to select possible or credible causes for the deviation statement.
• Possible cause 1: the change made to the original design of P-4363, when a vent point was converted to a water injection point, resulted in erosion of the bend owing to the water droplets not being properly dispersed into the gas stream.
• Possible cause 2: the water injection point to P-4363 is very close to the bend where the erosion/corrosion took place so that high-velocity water droplets did not have sufficient time to coalesce on the pipe walls but instead impacted the eroded bend.
• Possible cause 3: the higher temperature of the gas at pipe P-4363 resulted in a rapid rate of corrosion.
Lack of inspection of P-4363 may have been an important contributory failure leading to the accident but does not constitute a direct cause and so is not included in the list of possible causes. From the above list it is now necessary to identify the most probable cause.
Testing for most probable cause
Of the three causes listed above, possible cause 1, the injection of water to P-4363 by modifying a vent pipe during plant commissioning, without the use of a static mixer to induce dispersion as with P-4347 where very little corrosion occurred, is the most probable cause of the failure. It is unlikely that temperature or the position of the water injection point contributed significantly to the failure. The problem analysis exercise has therefore confirmed the findings of the HSE investigation into the accident. The next step is to verify this finding if possible.
Verification of the true cause
The verification of the true cause sets out to prove that the most likely cause was in fact the actual cause of the deviation statement, the failure of the pipe P-4363. This may involve setting up experiments or asking further questions which supply additional information to that already obtained in the analysis. In this case study it is hardly possible to replicate the failure by carrying out an experiment. However, it is quite possible that metallurgical examination will substantiate that most of the thinning of the pipe bend was due to erosion by water droplets carried at a high velocity in the gas stream. The use of a case study for a past accident where the direct cause has already been discovered is somewhat theoretical and requires the use of creative thinking. It does, however, demonstrate the power of the problem analysis technique developed by K&T to reveal hidden aspects of a problem, enabling these to be subjected to critical scrutiny as potential causes. Even if these aspects of the problem are eventually found to be irrelevant and discarded, the exercise will have at least demonstrated thoroughness. The technique has been used on a wide variety of problems, not restricted to equipment failures but embracing aspects of human error and management failure. For this case study there is no reason why the technique could not be used to trace back to the root cause of the accident.
Building a just culture
The attribution of blame
The role of RCA in the process of learning from accidents, as discussed above, is based on the principle that unless the accident investigation proceeds beyond the direct cause, the same or a similar accident is likely to recur. The principle is complicated by the fact that most direct causes of accidents are associated with human error, usually at the sharp end, whereas root causes tend to be associated with management or organizational failures at the blunt end. Whenever human error is implicated in an accident or other type of system failure, the concept of blame enters the picture. The blame is usually attributed by management to the person who made the error. The effect of blame attribution is two-fold. Firstly, blame ignores the causes of the error. Blame attribution does not take account of the fact that a high proportion of human errors are systemic in nature,11 that is, they are caused or made more likely by the existence of defective systems, whether these are
• physical systems such as a set of tools, a computer display or written procedures, or
• non-physical systems such as a company organization, a safety culture or management systems.
Quite often defects in physical systems can be traced back to defects in culture, organizational and management systems. Errors that are not systemic in origin are random or unpredictable errors which can never be entirely eliminated, although it has been found that these are few in number. If an error is systemic then the attribution of blame is inappropriate. Placing the responsibility for the error upon the person making it without examining the contributory causes will almost ensure that the error will occur again.
Secondly, blame inhibits reporting of errors. In an organization where it is likely that workers will be blamed and possibly punished for their errors, then errors that occurred but did not cause an accident are unlikely to be reported. The Heinrich pyramid described in Chapter 7 shows that for every accident that occurs there is a huge cloud of precursors including human errors which did not on that occasion lead to an accident. If the only errors which are revealed are those which caused an accident, then accident prevention will be severely inhibited.
Figure 8.6 illustrates in a simple way the concept of blame. There is always a danger that attribution of blame following an accident provides the simplest, most convenient and least costly explanation of the error or accident precluding a lengthy investigation and the expensive correction of system faults. This is represented by investigation route ‘A’. If remedial measures to prevent the error are taken then they will tend to be in the nature of additional rules or retraining of staff. Whilst this may be appropriate in some cases (see below), it is unlikely to prevent systemic errors occurring. Focusing attention upon the individual making the error, rather than upon the faulty system, almost guarantees that accidents of a similar nature will occur again. Investigation route ‘B’, in contrast, may be more complex, expensive and lengthy, but will reveal the root causes of the accident and is more likely to prevent a recurrence. In the process the direct cause, the human error, is also identified but now the root cause of this is corrected.

Figure 8.6 Concept of blame. [Diagram labels: ACCIDENT; Investigation route A; Investigation route B; Direct cause; Root causes; Human error; Management or organizational failure; ATTRIBUTION OF BLAME; Accident can recur; Correction of root causes; Accident recurrence prevented.]
Blame, no-blame and just cultures
Blame culture
Cultures which focus on blame following an error are characterized by an atmosphere where errors are covered up, preventing the systemic causes being revealed. These are often referred to as blame cultures or punitive cultures. In such a culture, staff will try to conceal their errors and often work in a climate of fear and under stress. As a result, staff turnover is high and inexperienced workers carry out tasks. The factors that characterize a blame culture may in themselves increase the probability of errors being made. The underlying principle that drives a blame culture is that the individual worker who makes the error is fully accountable for the outcome. In a blame culture, management set high standards of performance for workers under their control, accompanied by frequent exhortations to perform better with the threat of disciplinary action if standards are not met. The severity of the disciplinary action is generally proportionate to the consequences, or potential consequences, of the error. Workers who are disciplined are thought by management to have been dealt with justly having little regard to the causes of the error, which are usually assumed to be caused by carelessness or inattention. Incidences of violation of procedures are thought to be totally unacceptable and will attract severe retributive action. There is talk of there being always ‘bad apples in the tub’ and where this is perceived the sanction of dismissal is used as a deterrent.
The effects of such a punitive environment are in the end counter-productive and are likely to lead to more errors, the opposite of the expected result. Fear of punitive action, including potential career damage or termination of employment, will only result in errors being covered up so that the causes are never discovered and therefore cannot be corrected. The chances of errors being reported in this environment are extremely small and workers will develop cultural subterfuges in order to prevent management finding out what is actually happening. Learning opportunities are thereby missed and management will be deceived into thinking that ‘no news is good news’. Such cultures tended to predominate up until about 1990, when alternative (no-blame) cultures began to be promoted.
No-blame culture
The opposite of a ‘blame culture’ is in theory a ‘blame-free’ or ‘no-blame’ culture, and indeed such a culture is designed to encourage staff to report errors they have made so that the root causes will be revealed and corrected. Revealing the systemic causes of error may lead to the need for expensive remedial measures, but the consequence of further errors, if this is not done, will be far more costly in the long term than correcting the problems. Cultural shifts towards a no-blame attitude to errors occurred during the 1990s in the aviation, railway and healthcare industries in particular, mainly as a reaction to traditional closed professional cultures which were steeped in a regime of cover-up endemic to these industries. The no-blame culture recognizes that most errors are systemic in nature and unless the defective systems are corrected the errors will continue to occur. The culture also recognizes that human performance will always be flawed to some degree and errors can never be completely eliminated. It abandons the idea that fear of punitive action will cause staff to improve their performance and acknowledges the counter-productive effects of these measures.
However, as no-blame cultures became increasingly adopted through the 1990s it eventually became apparent that a major drawback existed. Whilst providing an atmosphere in which inadvertent errors could be revealed and discussed without fear of punitive action, it was not able to confront satisfactorily the problem of workers who wilfully and repeatedly failed to meet performance standards, and in the case of safety critical activities, failed to perform safely. It is clearly inappropriate to provide punitive measures to deal with errors which are inadvertent, but at the same time it is not in the interest of safety to ignore what may be described as reckless behaviour. In the case of the latter it is possible that immunity to sanctions is likely to encourage such behaviour. In addition, failing to apply sanctions in such cases would appear to be against natural justice (particularly within peer groups) and in such a situation a no-blame culture becomes practically unworkable.
Just culture
The concept of a just culture, in the context of blame, was developed in the late 1990s in response to the perceived failure of the blame-free or no-blame culture to deal adequately with all circumstances. A just culture, as with a no-blame culture, recognizes that ‘honest’ human error will always occur, that is, errors that were completely unintentional, especially if they were system induced, but even if they arose from a momentary lack of vigilance or alertness. The latter may, on examination, also be found to be system induced, for instance by workplace-induced stress or tiredness. In fact, the definition of a human error is ‘an unintended failure of a purposeful action, either singly or as part of a planned sequence of actions, to achieve an intended outcome within set limits of tolerability pertaining to either the action or the outcome’.11 A human error therefore occurs if there was no intention to commit an error when carrying out the action, the action was purposeful and the intended outcome of the action was not achieved within set limits of tolerability.
Errors need therefore to be distinguished from the more difficult problem of violations of rules or procedures. The definition of a violation is ‘an intended action that has taken place in breach of a set of rules, whether or not these rules are written down, are implicit within the action, or have been developed as part of custom and practice’.11 The main difference between an error and a violation is the matter of intention. Thus, a violation must always meet the two conditions that there was some level of intention in violating the rule and there was prior knowledge of the rule being violated (although not necessarily full knowledge of its consequence). There is a number of methods of classifying violations to reflect the circumstances under which they occurred in order that they are dealt with appropriately. One of the methods15 uses a ‘causation-based’ classification which distinguishes situational (or system-induced) violations (due to factors dictated by the employee’s immediate workspace environment) from optimizing violations (due to a perceived motive to ‘optimize’ a work situation for a variety of possible motives including removal of boredom or intentional risk taking). Both types of violation are intentional, but the former is probably best dealt with on a ‘no-blame’ basis since it may be possible to correct the adverse workplace situation that has induced the violation. This could include a management review of procedures and rules to ensure that they are still matched to the task requirements. The second class of violations, however, somewhat euphemistically classed as optimizing violations, may need to be treated differently. A more precise definition of this class might be reckless violations, that is, deliberately flouting rules for reasons unrelated to the work activity.
Having established the vital difference between an error and a violation, and distinguished two types of violation, it needs to be decided in what way, if any, they should be treated differently. A just culture sets out to treat them differently by effectively placing them along a ‘culpability spectrum’,16 as shown in Figure 8.7. Within this spectrum of behaviours have been placed ‘substance abuse’ and ‘sabotage’ in order to complete the picture and place errors and violations in context. At the left of the spectrum, culpability verges on the criminal, taking the response outside the corporate sphere. The definitions of reckless and negligent in this context are: ‘a person acts “recklessly” with respect to a result if s/he consciously disregards a substantial risk and acts only “negligently” if s/he is unaware of a substantial risk s/he should have perceived. The narrow distinction lies in the actor’s awareness of risk. The person acting negligently is unaware of harmful consequences and therefore is arguably neither blameworthy nor deterrable’.17 This presents an argument against punishment of the negligent employee, relying on the positive influence of learning to outweigh the deterrent effect of punitive action. Another view is that ‘“negligence” involves a risk that a “reasonable” and “prudent” person would have foreseen whilst “recklessness” involves taking a “deliberate” and “unjustifiable” risk’.17 To reconcile divergent views, the ‘negligent’ area on the spectrum in Figure 8.7 is shown as bridging the dividing line between culpable and blame-free behaviour.

Figure 8.7 Culpability spectrum.16 [Diagram labels: Culpable; Blame-free; Criminal; Reckless; Negligent; Unintentional; Sabotage; Substance abuse; Reckless violations; System-induced violations; Careless errors; System-induced errors.]

Companies need to adopt a consistent position on these complex issues and put effective policies in place to deal with the various manifestations of performance failure so that a just culture can be developed within the organization. Guidelines on where to draw the dividing line between culpable and blameless behaviours need to be drawn up. The Global Aviation Information Network (GAIN) has published A Roadmap to a Just Culture: Enhancing the Safety Environment,18 which provides a set of guidelines intended for the aviation industry but applicable in many ways to any industry. The reader is referred to this document for more information. One of the important aspects of building a just culture is information disclosure. This is dealt with in the next section.
Information disclosure
One of the key aspects of a just culture, and for that matter of a learning organization, is the need for a free flow and dissemination of safety-related information throughout the company. This will only happen if the employees understand that they are operating in a non-punitive environment where their disclosures will not have a negative effect on their career or job prospects. A free flow of safety information throughout the company promotes learning from errors and mistakes prior to an accident occurring and enables the organization to build on the knowledge gained. It is therefore an important aspect of accident prevention. Two forms of information disclosure are described in this section, confidential reporting (internal disclosure) systems and whistleblowing (public interest disclosure) policies. Both make an important contribution in their own way to the learning organization.
The learning organization
Confidential reporting systems
Rationale
A confidential reporting system (CRS) comprises a management system which not only allows, but encourages employees to disclose their own errors, correct their mistakes and raise safety-related concerns within the company without feeling that they may be jeopardizing their own career or employment security or being disloyal to colleagues or the organization. The enduring principle is that no-one who comes forward in good faith to raise a concern has anything to fear. In most cases, of course, safety-related concerns can be dealt with through normal company reporting channels without the requirement of confidentiality. Confidentiality is sometimes needed in order to overcome perceived problems of blame or punitive action by the company. The rationale for confidentiality is that receiving feedback of information from employees, especially where this may put them at risk of disciplinary action, is more valuable than any benefit which might be gained from any deterrent effect of punitive measures. The success of a CRS is highly dependent upon developing an atmosphere of trust between the employee and the employer. At the same time this trust cannot be completely naive since it must always take account of the distinction between acceptable and unacceptable behaviour, as discussed in the culpability spectrum above. Building trust must be accompanied by a common agreement about the point where standards of behaviour fall foul of the dividing line for punitive action. The company procedure which defines culpability must be agreed and clearly understood by all. There are several important attributes of an effective CRS. This list is based on the GAIN document18 referred to above.
• Visibility: employees need to be made aware that a CRS exists and familiarize themselves with the procedures and mechanisms that support it.
• Maintaining the employees’ voice: the system must ensure that the reports are used to voice the concerns of employees and not used to underpin existing management priorities.
• Publicized participation: the contribution rate from different parts of the organization needs to be publicized to demonstrate that there is trust in the system (but without setting quotas).
• Marketing strategies: these will include audience focus (employees are the audience, not management), linking safety values to the core business (tangible evidence that safety enhances production, efficiency, etc.), reward and recognition for participation in the reporting scheme.
• Management commitment: visibility of management’s involvement in the reporting process to show that they also trust the value of reporting incidents but especially are seen to act upon the information received.
• Employee involvement: ensure that employees are actively involved in the decision-making and problem-solving process which follows from a reported incident.
• Employee confidentiality: ensures that anonymity of the reporter is preserved. Steps may need to be taken in preparing the report so that the reporter cannot be identified from the reported circumstances.
Strategies to prevent corporate accidents
It has to be stressed that the most important attribute of a CRS is the free and open dissemination of safety-related information gathered, bearing in mind the anonymity requirements. Quite often, the scheme allows for safety-related concerns to be transmitted initially to an independent ‘safety broker’ who prepares the report, cloaking it in anonymity as necessary, before bringing it to the attention of a wider audience. This is designed to promote the sense of confidentiality among the participants.
Confidential reporting schemes
Various industries and businesses have successfully operated confidential reporting schemes. Some of these are summarized below.
ASRS
One of the earliest CRSs is the US Aviation Safety Reporting System (ASRS),19 which was established in 1975 and is administered by the National Aeronautics and Space Administration (NASA) in consultation with the Federal Aviation Administration (FAA), which provides most of the funding. The scheme is voluntary, confidential and non-punitive. It collects, analyses and responds to voluntarily submitted aviation safety incident reports in order to reduce the future likelihood of aviation accidents. Reports are submitted by pilots, air traffic controllers, flight attendants, mechanics, ground personnel and others involved in aviation operations, describing any incident in which aviation safety was compromised. The reports, which are submitted anonymously, are analysed by aviation safety specialists. The principal objective is to identify any aviation hazards which are raised in reports and submit these for immediate action by means of an alerting message issued to the appropriate FAA office. Information, including excerpts from ASRS safety reports, is disseminated by means of a monthly safety bulletin which is issued to over 85,000 aviation personnel across the industry. The information generated often results in human factors research studies being commissioned with an emphasis on real-life operational applications concerning human performance. It is noted on the website19 that immunity from punitive action and the assurance of confidentiality and waivers do not extend to reports of accidents or criminal activity such as hijacking, bomb threats and drug running. Thus, the punitive limits are defined by the system.
CHIRP
The UK Confidential Human Factors Incident Reporting Programme20 (CHIRP) for the aviation and maritime industries has been in existence since 1982.
Confidential reporting is available to flight crew, air traffic control staff, aircraft maintenance engineers, cabin crew and the general aviation community. Information provided from reporters is made available in a non-identifiable form to those with responsibility for addressing the problems. Details of reporters’ identities are not retained and are returned to the reporter on closure of the report. Dissemination of information gained takes place on as wide a basis as possible through a number of publications to aviation staff. CHIRP is complementary to a mandatory occurrence reporting system operated by the UK Civil Aviation Authority (CAA). It enables individuals in the industry to raise safety issues without being identifiable to their peer group, management or the regulatory authority. The system maintains confidentiality but not anonymity; anonymous reports are not normally the subject of remedial actions since they cannot be validated.
CIRAS
The Confidential Incident Reporting System21 (CIRAS) for the UK rail industry has been operating since 1996 and is administered by the Centre for Applied Social Psychology at the University of Strathclyde. CIRAS was initiated by a rail company called Scotrail and other railway companies later volunteered to join the scheme. Following the Ladbroke Grove rail accident in 1999, when thirty-one people died and over 400 others were injured, it became mandatory for all UK rail companies to be members of a CRS, and CIRAS was extended to cover the whole of the national rail network from 2000. Since the UK rail industry is in private ownership, CIRAS complements rather than replaces private companies’ own internal reporting systems, which staff are encouraged to use in the normal run of affairs. If a railway employee feels unable to raise a safety concern with his employer for whatever reason, then that person is able to report the matter confidentially to the administrators of the scheme. The system is confidential but not anonymous; reporters’ details are not submitted to rail companies and there has never been a breach of confidentiality in this respect. However, safety issues which are raised will be taken to the employer in confidence in order that corrective action may be implemented where appropriate. The scheme administrators are able to analyse reports enabling trends to be identified and assisting rail companies to improve their safety performance to the benefit of everyone in the industry.
CIRAS is an independent charitable trust made up of representatives from the trade unions (RMT), the Rail Safety and Standards Board (RSSB), Network Rail, and the Association of Train Operating and Freight Operating Companies (ATOC).
Medical error
A US Institute of Medicine (IOM) report, To Err is Human: Building a Safer Health System,22 published in November 1999, estimated that preventable medical mistakes cost the lives of between 44,000 and 98,000 people annually in US hospitals. As a result the Patient Safety and Quality Improvement Act was signed into Federal law in 2005, requiring healthcare systems to undertake RCA of ‘adverse events’ (a term used for medical error in the healthcare industry) and to share the findings and make improvements without attributing blame to medical personnel. It indicated the US government’s commitment to fostering a culture of patient safety by fostering voluntary and confidential reporting of such events. The Act not only required blame-free investigation to take place, but also prohibited employers from adopting sanctions against healthcare workers who disclose errors, apart from in cases where the employees might be in breach of the law. The report also recommended that a mandatory nationwide medical error reporting system be initiated, although this has not yet been put into place. As a result of these initiatives, it is reported that healthcare bodies in about twenty-four states now have medical error reporting systems.
Conclusion
Not all authorities are in favour of CRSs; there is an argument that the existence of a CRS indicates a failure of an organization or an industry to engender trust between management and employees. The need for employees to hide behind a veil of anonymity seems to indicate a breakdown in relationship with the employer. It is argued that a company ought to work towards establishing an open reporting culture where employees are not fearful to come forward and express their concerns to management. In fact, as emphasized above, a CRS is complementary to this sort of open culture, and a CRS should not preclude working towards this eventual aim. But even the best open culture will not operate perfectly in all circumstances and the confidential route should therefore be left open for those more difficult situations which prevent concerns being raised openly. There may, however, be situations where even a CRS fails to bring about the change necessary to satisfy safety concerns that have been raised. When the normal reporting channels, and a CRS if it exists, have been exhausted, frustrated employees are sometimes left with the option of whistleblowing on the company. However unsatisfactory this may seem to employers, it is still necessary for companies to have a whistleblowing policy in place in order that employees understand their position. The passing of legislation in the UK and USA over the past few years to protect whistleblowers makes a company policy on the issue even more imperative. This subject is dealt with in the next section.
Whistleblowing
Why whistleblow?
Although most safety concerns and incidences of human error are dealt with in a satisfactory way through normal or confidential reporting channels, situations may come about where an unresolved difference remains between employee and company. A number of instances of this situation have occurred in the context of major corporate accidents described in the case studies in Appendix 2 and these instances are discussed further below. When an employee has exhausted all the usual channels provided but still finds that a conflict exists between the duty to act in the employer’s interests and the duty to the community or colleagues, clearly his or her duty to the latter must prevail. This situation was described in Chapter 3, under the heading ‘Management and professional ethics’. It often results in ‘whistleblowing’; a dictionary definition is ‘bringing an activity to a sharp conclusion as if by the blast of a whistle.’ It may not be in the employee’s best personal interest to act in this way since it is well known that whistleblowers have in the past been subject to significant victimization. The ethical dilemma is whether to align their interest with the employer, ignore the safety concern, risk an accident but preserve their career, or to align their interest with the community and risk potential damage to their future prospects. Public interest demands that an employee take the latter course and this has given rise to the term ‘public interest whistleblowing’ and the legislation that has been introduced to support this.
UK public disclosure legislation
Whistleblowers often experience hostility or ostracism by managers and colleagues who believe they are showing disloyalty and a lack of respect for the company. This has resulted in potential whistleblowers failing to act to bring serious corporate problems to the attention of those able to correct the situation, sometimes resulting in a preventable accident. It has also resulted in low esteem and intolerance of whistleblowers, particularly by employers; because they are frequently a lone voice they can easily be perceived as a maverick who is sabotaging the organization. This perception of the whistleblower began to change in the UK following the publication of the report of the Nolan Committee on Standards in Public Life in 1995. The committee was set up following allegations of ‘sleaze’ in many areas of public life, including both the legislature and the executive. Its terms of reference were to investigate ‘the standards of conduct of all holders of public office’.
The UK Nolan Committee Report
One of the seven key ‘principles of public life’ recommended in the first Nolan Report23 was the principle of selflessness, which stated that ‘Holders of public office should act solely in terms of the public interest. They should not do so in order to gain financial or other benefits for themselves, their family or their friends’. Clearly, this reflects the same ethic as the code of conduct of various professional bodies referred to in Chapter 3. Yet the Nolan Committee also foresaw that this responsibility could not easily be discharged in a culture of hostility or fear of victimization. Indeed, it was suggested that it was exactly this sort of closed culture that had allowed the development of sleaze in public life, perceived or otherwise. The outcome of the committee’s work was, amongst other recommendations, a series of guidelines on good practice for openness, particularly in public bodies, including the civil service, local government and the National Health Service (NHS). The second Nolan Committee Report,24 published in 1996, dealt, amongst other matters, with the issue of whistleblowing. It stated that:
all organizations face the risks of things going wrong or of unknowingly harbouring malpractice. Part of the duty of identifying such a situation and taking remedial action may lie with the regulatory or funding body. But the regulator is usually in the role of detective, determining responsibility after the crime has been discovered. Encouraging a culture of openness within an organization will help: prevention is better than cure. Yet it is striking that in the few cases where things have gone badly wrong in local public spending bodies, it has frequently been the tip-off to the press or the local Member of Parliament – sometimes anonymous, sometimes not – which has prompted the regulators into action. Placing staff in a position where they feel driven to approach the media to ventilate concerns is unsatisfactory both for the staff member and the organization.
The Nolan Committee for the first time brought a degree of respectability to the role of the whistleblower in helping to uphold high ethical standards in public life. It led directly to the Public Interest Disclosure Act 1998.
The Public Interest Disclosure Act 1998
Following the 1997 general election, the newly elected Labour government supported a Private Member’s Bill introduced by Richard Shepherd MP to protect public interest whistleblowers. As a result the Public Interest Disclosure Act 199825 received Royal Assent and came into force in 1999. It is defined as ‘an Act to protect individuals who make certain disclosures of information in the public interest; to allow such individuals to bring action in respect of victimization; and for connected purposes’. The Act provides protection from victimization for public interest whistleblowers and applies to every employee, whether in the public or private sector. The Act forms part of existing employment legislation and introduces the concept of a ‘protected disclosure’. This is defined as information which in ‘the reasonable belief of the worker’ reveals issues of malpractice by their employer including criminal offences, miscarriages of justice, failure to comply with legal obligations, and dangers to health, safety and the environment, either in the UK or overseas. In making such a disclosure the worker has the right ‘not to be subjected to any detriment by any act of his employer done on the grounds that he had made the disclosure’. A legal body in the UK, an employment tribunal, may decide whether a disclosure is protected if the worker presents a complaint that he has suffered victimization. It is possible to claim unfair dismissal and compensation if victimization is brought about by reason of a protected disclosure.
Employee’s obligations
To ensure that a balance is maintained between the interests of the public and the employer, certain safeguards have been built into the Act. A detailed description of these safeguards is not given here, but the main pre-conditions for a protected disclosure include:
• The worker must make the disclosure in good faith, having a reasonable belief that a malpractice has occurred.
• The employee must not personally benefit from the disclosure.
• The matter must first have been raised internally with the employer or an official regulator before it is raised in a wider context, such as to the media, the police, member of parliament, etc. If the matter is raised outside the company, with the media for example, then it must be on the basis that:
– there is no prescribed regulator, or
– there is a reasonable belief by the whistleblower that he may be victimized for making a disclosure internally or to a regulator, or
– there is a reasonable belief that evidence may be destroyed or a cover-up will occur, and the issue is exceptionally serious.
A protected disclosure made outside the company or to a regulatory body will be correspondingly more difficult to prove at an employment tribunal.
Employer’s protection
Protection for employers against unwanted disclosures outside the company, which they might regard as damaging, is very simple:
• Employers should introduce a procedure for whistleblowing by employees.
• Employees should be made aware that reporting to a prescribed regulator is acceptable.
• Employees should be made aware that there is a policy of no victimization against whistleblowers.
It should be noted that none of the above is mandatory under the Act, but they should rather be regarded as best practice. In addition, confidentiality agreements and ‘gagging clauses’ in employment contracts which might purport to preclude the worker from making a protected disclosure are unenforceable as far as the Act is concerned. This may not apply if an employee is in breach of the Official Secrets Act and is convicted of an offence. The above provides an outline of the current legal protection afforded to whistleblowers in England, Wales and Scotland. It is not intended to be comprehensive and readers seeking legal advice about whistleblowing should consult a qualified expert on employment law.
US legislation
Early legislation
Unlike the UK, which has no written constitution, US citizens working for the government are protected first of all by the 4th and 5th Amendments of the Constitution which prevent government establishments from discriminating against employees who ‘express reasonable dissent on matters of public concern’. This protection is enhanced by a variety of other statutes. Employees in the private sector are not, however, protected in this way. The first true whistleblowing legislation to be passed in the USA was language included in the Civil Service Reform Act 1978 (CSRA), providing employee protection from victimization for making information disclosures about misconduct in government establishments (but with many exceptions). It made illegal specific forms of harassment and prohibited action against staff for whistleblowing disclosures, refusal to violate the law, and exercise of appeal rights including violations of constitutional or statutory rights. The CSRA created the Federal Office of the Special Counsel (OSC or Special Counsel) to provide redress for whistleblowers before the US Merit Systems Protection Board (MSPB). The relation between the OSC and MSPB was that of a prosecutor and judge, respectively.
The Whistleblower Protection Act
The protection provided by the CSRA was later strengthened by the Whistleblower Protection Act (WPA)26 of 1989, which applied to federal employees making a disclosure revealing illegal or improper government activities. The protection of the WPA can only be invoked when a number of elements are present: a personnel action that was taken because of a protected disclosure made by a covered employee. Covered employees are mainly in the executive branch of government but do not include certain workers in the security field, for instance, the FBI and CIA. Protected disclosures are any disclosure of information that a covered employee ‘reasonably believes’ shows ‘a violation of any law, rule, or regulation’ or evidences ‘gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety’. There is an overriding condition that the disclosure is not prohibited by law or subject to secrecy by executive order. The requirement for the employee to have a ‘reasonable belief’ simply means it was believed in good faith but does not necessarily have to be true. In 1994, twenty improvement amendments were made strengthening the protection given to whistleblowers under the WPA. The WPA of 1989 and 1994 was generally under-utilized and overly restrictive in the way it could be applied. In March 2007 the House of Representatives passed the Whistleblower Protection Enhancement Act (H.R. 985) with the objective of clarifying which disclosures of information are protected from prohibited personnel practices that have a detriment to the employee. The legislation is still restricted to government employee protection, but now extends to federal workers who specialize in national security issues and employees who work for companies with government contracts, and clarifies disclosures of actions that threaten the integrity of federal science. It also removes many restrictions on the scope of disclosures, especially regarding time, place, form, motive, context or prior disclosure, and includes formal or informal communication. It now allows whistleblowers access to federal district courts if the MSPB fails to take action within 180 days.
The Sarbanes–Oxley Act
In July 2002, Congress passed the Sarbanes–Oxley Act in the wake of the financial scandals involving companies such as Arthur Andersen, Enron and WorldCom. This legislation extended whistleblower protection to the private sector and in particular those who have a reasonable belief that a publicly traded company has engaged in fraudulent activities. This has resulted in corporate whistleblowers having much better protection from victimization than employees in the public sector, although this is not to say that disclosures of government misbehaviour are any less important.
Corporate whistleblowing arrangements
According to the Nolan Report, corporate whistleblowing arrangements should be seen ‘both as an instrument of good governance and a manifestation of a more open culture’. Victimization by an organization of employees for whistleblowing is no longer acceptable. The Nolan Committee recommended that a corporate approach to whistleblowing should include both policy and practice. The charity Public Concern at Work,27 which provides confidential advice and support packages to organizations setting up whistleblowing arrangements, suggests that the following elements should be included.
Policy
Malpractice should be taken seriously and examples should be given of the types of concern which would distinguish whistleblowing from a grievance. Staff must be able to raise concerns internally, but outside their line management. It should be made clear that the company will respect the confidentiality of staff that raise concerns. Staff should be able to receive independent confidential advice from a suitable agency. The rules about how an employee should raise concerns outside the organization, for instance, to the regulator, should be carefully formulated and spelled out to employees. It should be made clear to company management that victimizing a bona fide whistleblower is a serious disciplinary matter.
Practice
Companies should not only ensure that members of staff are made aware of the whistleblowing procedures within the organization, but also provide realistic advice about the need for openness, confidentiality and anonymity. The whistleblowing procedures need to be regularly communicated to staff and continually reviewed to ensure that they continue to work in practice.
Conclusion
The main conclusion to be drawn is that if a company has the correct procedures in place then whistleblowing is not an activity to be deprecated but rather a further avenue to promote organizational learning, openness and the free flow of information. In spite of all this, where safety issues are at stake, it is imperative that employees’ concerns are taken seriously from the outset and acted upon where appropriate, well before employees feel that it is necessary to whistleblow outside line management or, worse, outside the company. The Public Interest Disclosure Act 1998 in the UK, and similar arrangements in the USA, although providing welcome protection to employees, will only be a last resort for employees of a company which is operating an open and just culture.
Case studies in failures of organizational learning
Two particular case studies in Appendix 2 illustrate failures in organizational learning, the loss of the space shuttle Columbia (Case Study A2.1) and excessive mortality in children’s heart surgery at the UK’s Bristol Royal Infirmary (Case Study A2.4). These case studies also demonstrate both the successes (eventually at Bristol Royal Infirmary) and failures (space shuttle Challenger accident) of whistleblowing. Failures in whistleblowing are defined as situations where employees become aware of an unsafe situation and raise this with their company management, who then fail to respond. For reasons of misplaced company loyalty or fear of retribution, employees then decide not to take matters any further, for instance outside the company to a safety regulator, and an accident ensues as a result. There have been many situations where this scenario has been played out, often followed by the whistleblower losing his employment and subsequently failing to find similar work in the industry. Apart from these case studies there are numerous other examples of failures in whistleblowing leading to corporate accidents. Quite often this has been linked to a closed, secretive, threatening and information-retentive culture within the company where the accident occurred. The inquiry into the sinking of the Herald of Free Enterprise (see Appendix 1, Case Study A1.1) in 1987, which cost 193 lives after the ferry put to sea with the bow doors open, found that the warnings of ships’ masters about this particular danger had been transmitted to management on numerous occasions but went unheeded. Following the Piper Alpha explosion in the North Sea, when 167 workers died, the public inquiry report28 stated that ‘workers do not want to put their continued employment in jeopardy through raising a safety issue that might embarrass management’.
1. The loss of the space shuttle Columbia
The tragic loss of the space shuttle Columbia in 2003 is summarized in Chapter 4 and described in detail in Appendix 2, Case Study A2.1. Following the fire and explosion which destroyed the space shuttle Challenger seventeen years earlier, the Rogers Commission,29 which was set up to investigate the accident, identified a number of failures in the NASA organization and made numerous recommendations for these to be rectified. Unfortunately, it was not possible to fix the technical compromises which led to the current design of the orbiters, particularly the ‘strap-on’ disposable solid fuel rocket motors with their vulnerable design. The Challenger accident was caused by a brittle failure of the O-ring seals between the rocket segments by launching at too low an ambient temperature. The Columbia accident was due to a failure of the same item of equipment, in this case due to pieces of solid insulation cladding breaking away from the solid fuel motors and damaging the heat-resistant tiles on the orbiter. As with many defective equipment designs with safety implications, the only recourse left open to the operator to limit the chance of an accident is to tinker with the human systems, often the operating procedures and the organizational arrangements. The Rogers Commission had identified a lack of an independent body to take an overview of safety issues at NASA and an undue influence of flight schedule pressures upon safety. It recommended that ‘NASA should establish an Office of Safety, Reliability, and Quality Assurance to be headed by an Associate Administrator, reporting directly to the NASA Administrator’.
The Columbia Accident Investigation Board (CAIB),30 set up in the wake of the Columbia accident, found that the safety organization set up by NASA following the Challenger accident had not met the original intent of the Rogers Commission; in short, it did not have sufficient independence, either in authority or in funding. Furthermore, in the intervening period, NASA had delegated much of its responsibility for safety to a single specialist contractor to manage the thousands of different contracts supporting the project. This had resulted in a major reassignment of NASA staff and a loss of safety knowledge from the organization. The effective result was that safety responsibilities had been transferred from the government to the private sector and NASA’s in-house safety expertise was subsequently eroded. In these circumstances the chances of learning from the previous Challenger accident were severely diminished. The Columbia accident was, in effect, an accident waiting to happen owing to a serious failure of organizational learning.
The failure of whistleblowing which occurred was associated with the Challenger accident and involved Roger Boisjoly, a structural engineer for Morton Thiokol Inc., the firm that manufactured the solid fuel rocket boosters and was responsible for the design of the O-ring seal. Mr Boisjoly had led a technical working group at the request of his employer to consider the problem of low temperature affecting the flexibility of the seal at launch. However, when he recommended that the launch of Challenger should be postponed because of the possibility of catastrophic failure, he was ignored even up to the point of a telephone conference held with NASA on the eve of launch. The main concern of the contractor and NASA was a reluctance to accept any delay in the shuttle launch, for political reasons. At the Rogers Commission hearings, Mr Boisjoly described the difficulty of communicating his concerns while working in an adversarial environment. Following the accident Mr Boisjoly found himself shunned by colleagues and managers; he retired from the company and was unable to work in the industry again.
2. Children’s heart surgery at the Bristol Royal Infirmary

This case study is reported in summary form in Chapter 4 and in detail in Appendix 2, Case Study A2.4. It related to the deaths of a number of children aged under one year after open-heart surgery in the Bristol Royal Infirmary and raised immense public concern. When matters were finally brought to public attention a public inquiry was instituted, led by Professor Ian Kennedy, Professor of Health Law, Ethics and Policy at University College, London. In his report, summarized in Appendix 2, Case Study A2.4, Kennedy found that there were no proper management systems to determine responsibility for resolving problems when they arose. The end result was that the problems were not resolved at all, while children who should have survived continued to die.

The concerns about paediatric open-heart surgery were first raised in 1986 by Dr Stephen Bolsin, a consultant anaesthetist at Bristol, but no action was taken to protect the health and safety of the children who were being treated. At great personal risk to his future career, and undeterred by attempts to keep him quiet, Dr Bolsin continued to bring the matter to the attention of the authorities. Like many whistleblowers before and since, Dr Bolsin found himself ostracized by his profession for having broken ranks and, unable to obtain suitable work in the UK, was forced to emigrate with his family to Australia.

The failure of learning in this tragic series of professional errors was mainly perpetuated by a professional subculture which has already been discussed in the context of this case study in Chapter 4. Unfortunately, the incident also demonstrates most of the worst features of Model 1 learning summarized in Table 8.1. These include unilateral protection of self and others by limited public testing of ideas, discouraging enquiry, defensive relationships, making covert assessments, limited
freedom of choice and face-saving strategies avoiding unpopular facts which might show the organization in a bad light. The outcome of this inquiry was a number of new measures adopted by the NHS in the area of patient care, the care of patients being its principal core value, including a commitment to a more open culture. A statement in the House of Commons on the day of publication of the inquiry report referred to this:

If the NHS is to learn from when things go wrong, it must move beyond a culture of blame. The tenor of the Bristol inquiry report is, in my view, a significant step towards a more open and honest health service. Medicine is not a perfect science. Even the best people can make the worst mistakes. Putting right what can sometimes go wrong relies on the NHS being able to acknowledge error and having systems in place to minimise error. The absence of such an approach at Bristol, and in the wider NHS at the time, contributed directly to the tragedy that cost dozens of children their lives.31,32
References

1. Wenger, E. (1998). Communities of practice. Learning as a social system, Systems Thinker, http://www.co-i-l.com/coil/knowledge-garden/cop/lss.shtml
2. McGill, M.E., Slocum, J.W. and Lei, D. (1992). Management practices in learning organizations, Organizational Dynamics, 21, 5–17.
3. Argyris, C. and Schön, D. (1978). Organizational Learning: A Theory of Action Perspective, Reading, MA: Addison Wesley.
4. Wittrock, M. (1989). Generative processes of comprehension, Educational Psychologist, 24, 345–376.
5. Senge, P.M. (1990). The Fifth Discipline. The Art and Practice of the Learning Organization, London: Random House.
6. Aronson, D. (1998). Overview of Systems Thinking, http://www.thinking.net/Systems_Thinking/OverviewSTarticle.pdf
7. Peter Senge and the Learning Organization, http://www.infed.org/thinkers/senge.htm
8. Bohm, D., Factor, D. and Garrett, P. (1991). Dialogue – A Proposal, http://www.infed.org/archives/e-texts/bohm_dialogue.htm
9. Health and Safety Executive (2001). Proposals for a New Duty to Investigate Accidents, London: HSE, Policy Division, SASD, http://www.hse.gov.uk/consult/condocs/cd169.pdf
10. Heinrich, H.W. (1931). Industrial Accident Prevention, New York: McGraw Hill.
11. Whittingham, R.B. (2004). The Blame Machine: Why Human Error Causes Accidents, Oxford: Elsevier Butterworth-Heinemann, Chapter 3.
12. Reason, J. (1997). Managing the Risks of Organisational Accidents, Aldershot: Ashgate.
13. US Department of Energy (1992). DOE Guideline: Root Cause Analysis Guidance Document, DOE-NE-STD-1004, -92, http://www.maintenanceworld.com/Articles/doe/rootcause.pdf
14. Kepner, C. and Tregoe, B. (1997). The New Rational Manager, Princeton, NJ: Princeton Research Press.
15. Mason, S. (1995). Improving Compliance with Safety Procedures, Sudbury: HSE Books.
16. International Federation of Air Traffic Controllers’ Associations (2003). The Need For a Just Culture in Aviation Safety Management, 11th Air Navigation Conference, Montreal, 22 September–3 October 2003, http://www.icao.int/icao/en/anb/meetings/anconf11/documentation/ANConf11_wp092_en.pdf
17. Robinson, P.H. and Grall, J.A. (1983). Element Analysis in Defining Criminal Liability: The Model Penal Code and Beyond, 35 Stan. L. Rev. 681, pp. 695–696.
18. Flight Ops/ATC Ops Safety Information Sharing Working Group (WG E) of Global Aviation Information Network (GAIN) (2004). A Roadmap to a Just Culture: Enhancing the Safety Environment, 1st edn, http://204.108.6.79/products/documents/roadmap%20to%20a%20just%20culture.pdf
19. Aviation Safety Reporting System (ASRS), Moffett Field, CA, USA, http://asrs.arc.nasa.gov/
20. CHIRP, Farnborough, http://www.chirp.co.uk/main/default.asp
21. CIRAS, Confidential Incident Reporting System for the UK Rail Industry, Centre for Applied Social Psychology, University of Strathclyde, http://www.ciras.org.uk/
22. Institute of Medicine (1999). To Err is Human: Building a Safer Health System, Washington DC: IOM, http://www.iom.edu/?id=12735
23. Nolan Committee on Standards in Public Life (1995). First Report, Cm 2850-I, http://www.archive.official-documents.co.uk/document/cm28/2850/2850.htm
24. Nolan Committee on Standards in Public Life (1996). Second Report, Cm 3270, London: Stationery Office, p. 21.
25. The Public Interest Disclosure Act 1998, http://www.opsi.gov.uk/ACTS/acts1998/19980023.htm
26. The Whistleblower Protection Act: An Overview, CRS Report for Congress, http://fpc.state.gov/documents/organization/81927.pdf
27. Public Concern at Work. Making Whistleblowing Work, London: PCAW, http://www.pcaw.co.uk/index.html
28. Lord Justice Cullen (1990). The Public Inquiry into the Piper Alpha Disaster, London: HMSO.
29. The Presidential Commission on the Space Shuttle Challenger Accident Report (1986), http://history.nasa.gov/rogersrep/genindex.htm
30. Columbia Accident Investigation Board (2003). Report, Vol. 1, http://caib.nasa.gov/news/report/pdf/vol1/full/caib_report_volume1.pdf
31. Learning from Bristol: The Government’s Formal Response to the Report of the Public Inquiry into Children’s Heart Surgery at the Bristol Royal Infirmary 1984, www.hcsu.org.uk/index.php?option=com_docman&task=doc_download&gid=508
32. Hansard (House of Commons Daily Debates), http://www.publications.parliament.uk/pa/cm200102/cmhansrd/vo010718/debtext/10718-04.htm
9
Corporate social responsibility
Corporate Citizenship involves corporations becoming more informed and enlightened members of society and understanding that they are both public and private entities . . . They are created by society and derive their legitimacy from the societies in which they operate. They need to be able to articulate their role, scope and purpose as well as understand their full social and environmental impacts and responsibilities.
McIntosh et al.,1 p. 16

If a squirrel is a rat with good PR, the skeptics certainly smell a rat in companies’ claims about their social responsibility.
MORI Poll, Corporate Brand and Corporate Responsibility 2
Introduction

The directors and senior managers of companies are required to work within corporate structures which at the highest level will define the aims and objectives of the organization. Relevant to the purpose of this book are the aims and objectives which, when efforts are made to implement them, will limit the incidence of corporate accidents. It is now necessary to move outside the private corporate realm and consider the role of the corporate body in the wider societal and global context. It is also necessary to study the relationship between the corporate body and the various stakeholders who have an interest in the company’s performance economically, ethically and philanthropically. If the balance among these various interests can be maintained in equilibrium then the company will have developed an additional and effective strategy to prevent corporate accidents. The company will have ceased to be driven solely by the profit motive with the ever-present danger of cost externalization as mentioned in an earlier chapter and explored further in this chapter.
This chapter is in many ways an extension of Chapter 3. In that chapter, the rather bleak outlook for corporate ethical behaviour was formed by the emphasis upon a single, and rather oversimplified, model of the corporation, the so-called neo-classical or monetarist model, as derived from the ideas of Adam Smith, and described in Chapter 2. This model depicts the corporation as having a single purpose, the maximization of profit and increasing the value of the company’s stock for the benefit of the stockholders. Single-minded pursuit of this purpose with the ever-present temptation to externalize costs within the remit of the law can very easily become the normal way of doing business. Within the constraints of the neo-classical economic model, the various stakeholders considered in Chapter 3 lacked the motivation and/or the power to promote corporate ethical behaviour over and above that required by law. The counter-measure, government regulation, as described in Chapter 6, revealed that health and safety laws, even in developed countries, effectively prescribe only minimum standards. Unless companies aim for a higher standard than merely staying within the law, corporate accidents are made more likely.

This chapter shows that in practice there are corporate structures other than the neo-classical model which can be adopted by companies and which remove some of the constraints of the purely monetarist approach. Working within these structures, directors and senior managers in particular are legitimately able to take account of ethical concerns while at the same time paying attention to the main purpose of the company, to increase profitability and the value of the stock. This structural solution to the problem of corporate ethical behaviour is developed in this chapter and contributes what is yet another strategy to defend against corporate accidents.
This chapter suggests that the ideal of corporate citizenship deriving from an ethical policy is a necessary precursor to the development of real social responsibility if the latter is to be more than an ephemeral exercise in corporate public relations and image building. The terms ‘corporate citizenship’ and ‘corporate social responsibility’ (CSR) are often used interchangeably. Here, particular definitions of these terms are developed as a hierarchical relationship in Figure 9.1. This shows how ethical policy (a purpose other than just making money) is translated via corporate citizenship (an ethical structure or corporate model) to be realized in terms of corporate social responsibility (implementation as social action). The hierarchical relationship between these three levels of ethical behaviour is shown in Figure 9.1 alongside the equivalent relationships which flow from the safety policy (purpose), that is, safety management systems (structure) and methods of working (implementation). This is consistent with the systems approach to managing safety described in Chapter 7. It will be noted that both the ethical and safety policies are shown as deriving from the corporate culture of the company as described in Chapter 4. As shown in this chapter, unless the requisite corporate culture is in place and the basic assumptions of this reflect the ethical concerns of the company, ethical behaviour is unlikely to ensue except perhaps as empty statements (artefacts) which are not borne out in practice. Each of the three levels of ethical behaviour is now considered in more detail, with examples being provided from ethical companies who have adopted corporate citizenship ideals and translated these into social responsibility activities.
[Figure 9.1 Hierarchy of ethical and safety concerns. Corporate culture gives rise to two parallel strands, ethical and health and safety, each at three levels: purpose (ethical policy; safety policy), structure (corporate citizenship; safety management systems) and implementation (corporate social responsibility; methods of working).]
Corporate ethical policy

The corporate ethical policy (sometimes called a code of ethics) essentially expresses the purpose of a company (if any) apart from the main declared purpose of most companies: to make a profit, pay out a dividend and increase the value of the stock for the owners. As described below, the purpose needs to be translated into action via structures which support the purpose. If the expressed purpose and the action correspond then the company can be said to be acting with integrity. A very simple definition of ethical policy is:

The company’s reasons for existence (purpose) beyond just making money and being compliant with the law.

This is not to be confused with specific corporate goals or business strategies which are simply the means to implement the many policies including ethical policy. It was also noted in Chapter 3 that ethics includes but goes beyond compliance with the various laws that govern corporate behaviour.

It was stated in Chapter 3 that the corporate body, although it can be defined legally as an artificial person, is unable to do anything of its own volition, let alone comprehend the finer points of ethics and morality. It can only operate through the intention and will of the human corporate actors which animate it. Corporate ethical policy is not therefore something the company does, rather it is aimed at the standards of conduct of the directors and managers who determine the behaviour of the organization. When society sees a company behaving badly, perhaps in failing to take account of the interests of stakeholders, or perhaps more seriously following a corporate accident, it sees the
human face of those managers and directors who are responsible, not the faceless organization. This was pointed out in Chapter 2, in the critique of new corporate manslaughter legislation. Many concerned bodies were surprised to discover that corporate manslaughter charges under the new legislation, applicable in the UK from April 2008, can only be brought against a corporate body, not against managers or directors in the company who may have been found to be negligent. Charges against such persons would need to be brought separately, with all the legal difficulties that this has entailed in the past. It is important therefore that ethical policy is directed towards those ultimately responsible when things go wrong. However, ethical policy should be seen not as a code of conduct that restricts people’s freedom to act, but as a means of empowering people to act in ethical ways.
Core values

Ethical policy is often put into practice in the organization by means of a code of ethics for the company and for its employees which advises on the ethical response to various circumstances when they arise (see below). A company cannot act responsibly in its duties to its stakeholders and to society generally unless it has an ethical basis for action as set down in an ethical policy. However, every company is unique and each must develop an ethical policy that is based on its own core values. Core values have been defined as the ‘central and enduring tenets of the organization . . . they remain fixed while business strategies and practices endlessly adapt to a changing world’.3 Whilst core values will depend to some extent upon the kind of business in which a company is engaged, a study of core values across a spread of companies reveals a basic set of values common to most companies. Core values can be divided into two main types, moral and social values and organizational values. Moral and social values are those values which are brought to the company by individuals and which are underwritten by the company. Organizational values are those values which are brought by the company for individuals to subscribe to. Typical values are shown for each category in Table 9.1.
Table 9.1 Typical core values

Moral and social values: Respect for others; Honesty and integrity; Fair-mindedness; Caring for fellow employees; Patience; Tolerance of diversity; Enthusiasm; Being community minded; Frugality

Organizational values: Motivation; Fulfilling commitments; Cooperation with peers; Pursuit of excellence and quality; Responsiveness to customers; Mission focus; Innovation and creativity; Entrepreneurial spirit; Shareholder value; Teamwork
The main problem with core values arises when the espoused values do not correspond with the reality of everyday life in the company. The company may lay claim to a core value and the staff may espouse the value without having the least idea of how to apply it in a given situation, especially where the situation is novel or causes a conflict with normal job parameters. To ensure this correspondence, it is necessary for the ethical policy to be developed in the form of a code of ethics which is much more specific and becomes part of the method of working. This is discussed below.
Code of ethics

The code of ethics may be the same as the ethical policy, or it may flesh out a brief statement of ethical policy in more detail across the main areas of a company’s operations. It provides ethical standards to which the company and its stakeholders can be held accountable. It can also be used as a standard for the company to assess whether its employees have engaged in unethical practice. Guidance is widely available from many sources on constructing a code of ethics and the following represents an overview of the typical aspects of business activity which need to be considered. As might be expected, the key areas to be included in the code of ethics are really centred around the main stakeholders. There is a strong element of reciprocity between the obligations of stakeholders and the corporate body. Typical areas to be included are listed below.
The purpose of the business

The purpose of the business is described, typically as found in a business plan. It describes the services or products which are being provided, with the focus upon the needs of the customers and the role of the business in society from the point of view of the company.
Employees

Typically, the requirements of the code for employees are divided into two parts:

• Obligations of employees to the company:
  – Positive (‘shall do’) injunctions include acting with high standards of honesty, integrity, fairness and equity in all aspects of their employment as well as actively promoting compliance in letter and spirit with laws, rules and regulations which govern the operation of the business. They also include exercising due care and diligence in the performance of their duties and responsibilities, attending to detail in all aspects of work, being mindful of the sensitivities of others, protecting confidentiality and being courteous, open and honest.
  – Negative (‘shan’t do’) injunctions include avoiding participation in any illegal or unethical activity, such as entering into any arrangement that would conflict with the interests of the company or the community, or prejudice the performance of professional duties; and not using the company’s assets for personal benefit.
• Obligations of the company to employees. This would state that the business values its employees and would refer to the company’s policies on working conditions, recruitment, development and training, rewards, health, safety and security, equal opportunities, retirement, redundancy, discrimination and harassment, diversity awareness, mentor programmes and work–life balance.
Directors

The requirements for directors include maintaining a high standard of integrity in the conduct of their personal, business and professional affairs; not accepting any payment, gratuity or other asset, for assisting in obtaining business or securing special concessions from the corporation; not profiting from the acquisition or disposition of corporate property; and not making improper use of corporate assets for personal benefit. Their personal interest and their duty to the company should not be put into conflict; therefore directors will promptly report all actual, potential or perceived conflicts of interest to the company secretary. Directors will comply with all laws affecting directors.
Customers

Typical ethical standards relating to customers will ensure that products and services provided by the company will be of high quality and delivered in a timely and equitable manner while protecting customers’ health and safety. When the quality of products and services provided by the company is not satisfactory to its customers, prompt remedial action needs to be taken. Customer satisfaction and good faith in all agreements, quality, fair pricing and after-sales service are given the highest priority. Information supplied to customers should not distort or deliberately misrepresent the facts.
Stockholders

Usually the board of directors is responsible for drawing up the code of ethics for the company and the general stockholders’ meeting for approving the code. The stockholders as owners of the company assets should therefore exert their responsibility by having ethical oversight and becoming guarantors of compliance in respect of ethical obligations of directors and managers. At the same time directors and managers must protect the investment of the owners and ensure a proper return on the capital.
Suppliers

Ethical obligations of the company require fair and honest dealings with suppliers, maintaining objectivity based on price, quality, service and reputation, among other factors. Employees dealing with suppliers should not accept or solicit any personal benefit from a supplier or potential supplier that might compromise their objectivity. Their obligations may also include prompt settlement of accounts and cooperation to achieve quality and efficiency. Care must be taken in the area of gifts given or received, to avoid any suggestion of bribery or excessive hospitality. Promoting the use of minority and women suppliers is encouraged.
Society and the community

It is now largely accepted that corporate ethical obligation to society and the community goes beyond merely refraining from doing harm. The latter is in any case mostly achieved by compliance with the laws and regulations that protect society. This includes compliance with the spirit of the law as well as the letter. The principle is that the company benefits from society and the community (for instance in being able to recruit staff that is educated by the state) and should therefore be giving something back besides wages and taxes. Giving back takes two main forms: distributing or investing money or company resources based partially on philanthropic giving rather than return on investment considerations, and corporate voluntarism or community volunteer work by employees. Whilst corporate giving may seem to be in conflict with shareholder interests, there is evidence that today’s stockholders are increasingly interested in the ethical conduct of their investments and not only in the return on their investments. This theme is further developed when discussing CSR below.
Ethical testing

Simple ethical tests for a business decision have been set out by some companies as an aid to employees in guiding the decision-making process. Some of the guidelines include factors such as:

• Transparency: Do I mind others knowing what I have decided?
• Effect: Who does my decision affect or hurt?
• Fairness: Would my decision be considered fair by those affected?

A more intensive set of questions has been set out by Texas Instruments, a company acknowledged to be a leader in the area of developing a comprehensive ethics policy. This is reproduced in Table 9.2. This information is provided to Texas Instruments employees on a business-card size mini-pamphlet to carry with them. This simple approach to helping employees to resolve ethical dilemmas may be more important than trying to cover all possible ethical concerns by means of a detailed code of ethics.
Table 9.2 Texas Instruments Quick Ethics Test4

Is the action legal?
Does it comply with our values?
If you do it, will you feel bad?
How will it look in the newspaper?
If you know it’s wrong, don’t do it!
If you’re not sure, ask.
Another possible approach to testing an ethical policy to determine whether it is comprehensive is to benchmark it against documents such as the Universal Declaration of Human Rights, adopted in 1948 by the General Assembly of the United Nations.5
Conclusion

The areas of concern described above, which may be covered by an ethical policy and/or code of ethics, are not meant to be all-inclusive but rather indicative of what many ethical companies may include in such a policy. Particular business situations may dictate other concerns that need to be addressed. Professional ethics, dealt with in Chapter 3, provide guidance to employees who are members of professional bodies in the areas of competency as well as working in the public interest. It may be questioned whether the areas studied in this brief summary of corporate ethical policy are relevant as a strategy to prevent corporate accidents. It needs to be borne in mind that the general atmosphere engendered by promoting the values of integrity, honesty, openness and adherence to the truth acts to make a corporate accident less likely. This theme is followed up in the section on case studies at the end of the chapter.
Corporate citizenship

The concept of corporate citizenship represents the structure that needs to be in place for the ethical policy to be implemented in terms of CSR output. Corporate citizenship is explored here in terms of the development of a number of corporate structures which have historically led to the concept. The corporate structures described below define how ethical behaviour can be legitimately pursued and encouraged by directors and senior managers. Clearly, if the corporate structure is geared only to increase profits and stock value, then this will constrain those in control of the company from acting in any other ways which might conflict with this aim. This is particularly the case when those actions may involve ethical behaviour over and above the minimum that is required by the law. However, if the corporate structure actually specifies aims and objectives other than the profit motive, including ethical concerns, then constraints upon management in this respect will be removed.

The Brent Spar case study mentioned in Chapter 3, and described in detail in Appendix 2, Case Study 2.6, demonstrates how unsatisfactory it is that companies should be driven to take action by consumer, public or community pressure when things go wrong. In spite of the fact that the Brent Spar incident did not result in loss of life, injury or damage to the environment, it was nevertheless a corporate accident in terms of the definition set out in Chapter 1. Companies should always be in a position to pre-empt such situations rather than reacting to events which have moved beyond their control. It is a fundamental responsibility of management that action should be taken before the unacceptable consequences of unethical behaviour develop and the company’s hand is forced to act retrospectively to correct a flawed
corporate decision. If the corporate model is such as to force the company to think through its behaviour, damage to reputation due to adverse publicity along with financial detriment will be avoided.

Three corporate models are described below: the neo-classical model, the stakeholder model and the corporate citizen model. The concept of corporate citizenship is then further explored prior to describing CSR in terms of its defensive value with respect to corporate accidents.
Corporate structure models

The neo-classical model

Origins

The neo-classical economic model, already discussed in Chapter 2, derives from the ideas of Adam Smith and others and today is represented by the work of economists such as Milton Friedman,6 who subscribe to what is known as monetarist theory. Monetarism is the economic ideology underpinning the economic policies of the Thatcher and Reagan governments in the UK and USA, respectively, in the 1980s. With some modification, it is still the predominant feature of government economic policy today in these and many other countries. Neo-classical or monetarist economics emphasizes the importance of establishing equilibrium in maximizing utility. Equilibrium, it is claimed, can only be achieved through government nonintervention in the market, the only economic role of government being to control inflation through monetary policy. The theory embraces the idea of Smith’s ‘invisible hand’ of the market, which alone can achieve equilibrium in, for example, maintaining full employment. Left to its own devices, the market will ensure that as unemployment increases so wages will fall; companies will then hire additional labour to increase output and profits, causing employment to rise again, thus restoring equilibrium.

In this model, individuals, mainly workers and consumers, maximize utility through making rational choices and companies are able to maximize profits. Essentially companies are seen as entities whose chief aim and purpose is to make profits for the stockholders and maximize the stock value, that is, the value of the stockholders’ investment. Any other aims which the company might espouse not only will be secondary, but must not detract from this primary purpose of maximizing shareholder benefits. At the same time, however, the utilitarian principle will ensure that society as a whole will reap the maximum benefit. The neo-classical corporate model is simply illustrated in Figure 9.2.
[Figure 9.2 The neo-classical corporate model. Diagram labels: shareholders, stock value, profits as dividends, corporation, directors, policy, control, government regulation (limited intervention).]

Cost externalization

The neo-classical model, or one closely resembling it, is upheld by the laws under which companies today are compelled to operate. For example, just as a director or manager of a company would not be allowed to use company funds to buy himself a holiday home in the Caribbean, so company funds cannot be used for charitable, social or other purposes which do not have the effect of maximizing profits or increasing stockholder value, directly or indirectly. Any director or manager who uses company resources in any other way than to advance the financial interests of the company would be acting illegally. Some would take this further and advance philosophical objections to CSR. Friedman in his writings viewed spending private money on public good as an aberration:

I have called it a ‘fundamentally subversive doctrine’ in a free society, and have said that in such a society, ‘there is one and only one social responsibility of business – to use its resources and engage in activities designed to increase its profits so long as it stays within the rules of the game, which is to say, engages in open and free competition without deception or fraud.’6

At the same time, companies do have specific responsibilities under the law which are not associated with profit maximization, such as protection of the environment and minimizing the detriment to the health, safety and welfare of the workforce and others affected by their operations. These costs are required to be internalized, that is, borne by the company. These laws effectively restrict the ways in which companies are allowed to externalize their costs through environmental pollution or dangerous operations. Many of these legal restrictions have been set on a scientific basis or have historical origins in previous corporate accidents which led to them becoming enshrined in law.
Asbestos: an example of cost externalization
The case of asbestos is a good example of such a restriction. Asbestos is a naturally occurring substance which, because of its strength, insulating and fire-resisting properties, has been in widespread use for over a century and has certainly saved countless lives in a variety of ways. Mining of asbestos commenced during the late 1870s, and disability and death due to exposure to the substance were reported as early as 1898 in Britain, 1906 in France and 1908 in Italy. Eventually, the incurable and debilitating disease called asbestosis came to be recognized as an industrial illness caused by the accumulation of asbestos fibres lodging in the lungs of people exposed to the dust. The disease results in severe irritation and inflammation of the respiratory system and can also lead to a severe and lethal form of lung cancer called mesothelioma. These diseases have affected not only production workers in the asbestos industry, but also people exposed to even small concentrations of asbestos while working in places such as shipyards, refineries, railways, energy and the construction industry, including demolition or renovation of older buildings. The asbestos industry was fully aware of the dangers of asbestos long before the advent of legal restrictions on its use and handling. It is estimated that millions of workers were affected by asbestos prior to regulations being introduced in most countries. Over the past four decades, some quarter of a million asbestos claims have been filed in the USA alone, with an estimated potential cost to industry and its insurers of $70 billion. It is perhaps one of the best examples of how externalization of costs (in this case on to workers and users) to maximize profit levels is rarely a sustainable option in the long run. The first Asbestos Regulations were introduced in the UK in 1931 and have since been followed by ever more stringent control measures, culminating in the UK in the current Control of Asbestos Regulations 2006. The health problems of exposure to asbestos have not been resolved; the World Health Organization (WHO) reports that currently about 125 million people are exposed to asbestos in the workplace and that globally 90,000 people die from asbestos-related diseases every year.
Asbestos causes about half of all deaths from occupational cancers. There are many thousands of other deaths related to non-occupational exposure to asbestos. Asbestos-related deaths are still rising, even in countries that have banned its use, as a result of the long latency period of the diseases. As with asbestos, many of the limitations placed upon cost externalization by companies are now to be found in the detailed laws and regulations relating to health, safety and environment. However, limitations on companies are not always enforced by legislation, but are sometimes found in more general duties of care placed upon directors and managers. Beyond legal duties and responsibilities many companies today have adopted voluntary ethical codes of behaviour coming under the general heading of corporate social responsibility. Modern developments in corporate structure have tried to encapsulate these wider ethical responsibilities of companies which are not overtly associated with the profit motive. However, it has to be admitted that these apparently more ethical corporate models are not underpinned by the same legal and financial imperatives as the neo-classical model. It is largely left to the corporation to determine the type of corporate model and structures under which it will operate.
The stakeholder model
The stakeholder model broadens the perspective of the corporation to take account of the interests of groups other than the stockholders. Not only does each stakeholder group have a vested interest in how the corporation performs, but in a number of cases the viability of the company may depend upon the existence and consent of the group.
Figure 9.3 The stakeholder corporate model. HS&E: health, safety and environment. (Diagram labels: Local community, HS&E impact, Government regulation, Intervention, Shareholders, Stock value, Profits as dividends, Customers, Goods and services, Corporation, Employees, Work, time and skill, Directors, Policy, Control, Suppliers, Parts and raw materials.)
The stakeholder groups shown in Figure 9.3 include all of the human actors described in Chapter 3, plus the local community affected by the company’s operations, particularly regarding health, safety and the environment. The links between stakeholder groups and the corporation are shown in the form of the main inputs and outputs which exist. It should be noted that government regulation and intervention is still shown, but may now be more actively involved than in the case of the neo-classical model. The difference between this model and the neo-classical model is that the company structure takes into account the interests of all the stakeholders when formulating and expressing its corporate aims and objectives. Effectively, these interests are written into the company’s constitution at the highest level of company policy, and senior managers and directors are not merely allowed to take them into account in their decision making, but in fact are under an obligation to do so. It is, however, necessary to go much further than merely writing these corporate obligations into company policy. Part II of this book has shown how strategies to prevent corporate accidents need to be built into the company’s structure at every level. At the highest level, ethical concerns must become an integral part of the company’s culture as described in Chapter 4. The ethical policies deriving from the corporate culture not only should be written down as described above, but also need to be implemented by identifiable systems. In the case of ethical behaviour the implementation is further discussed below in terms of CSR. In this corporate model, it is usual for the obligations to be fulfilled by means of ‘contracts’ between the company and its stakeholders. This approach ensures that the commitment to ethical obligations is not expressed just in general terms (i.e. as ‘good’ intentions), but also set out in more detailed contractual terms stating how they will be achieved and how they will be measured for success. Of course, the use of contracts is quite normal to regulate relationships with suppliers and customers. No company or its supplier would expect to enter a mutual arrangement without some form of contract to protect the interests of each party. Similarly, the relationship between the company, as the supplier of goods, and its customers is also governed by contracts defined by various consumer protection laws relating both to quality and fitness for purpose of goods, health and safety of the end user, and financial recompense where goods fail to reach declared standards. In a similar way, contracts with employees regarding remuneration and working conditions are the norm. Whether by negotiation with individuals, collective bargaining with trade unions or in accordance with employment legislation, the relationship is required to be governed by a contract of employment. Contracts with the stockholders of the company, certainly regarding financial arrangements, are required and are governed by company law. Perhaps less common is the concept of a ‘contract’ with the local community, whereby the company participates in consultation with community representatives to deal with concerns and/or undesirable impacts on the safety and welfare of the community at large. The stakeholder model described here is the model adopted by many companies today and achieves its principal purpose of pre-empting problems and misunderstandings by ensuring that each group fully understands its rights and responsibilities, thereby ensuring consistent and long-term benefits to each party.
It is part of the role of directors and senior managers of the company when drawing up and agreeing contracts with the various stakeholders to ensure the correct balance between the interests of the various groups, one with another, and between the groups and the company itself. However, the duties of the company to its stakeholders must always be tempered by financial reality and in the real world, as opposed to the ideal, the duty to the company’s stockholders will tend to take priority. In this respect there will always be a counterbalancing tendency for the company to revert to the neo-classical model in order to ensure its continued competitiveness and ultimately its existence. The stakeholder model provides a much firmer foundation than the neo-classical model for a company to behave ethically, since the very process of entering into consultation and contractual agreements makes it necessary to practise openness in its decision making. However, a company’s ethical policy may not always be made explicit and the stakeholder model is somewhat parochial in its scope. This is particularly the case in a world where very large companies wield enormous power on a global scale. This points to the need for a model which encompasses a broader and more explicit view of ethical responsibilities. This has been termed the corporate citizen model and is described below.
The corporate citizen model
The corporate citizen model is essentially the stakeholder model set within a broader global context relevant to the modern era of large corporations whose activities not only affect the immediate stakeholders, including the local community, but have wider implications. Figure 9.4 illustrates how the stakeholder model is set within a wider social, cultural and global context to form the corporate citizen model. The stakeholder model set within this context remains relatively unchanged.
Figure 9.4 The corporate citizen model. HS&E: health, safety and environment. (Diagram labels: Social/global context, Corporate citizen, Local community, HS&E impact, Government regulation, Intervention, Stockholders, Stock value, Profits as dividends, Customers, Goods and services, Corporation, Employees, Work, time and skill, Directors, Policy, Control, Suppliers, Parts and raw materials.)
The corporate body as citizen
In order to understand the concept of the corporate body as surrogate ‘citizen’ it is necessary to make an analogy with citizenship as applied to human individuals. The individual as citizen agrees to form a compact with society which, among other obligations, accepts that there are common ethical concerns which affect both the individual and fellow citizens. This largely unwritten and informal compact with society involves a desire to find collective solutions to common problems, realizing that this may sometimes involve giving up a degree of self-autonomy and freedom in the interests of achieving a greater ethical good beyond what is required by the law. Citizenship is effectively a defence against the isolation and inherent selfishness of the individual and the possibility of unethical action. However, the loss of self-autonomy and the short-term gain that is sacrificed are compensated for by the long-term benefits to the individual and society which come with participation and cooperation. ‘Your concern is my concern’ is the essence of citizenship and the basis of public democracy. This provides the foundation for the long-term security of the individual, bringing an expectation of predictability which enables them to plan for the future with greater confidence.
The corporate body considered as ‘citizen’ is likewise required to take on certain obligations to wider society which are not necessarily dictated by law but equate to ethical behaviour as defined earlier. It also may involve the surrender of some self-autonomy and indeed power in the interests of the greater whole. The greater whole is taken here to be the company, together with the social and global milieu in which it operates. The stakeholder model is, however, still essential to give confidence that the company is taking into account the interests of those immediately affected by its operations. Through consultation and cooperation with the stakeholders, the company, like the individual, is operating within a form of democracy, but one that is largely governed by the private contracts which exist between stakeholder and company. This is similar to the public compact between the citizen and society, but is perhaps more formalized out of the necessity to build structures and systems which define how managers will operate and make decisions that strike the correct balance between profit and ethical behaviour. Business needs to see itself as part of the public culture, rather than seeing the public culture as something external to the company.7
Public and private democracy
It is useful to contrast the concepts of public democracy and private democracy8 to understand better how the corporate body can act in an analogous fashion to the private citizen who has surrendered certain limited aspects of autonomy to bring about the greater good. The (democratic) nation state can be defined as a public democracy which takes account of the wide but differing interests of its citizens. Success is achieved by striking a balance between the voluntary limitation of individual power and the pursuit of individual needs and aspirations. In contrast, the corporate body in the form of the second model, the stakeholder model, may be defined as a private democracy where the roles of the citizens or stakeholders are defined by the formal contracts which bind them to the company. Any individual powers which they possess are limited by the scope of these contracts. The company has no obligations to the stakeholders beyond these contracts, except for obeying the law. The interests of consumers, for instance, will only be taken into account as far as their contractual rights are defined by consumer protection and health and safety law, and as far as their loyalty and their demand for the company’s products are maintained. They are unlikely to be consulted on wider issues such as, for instance, how the company produces its products, as opposed to what the company produces. Similarly, the interests of the stockholders will be mainly restricted to the level of profits paid out as dividends and the value of the company’s stock, since that is the nature of their contract. Ethical concerns may be of interest to some stockholders, but this is unlikely to be spelled out except perhaps retrospectively in ‘feel-good’ terms in annual company statements. The corporate citizen model, however, begins to depart from the rather rigid confines of the private democracy and corresponds much more closely to the public democracy of the nation state.
A public democracy is much more flexible in allowing its citizens to participate in all matters which will affect them, and provides the structures and opportunity to resolve a wide range of issues. This in turn leads to a well-ordered, peaceful and efficient society. As an example, recent developments in democracy such as the Freedom of Information Act have enhanced the power of the citizen and enforced greater openness by government. The principal differences between a private and public democracy with regard to the way companies operate are summarized in Table 9.3.
Table 9.3 Private and public democratic corporate models8
| Private Democracy (Neo-classical and stakeholder models) | Public Democracy (Corporate citizen model) |
| --- | --- |
| Actions of the company dictated by the interests of the few who may have a say in what happens | Actions of the company dictated by the interests of many, who will often have a say in what happens |
| Voluntary ethical behaviour only so long as it is in the interests of the company, e.g. local charity work must be accompanied by publicity to make it worthwhile | Corporate citizens see ethical behaviour as a necessity for which a ‘business case’ can be made |
| Stakeholders’ interests secured only through formal contractual agreements (some stakeholders may be excluded from these contracts in the neo-classical model) | Stakeholder interests may include ethical concerns not necessarily defined by contractual agreements |
| Limited consideration or consultation on any issues which do not immediately affect stakeholders (mainly stockholders for neo-classical model) | Wider consideration and consultation on broader social and global issues extending beyond narrow stakeholder interests |
| Exclusion of ‘strangers’ (non-stakeholders) from the decision-making process, which is largely secretive | Greater openness and transparency with fewer decisions made behind closed doors and more involvement of ‘strangers’ |
| Information transmitted on a ‘need to know’ basis through ‘internal’ channels only; information showing the company in a bad light is always suppressed | Information is made available to all (except where trade secrets or competitiveness may be at risk) via public documents and the internet, including mistakes |
| Corporate ethical behaviour on an ‘as and when’ basis mainly beneficial to the stockholders plus some other stakeholders | Corporate ethical behaviour controlled by formal systems designed to benefit both company and society |
The general principle underlying corporate citizenship is that when the corporate body strives to become ‘citizen’ it takes on board many of the moral sensibilities and ethical concerns that are taken for granted in the case of the individual citizen. The result is that the company adopts an ethical stance which leads it away from the narrow short-termism and preoccupation with immediate profit of the neo-classical model. At the same time, because the stakeholder model is still operating, but now within the larger social and global milieu, the important but narrower interests of the stockholders will still remain crucial to the company’s success. However, the company is now operating more like a public democracy which involves a consideration of societal and global issues, leading to a longer term view encapsulating the wider interests of not only the stakeholders but also society as a whole. This invariably means not just that the company has agreed to sacrifice a degree of self-autonomy and power in the interests of the greater good, but that as a result it must now become more open about how it operates its business. This openness means, for instance, that health and safety issues arising from the company’s operations are no longer discussed behind closed doors, but potentially become public property. The company becomes proud of its ethical policies and practices because they are effective in preventing corporate accidents. Not only does the company now have nothing to hide, but it will be keen to publicize its efforts in a legitimate bid to improve its image, competitiveness and financial success. The chances of CSR being merely a cynical device to attract good publicity have receded. For the corporation this is a win–win situation that reinforces the general principle that ‘good’ companies do well.
Examples of corporate citizenship
Johnson and Johnson
The corporate citizen model is not particularly novel, but its precepts are the exception rather than the rule in many companies. The pharmaceutical company Johnson and Johnson more than sixty years ago adopted a simple credo which described the company’s responsibilities to its customers, employees, local communities and stockholders. In 1935, the founder of the company, Robert Wood Johnson, adopted what he termed ‘a new industrial philosophy’. This set out the corporation’s responsibility to customers, employees, the community and stockholders, and was innovative for the era in placing the interests of the customers ahead of the stockholders. Today, Johnson and Johnson is a global corporation with operations across Africa, Asia/Pacific region, Eastern Europe, Europe, Latin America, the Middle East and North America. It is one of the world’s most successful companies operating in the medicare field, a business where ethics is of considerable importance. The original credo of the company has been updated over the years and the current version is available on the internet.9 Johnson and Johnson is a long-established corporate citizen. In the credo there is a requirement for managers not only to be competent, but also to be just and ethical in the way they manage. The company refers to the credo not as a mission statement, since it does not refer to the company’s purpose, but as a value statement which sets out the ways in which the company intends to act. This credo approximates very closely to the citizenship model described above. However, even Johnson and Johnson has not been immune from corporate accidents. The Tylenol incident in the 1980s and the response by Johnson and Johnson is a classic case study of corporate responsibility in action.
In 1982 the analgesic drug was tampered with by unknown individuals who inserted cyanide poison into the capsule form of the product, resulting in the deaths of seven people. Even today, twenty-five years on from the event, rather than leave it in the past the company provides an excellent example of corporate openness and transparency by providing an account of the tragic incident on its website.10 Appendix 2, Case Study A2.7, describes the incident and how the product was later reissued in tamper-evident packaging. The company eventually recovered not only its reputation but most of its share of the analgesic market.
Table 9.4 Corporate citizenship statements
| Company | Statement | Reference |
| --- | --- | --- |
| ExxonMobil | Our long-term business success is tied to meeting growing energy demands in an economically, environmentally, and socially responsible manner. Consistent with our belief that the way results are achieved is as important as the results themselves, our corporate-wide management systems are designed to ensure that citizenship is integrated into our business practices. While our management systems govern our approach to corporate citizenship, we identify our most important citizenship issues in the context of our business standards and objectives, discussions with experts outside our company, and evaluation of emerging external trends. | http://exxonmobil.com/Corporate/Citizenship/CCR5/citizenship_perspective.asp |
| Pfizer | Citizenship defines our role in local and global communities and how we strive to conduct business responsibly in a changing world. Being a good corporate citizen includes listening to, understanding, and responding to our stakeholders about their needs regarding Pfizer’s policies and operations. Stakeholders are people or groups who affect, or are affected by, Pfizer’s business activities. Our relationship with them is at the heart of our citizenship because they define what it means for Pfizer to create value. They are the ones who will determine when Pfizer fulfills its mission to become the world’s most valued company to stakeholders. | http://www.pfizer.com/pfizer/subsites/corporate_citizenship/what_is_cc.jsp |
| Microsoft | As a successful global corporation, we have a responsibility to use our resources and influence to make a positive impact on the world and its people. At Microsoft, our passion to do well is matched by our desire to do good. We believe the best way to achieve those parallel goals is to align our business and global citizenship strategies. To achieve that goal, we consulted with our employees, and with people in government and industry from many parts of the world, because we wanted to create a citizenship framework that would both reflect and enhance the other aspects of our business. | http://www.microsoft.com/about/corporatecitizenship/citizenship/default.mspx |
| Hewlett Packard | HP is committed to being a leader in global citizenship. We are proud of our efforts as global stewards, helping to reduce environmental impacts, raise standards in HP’s global supply chain and increase access to information technology worldwide. We conduct our business with uncompromising integrity and strive to live up to every one of our commitments to our customers, partners, employees and shareholders. Furthermore, we believe that global citizenship is good business. We embrace our responsibility to society by being an economic, intellectual and social asset to each country and community in which we operate. | http://www.hp.com/hpinfo/globalcitizenship/ |
Corporate citizenship statements
Table 9.4 provides a selection of corporate citizenship statements for a number of major companies as an example of the various ways in which the concept is expressed. The main requirement for any company, if it is to avoid corporate accidents, is to have in place a corporate model which exhibits the qualities of citizenship and public democracy described in Table 9.3. This structured approach to corporate ethical policy must then be transmitted via the corporate culture into the everyday running of the company. It is manifested in socially responsible behaviour as discussed in the next section.
Corporate social responsibility
Definition
As the size, power and reach of companies have expanded over the past few decades, especially as a consequence of globalization, so has the capacity of companies to affect the societies and communities where they operate either for better or for worse. The pragmatic definition of CSR adopted here is the way companies ‘give something back’ to society besides wages and taxes, as already mentioned briefly above, under the heading of ‘Society and the community’. Until recently this has tended to be interpreted as philanthropy, donating money to good causes at the end of the financial year. Now it is seen more as ‘an all year round responsibility that companies accept for the environment around them, for the best working practices, for their engagement in their local communities and for their recognition that brand names depend not only on quality, price and uniqueness but on how, cumulatively, they interact with companies’ workforce, community and environment’.11 The Institute of Business Ethics defines CSR as ‘the voluntary actions taken by a company to address the ethical, social and environmental impacts of its business operations and the concerns of its principal stakeholders’.12 How social responsibility is discharged under this broader definition depends to a large degree on the type of business activities in which the company is engaged and the potential for these to affect people other than its principal stakeholders. To determine whether a company is acting in a socially responsible way it is necessary to separate out how much of a company’s behaviour corresponds simply to compliance with legal requirements and how much is in reality socially responsible. Social responsibility, as with ethics, is mainly discretionary, comprising principles which a company chooses to follow over and above what is mandatory as dictated by the law.
Compliance with the law as a way to defend against corporate accidents has already been discussed in earlier chapters. Sometimes ‘compliance with the law’ is found included in company CSR statements; this is hardly a discretionary activity. This chapter is attempting to identify activities that correspond to socially responsible behaviour which could reduce a company’s susceptibility to corporate accidents.
The case for corporate social responsibility
Attempting to make a business case for CSR may seem to be contradictory. It can be argued that ethical behaviour is something which is worthwhile to do for its own sake and should not need further justification. Many companies may claim that undertaking CSR activities is an end in itself, not another means to make money. However, the primary responsibility of a company remains to its stockholders. If CSR has financial as well as social and ethical benefits, then CSR may become not just a moral responsibility but an economic necessity that assists a business to stay in existence and compete effectively. There are numerous areas where CSR has been shown to be beneficial to business; two of these are discussed below.
Reputation
A MORI poll on ‘Corporate brand and corporate responsibility’2 showed that ‘four-fifths of the public believe that large companies have a moral responsibility to society . . . but the majority of the public also believe that large companies ‘‘don’t really care’’ about the long-term environmental and social impact of their actions’. It was also found that ‘other than the traditionally-despised politicians and journalists, business leaders are the professional group least trusted to tell the truth’. Much of this public disillusionment came about in the wake of the Enron and other major public financial scandals which are somewhat outside the definition of a corporate accident used in this book. However, there is no doubt that cases where corporate responsibility for major accidents was perceived to be evaded have added to this sense of public disillusionment. One of the main cases for CSR therefore stems from the necessity to maintain corporate reputation not just in the eyes of stakeholders in general, but particularly amongst customers and potential customers. In the past ‘branding’ was a role of the marketing department and tended to be disassociated from ‘reputation’, which was a role of the public relations department. This is no longer the case and marketing now must embrace the area of ethics and corporate responsibility. If companies fail to take an interest in the issues that are important to the public then there will be increasing levels of dissonance between the two and the company’s financial performance will suffer as a result. If part of what customers want is companies that are socially responsible then satisfying this demand is as important as satisfying their desires for well-priced, reliable products and services. It has become increasingly obvious that there is a strong reputational case for companies not just to claim CSR, but to be seen to put it into practice.
The phrase ‘to be seen’ is important since, in the era of the internet and global visibility in which companies now operate, there is no hiding place for organizations that do not exhibit social responsibility as part of normal business practice. News travels so quickly that even one disgruntled customer can make their feelings known to the world at the press of a button, making it very difficult for companies to respond. It is clearly better to stay on the right side of the ethical divide in the first place.
Investment
There is nothing new about ethical investment. It was in the nineteenth century that religious organizations first began to be selective about their investments, particularly regarding companies who offered poor working conditions or employed child labour. In the 1970s the Pax World Fund was started in response to the Vietnam War, thus inaugurating the first publicly available mutual fund to use social and moral criteria to determine its investment decisions. The fund is now called the Pax World Balanced Fund.13 Social screening has been employed on a wide scale since the 1980s and up to the present day, with a trend away from ‘avoidance investing’ to a more proactive approach, favouring socially responsible companies. In the UK, a major incentive for companies to examine their ethical behaviour came about when a law14 was passed in 2000 requiring pension funds to disclose their policies on social, environmental and ethical issues. This law requires all pension funds to declare the extent to which socially responsible investment (SRI) principles influence their investment strategy. Progress in CSR has been advanced by growing evidence of a link between a company’s ethical policy, corporate citizenship, social responsibility and good financial performance. The UK Institute of Business Ethics carried out research15 on the financial performance of companies in the FTSE 350 for the years 1997–2001, comparing companies who had ethical codes with those who did not. On the basis of a number of chosen measures of performance, it was found that ethical companies added more economic value than those without ethical codes and it was judged that investment in ethical companies was probably more secure.
In the USA, Professor Curtis Verschoor, of DePaul’s School of Accountancy in Chicago, found in a study16 of 500 top US companies that an expressed commitment to an ethical code was reflected in a three times greater average ‘market value added’ compared with those having no such commitment. On reflection, better financial performance from ethical companies is not so surprising since it indicates that companies who take these matters seriously are likely to be better managed than those that do not. For instance, companies that are committed to sustainable futures are of necessity going to be more economical with their consumption of energy, water and raw materials, whereas companies who attempt to externalize costs are likely to be less frugal with resources. Managing frugality into corporate activities at the start is likely to be much more economical than fixing the problems later, after they have been exposed to the public gaze, with loss of reputation and sales. Socially responsible investment has now itself become big business and demand for SRI portfolios continues to increase year on year, amounting, it is estimated, to about 8 per cent of all professionally managed investment in the USA. Bearing all this in mind, it will soon become a necessity for companies to be able to demonstrate their commitment to CSR if they wish to attract the investment needed to continue in business. Corporate social responsibility will become the hallmark of a successful company rather than, as some would still maintain, a drain on profitability. Furthermore, the shares of companies exhibiting CSR will be more highly sought after by more stockholders, thus increasing the stock price to the benefit of stockholders.
Control of risk
To the author’s knowledge, there have been no formal studies which have made a specific link between a company’s commitment to CSR and its record on controlling health and safety risks. However, many companies include health and safety aspects when reporting their CSR activities in, for instance, an annual report. The main benefit of CSR in promoting health and safety issues seems to arise from the greater degree of transparency that CSR invokes in reporting corporate matters that might hitherto have been regarded as confidential. Of interest here are any aspects of health and safety that lie beyond the scope of legal and regulatory control, but fall within the voluntary ethical domain. Since companies seem to define and understand CSR in a variety of different ways, it is useful to impose a more formal structure on CSR activities to identify where health and safety issues are included (when they are included). Aspects of CSR activities which are reported by companies fall into the following categories:
• Internal aspects, including topics such as human resources (ethical commitments to and by the workforce), occupational health and safety, organizational learning, etc.
• External aspects:
  – local, including local corporate citizenship initiatives, local partnerships, local authorities and non-governmental organizations (NGOs), i.e. usually organizations concerned with relief-oriented or development-oriented projects, such as Red Cross and Greenpeace, furthering the political or social goals of their members or fund raisers
  – global, including human rights, environment, supplies and raw materials, working conditions in overseas factories, use of child labour, etc.
This structure is based on a research report by the European Agency for Health and Safety at Work, Corporate Social Responsibility and Health and Safety at Work.17 Many company CSR reports concentrate on external aspects of CSR activities, in the global context, such as overseas working conditions in factories owned or operated by the company or by the company’s suppliers, and in the local context by involvement of employees in community work or local charities. This emphasis has tended to be at the expense of the internal aspects of CSR, which include the health and safety of workers or the public affected by their operations and issues of occupational health. The latter is of especial importance since, in the UK, out of a total 42 million working days lost through work-related injury and ill-health, 33 million are due to ill-health while only 9 million are due to injury. Since occupational ill-health is less amenable to preventive regulation it is more likely to be acknowledged and therefore more satisfactorily addressed in the voluntary context of CSR. An estimated 13 million of the lost working days due to illness, for instance, result from stress, including stress at work, which is at least partially within the control of the employer. Stress at work does not currently fall under the scope of regulation, although it is recognized and guidance is provided to
employers. There is no doubt that stress can be a major factor in precipitating corporate accidents, particularly where managers are overworked to the extent that their decision making becomes flawed. The European Agency for Health and Safety at Work17 has suggested a number of ways in which a commitment to CSR can lead to improvements in health and safety. These are summarized in Table 9.5.
Table 9.5 Initiatives for improving health and safety performance within corporate social responsibility (CSR)17
Initiative | Description
Build on existing activities | Positively evaluate and include in CSR declarations health and safety achievements over and above those required by government regulation
Make use of available experiences | Learn from other companies and professional networks (e.g. from the world wide web) how health and safety is included in CSR activities. Test these initiatives for initial motivation (i.e. compliance or voluntary)
Define strategic aims | Use CSR activities to position strategically health and safety in the company formulating long-term goals, progress towards which can be reported on exhibiting transparency. Relate these to other social and environmental goals
Identify and involve relevant stakeholders | Identify all the ‘stakeholders’ who have an interest in the health and safety impact of the company on society and make sure they become involved in dialogue. This may involve ‘strangers’ (see Table 9.3) such as NGOs, consumer groups, media and social partners. This is because today, businesses are confronted with new ‘counter-veiling powers’ from civil society
Balance people, planet and profit | This is about promoting well-being in society by understanding people’s perception of the risk posed by the company’s operations and then responding in a sympathetic but appropriate way which balances people, planet and profits
Balance the external and internal aspects of CSR | Good working conditions are generally safe working conditions and are of interest to prospective employees, local authorities and customers; be proud of and publicize these work-related aspects as well as society-related aspects such as work–life balance. Focus also on the activities of business partners along the supply chain
Show and develop leadership | Be socially responsible in a way that includes health and safety as part of the greater strategy, making this visible in such a way that employees are proud to work for the company
‘Walk the talk’ | Live up to the health and safety values advocated in the CSR strategy and ensure that the values become part of the corporate culture. Integrate health and safety into the ethical policy as an ethical statement
Develop ownership | Place the ownership of health and safety not with safety professionals but firmly with management
Capitalize on opportunities | Ensure that the benefits of health and safety are understood at director level, including financial, labour turnover, reputation and image
The importance of CSR to health and safety is becoming more widely disseminated and an interest has been taken in CSR activities by the regulatory authorities. In particular, the UK Health and Safety Executive (HSE)18 has seen the benefits of CSR in raising awareness and accountability for health and safety matters at director level. The objective is to encourage CEOs and directors to recognize the role that health and safety has to play in enhancing their business reputation. It is also to overcome the potential problem of company directors distancing themselves from these issues (see Chapter 2 about the lack of statutory responsibility of directors for health and safety), as well as to extend public reporting of health and safety performance by companies. The options being considered by the HSE are either to continue the present voluntary approach or to pursue further legislation to make mandatory the appointment of a board member with responsibility for health and safety.
United Nations Global Compact
The United Nations (UN) Global Compact (GC)19 is one of a number of national and international initiatives to promote and encourage CSR, particularly among multinational companies. It was launched in 2000 to bring companies together with UN agencies, labour and civil society to support universal environmental and social principles. The GC seeks to promote, through the power of collective action, responsible corporate citizenship so that business can be part of the solution to the challenges of globalization to realize a more sustainable and inclusive global economy. It stresses that the GC is not a regulatory instrument to enforce or even measure the behaviour of companies, but relies on ‘public accountability, transparency and the enlightened self-interest of companies, labour and civil society to initiate and share substantive action in pursuing the principles upon which the GC is based’.19 Claimed advantages include demonstrating leadership through responsible corporate citizenship, producing practical solutions to contemporary problems related to globalization, sustainable development and corporate responsibility in a multistakeholder context, managing risks by taking a proactive stance on critical issues, sharing good practices, improving corporate/brand management, employee morale and productivity, and operational efficiencies. Membership of the GC is dependent on communicating annually to all stakeholders progress in implementing the GC principles and submitting a link to or description of their communication on progress to the GC website.
Examples of corporate social responsibility reporting related to health and safety
Some examples of company CSR reporting (not necessarily GC related) are given in Table 9.6.
Table 9.6 Examples of corporate social responsibility relating to health and safety
Company | Extract from statement | Reference
Pilkington | The director of environment, health and safety heads a global environment, health and safety (EHS) strategy group comprising the senior regional EHS managers, the global environment systems director and the research and development environment adviser . . . It is Group policy that all incidents must be reported, not only those leading to accident and injury. An intranet-based accident and incident reporting system enables the majority of facilities worldwide to access these reports and quickly communicate lessons learnt. | http://www.pilkington.com/about+pilkington/social+responsibility/health+and+safety/default.htm
Johnson Matthey | Board responsibility for EHS rests with the chief executive. The group director for EHS reports to the chief executive . . . EHS performance is dependent upon leadership from the top, accountability at divisional level and the commitment of strong local line management . . . [this] minimizes the financial implications for the company thus helping to protect shareholder interests. | http://www.matthey.com/cr/csrreview/2006/CSRReport.pdf
GB Railfreight | Our definition of corporate responsibility is the action taken by the company that impacts on our customers, our people, our suppliers, the environment and the community . . . we maintain effective health and safety management systems, invest in our people for the long term to bring out the best in them and to become the employer of choice, manage our operations in such a way as to minimise the effects of our activities on the people and the communities we serve . . . we actively encourage and work hard to maintain a positive safety culture throughout the organization. | http://www.gbrailfreight.com/gb-railfreightcorporate-social-responsibility/p_112/
British Nuclear Fuels Ltd | Corporate social responsibility is simply good business practice. It embraces how we run the company and our commitment to health, safety, employees, human rights, the environment and effective community relations . . . Are our actions trusted by the public? Are we listening to the views of others? Are we managing our impact on society? Are we as open and honest as we can be? Are we willing to engage in dialogue on difficult issues? Are we turning our policies and principles into practice? Will our actions enhance or diminish the way we engage with all our stakeholders about our purpose and our principles. | http://www.bnfl.co.uk/UserFiles/File/32_1.pdf
Total Oil | The nature of our activities and our international reach require us to deal with a wide array of specific responsibilities and also arouse numerous expectations. Industrial safety, supporting local development, securing the future of energy, environmental stewardship and combating climate change are all critical challenges that Total is committed to meeting . . . Our corporate social responsibility is built on transparency, stakeholder dialogue, and integrity in the conduct of our business. | http://www.total.com/en/corporate-socialresponsibility/
Case studies
Two case studies from Appendix 2 are used to illustrate the principles described in this chapter. These are Case Study A2.7, the Tylenol incident, and Case Study A2.6, the Brent Spar oil storage facility. The case studies demonstrate, respectively, how CSR should and should not be practised.
1. The Tylenol incident In the Tylenol incident, the pharmaceutical company Johnson and Johnson was faced with the tragic reality that seven of their customers had been poisoned with a contaminated analgesic product. As the case study describes, many companies would tend to react to a situation such as this with a rapid issuance of a denial of responsibility. The thought which is uppermost in the minds of directors and managers at a time like this is often the impending financial damage through loss of sales and damage to reputation and erosion of the customer base. This approach almost always turns out to be counter-productive since the truth will eventually emerge and responsibility will have to be accepted. Delays in acceptance almost inevitably result in unnecessary damage to reputation and financial loss which would not have been incurred if responsibility had been admitted immediately. In this incident, Johnson and Johnson took immediate and full responsibility by issuing a mass recall of the Tylenol capsules. Their first responsibility was to their customers, comprising ‘doctors, nurses and patients, mothers and fathers and all others who use our products and services’, as set out in the company’s ethical credo.9 It subsequently turned out that Johnson and Johnson was not responsible for the introduction of the contaminant into the product and in fact the perpetrator was never caught. Although the company took a large financial loss on the recall its good reputation was maintained and its market share was quickly recovered. The response of Johnson and Johnson became a notable landmark in social responsibility and a triumph for corporate ethical practices in maintaining a company’s reputation.
2. The Brent Spar incident The Brent Spar incident (Appendix 2, Case Study A2.6) demonstrates a somewhat different principle, but nevertheless represents a failure in corporate citizenship and responsibility. The decision by Shell UK to dispose of the redundant Brent Spar floating oil storage facility in the deep waters of the north Atlantic brought about an unexpected and unprecedented corporate crisis which led to a huge financial loss of sales and serious damage to the company’s reputation. The decision for the deep-sea disposal option was made on economic grounds, supported by safety and ecological studies which had revealed that the option was acceptable and probably the least damaging to people if not to the environment. Onshore dismantling would have meant exposing the workforce to hazards which would not arise with offshore
disposal. The fact that the British government had approved the scheme and issued a licence confirmed to the company that it had chosen the correct course of action. Non-governmental organizations such as Greenpeace have been mentioned in this chapter as possible stakeholders with an interest in the activities of corporate enterprises, particularly when these are perceived to be in conflict with the public interest. There is a perception of NGOs as the protector of the public interest when governments can no longer be trusted, and the view that they exist to keep companies ‘on their toes’ is not without legitimacy. In addition, even though their activities may appear to be founded on anti-corporate sentiment, they nevertheless represent a point of view which is supported by a vocal if small section of society. This section is almost certain to include a significant proportion of a company’s customer base, which if they choose to boycott the company’s products can cause substantial damage to a company’s finances and reputation. This is exactly what happened in the case of the Brent Spar facility. Widespread media coverage of the Greenpeace vessel Altair shadowing the facility as it was towed north of the Shetland Islands, and the subsequent dramatic boarding by environmental activists, raised public awareness of the possibility of serious pollution of the ocean. While the degree of pollution which was likely to occur was wildly overestimated by the protestors, this was no longer relevant to the situation in which Shell UK now found itself. The perception of the risk, as discussed in Chapter 5, when subject to public exposure becomes more important than the actual risk as explained to the public by technical experts. Technical expertise is always perceived to be biased in favour of the company and no matter how objectively presented it will be almost impossible to overcome this belief.
Shell UK may well have considered that ‘truth’ was on their side, and this may even have been the case, but this had no effect in limiting the damage to the company once the protests and the consumer boycott were under way. This was perhaps the major mistake made by Shell UK in this sad but revealing incident. By the time the company had responded to what had become a disastrous situation it was too late to prevent the damage. The case study provides a lesson in the importance of listening to all stakeholders, assessing the perceived impact of the company’s operations on society and responding in a way which enhances rather than diminishes the company’s reputation.
References
1. McIntosh, M., Leipziger, D., Jones, K. and Coleman, G. (1998). Corporate Citizenship: Successful Strategies for Responsible Companies, London: Financial Times/Pitman.
2. MORI (2003). Corporate Brand and Corporate Responsibility, London: MORI, http://www.ipsos-mori.com/publications/sl/corporate-brand.pdf
3. Collins, J.C. and Porras, J.I. (2000). Built to Last. Successful Habits of Visionary Companies (original edn 1994), London: Random House, p. 73.
4. Texas Instruments. The TI Ethics Quick Test, Texas Instruments, http://www.ti.com/corp/docs/company/citizen/ethics/quicktest.shtml
5. United Nations (1948). Universal Declaration of Human Rights, General Assembly Resolution 217 A (III) of 10 December 1948, http://www.un.org/Overview/rights.html
6. Friedman, M. (1970). The Social Responsibility of Business is to Increase its Profits, New York Times Magazine (13 September), http://www-rohan.sdsu.edu/faculty/dunnweb/rprnts.friedman.html
7. Birch, D. (2001). Corporate citizenship – rethinking business beyond corporate social responsibility, In M. McIntosh (ed.) Perspectives on Corporate Citizenship, Sheffield: Greenleaf, pp. 53–65.
8. Brown, M.T. (2005). Corporate Integrity – Rethinking Organisational Ethics and Leadership, Cambridge: Cambridge University Press.
9. Credo of Johnson and Johnson, http://www.jnj.com/our_company/our_credo/index.htm
10. The Johnson and Johnson Tylenol incident, http://www.jnj.com/contact_us/info_for_students/index.htm;jsessionid=4KOIDLPPAOP4ECQPCCFWU2YKB2IIWTT1#question03
11. Corporate Social Responsibility, A Government Update, from a statement by Gordon Brown, Chancellor of the Exchequer, http://www.csr.gov.uk/pdf/dti_csr_final.pdf
12. Institute of Business Ethics, London, http://www.ibe.org.uk/
13. Pax World Funds, Portsmouth, http://www.paxworld.com/index.htm
14. SRI Pension Disclosure Regulations 2000, amendment regulation issued under Section 35 of the 1995 Pensions Act.
15. Webley, S. and Moore, E. (2003). Does Business Ethics Pay? Executive Summary, Institute of Business Ethics, http://www.ibe.org.uk/DBEPsumm.htm
16. Verschoor, C. (1999). Corporate Performance is Closely Linked to a Strong Ethical Commitment, Business and Society Review, 104 (4), 407–416.
17. European Agency for Health and Safety at Work (2004). Corporate Social Responsibility and Health and Safety at Work, http://osha.europa.eu/publications/reports/210/csr_report_en_en.pdf
18. Health and Safety Executive (2003). Corporate Responsibility and Accountability for Occupational Health and Safety: A Progress Report on HSC/E Initiatives and Measures, http://www.hse.gov.uk/aboutus/hsc/meetings/2003/141003/c105.pdf
19. United Nations Global Compact, http://www.unglobalcompact.org/
10
Conclusions
My Lords, a corporation is an abstraction. It has no mind of its own any more than it has a body of its own; its active and directing will must consequently be sought in the person of somebody who is really the directing mind and will of the corporation, the very ego and centre of the personality of the corporation. Viscount Haldane1
Summary The subject matter of this book has fallen naturally into two separate parts deciding the overall structure of the book. Part I dealt with the corporation, its origins, characteristics and legal accountability to protect health, safety and the environment. It also included a review of corporate manslaughter legislation in the UK and other countries followed by a critique of the various legal solutions which had been adopted to solve the difficulties of bringing successful prosecutions. Chapter 3, ‘Corporate ethics’, which concluded Part I, was key to an understanding of the strategies to prevent corporate accidents which comprised Part II. The reasons why these six strategies were selected were set out originally in Chapter 1. They tended to fall into either one of two categories. The more pragmatic strategies include understanding the risk (Chapter 5), safety regulation and compliance with this (Chapter 6) and safety management systems (Chapter 7). The remaining categories of safety culture (Chapter 4), the learning organization (Chapter 8) and corporate social responsibility (Chapter 9), were classified as more holistic in nature. This term is usually used in medicine to refer to treatment of the complete human person, physically, mentally and spiritually. It tends to see every aspect of life as equally valuable and closely interconnected. Here, in a similar way, the term holistic is applied to the corporate ‘body’ in that the strategies must be applied right across every aspect of corporate life if they are to be effective as a whole in reducing the
incidence of corporate accidents. When perfectly applied, it is possible to imagine all the parts of the corporate body working effectively towards a common ethical purpose. The main conclusions arising from each part of the book are summarized below. It is not intended to repeat the detailed conclusions already drawn in each chapter. The purpose here is to gather together some more general conclusions which reflect the overall contribution that the author hopes this book will make to accident prevention.
Part I: Companies at risk
Part I of the book attempts to answer some questions which are fundamental to the prevention of corporate accidents. These include questions such as ‘what is a company?’ and ‘what are its accountabilities under the law’? Part I showed how, during the long evolution of the corporation, the concept of corporate personhood was used to facilitate the interaction among the corporation, society, the state and other bodies. The legal status of the corporation may differ from country to country, but the concept of the corporate body as an artificial person is fairly widespread since the entity was derived from common historical origins. For instance, in many countries similar legal difficulties have arisen in applying the law to such an artificial person and some of these became apparent in Chapter 2. Some general conclusions are set out below.
What is a company? It would seem that the wider public is not always aware that companies have the legal status of an artificial person. Yet at the same time, people’s everyday language seems to indicate some vague notion of corporate personhood. This, as already mentioned, can be seen in the anthropomorphic language in which people refer to good companies and bad companies as determined by the way they behave. It seems that there is a largely unrealized ideal that corporate bodies should act as if they were ‘natural persons’ characterized by innate moral concerns about the welfare of others affected by their activities. At the same time there exists a fatalistic belief that companies will not behave like natural persons but will always act in their own interests, driven by the profit motive. There is a gap between the corporate behaviour that the public would like to see and the way some companies behave in practice. This has led to a low expectation of corporate ethical behaviour which seems to extend to most companies. There is no doubt that the expectation gulf has widened in recent decades. This is not to say that corporate behaviour has necessarily worsened; it is more likely to be due to the increased size and visibility of companies in terms of the greater publicity they can expect and the more obvious consequences that ensue when they behave improperly. Over the same period and probably driven by the same factors, the level of public expectation that companies should always act to the benefit of society has increased. At the same time, larger and more efficient companies have been able to make a greater contribution to the well-being of society in more ways than can be
enumerated here. However, as companies have become larger and more powerful their potential for harming society has increased in line with the benefits which they deliver. As already noted, globalization and the separation of ownership and control have contributed to this trend so that today companies are often seen to be monolithic and impervious to public opinion. Increased public expectation has also been driven more recently by a wider awareness of ethical, safety and environmental issues, due largely to information now available on the internet and the advent of 24/7 media reporting. As an example, falling prices of manufactured commodities imported from poorer overseas countries are now more likely to be seen as a sign of foreign worker exploitation than a result of corporate efficiency or beneficence as sometimes claimed by a company advertising a price reduction. This means that companies are finding it more difficult to hide behind social responsibility statements that cannot be substantiated in everyday practice. When a company gets it badly wrong today, the public becomes aware of it tomorrow. It no longer needs word of mouth to destroy a company’s reputation. A well-known manufacturer of confectionery, recently taken to court in the UK for allowing dangerous levels of salmonella in their product, had allegedly not reported the contamination to the Food Safety Agency until some time after they had discovered it. It was only after the contamination harmed a number of customers that it came to light. Following the revelations, it was alleged that some years previously the company had unilaterally trimmed their corporate standards on allowable contamination levels without reference to the regulator. The company was fined around £1 million, but the eventual cost to the company in loss of sales and reputation will far exceed this penalty.
There used to be a time when companies could flout public opinion and press on regardless with their main business of making money. But in today’s society, disgruntled consumers do not just air their views to the nearest neighbour over the garden fence, they are able to publish their opinions, justified or not, on the world wide web at the press of a button. The overall result is likely to be that when companies make ethical claims they must be able to substantiate and live up to them or risk the consequences. This trend has to be welcomed since corporate social responsibility has been identified in Part II of this book as an important strategy to prevent corporate accidents. These societal changes seem to emphasize the concept of corporate personhood in a new way. As if to indicate that corporate personhood is more than just a legal fiction, companies today are being forced to recognize that they are in fact citizens of society with appropriate responsibilities alongside the natural persons whom they claim to serve. The strategies to prevent corporate accidents in Part II of the book include the usual safety management imperatives of a good safety culture, compliance with regulations and a full understanding of the risks that are generated. In addition, however, the more holistic strategies such as organizational learning, corporate ethics, citizenship and social responsibility must be included in the armoury of corporate systems which have become necessary in the modern world if corporations are to take their rightful place in society. There is absolutely no reason why the gap between corporate behaviour and public expectation cannot be narrowed if companies choose to follow the route of citizenship.
Corporate legal accountability The main conclusion of Chapter 2, dealing with legal accountability, was that the law has failed to bring corporate bodies to account in a way which would deliver natural justice and satisfy the growing belief among the public that companies have broader social responsibilities than would be delivered by the profit motive alone. This was brought to light in the most obvious way when the most serious charges which can be brought, corporate manslaughter, failed on the two occasions in which they were tested in court against large companies in the UK. Following the failure of the trial of Great Western Trains on corporate manslaughter charges after the Southall rail accident in 1997, calls were immediately made for new and more effective legislation to be introduced. Nearly a decade after the Southall accident, the Corporate Manslaughter and Corporate Homicide Act finally completed its passage through the UK Parliament in July 2007 for enforcement from April 2008. However, early in the parliamentary consultation process, a decision was made by the UK government to limit the legislation solely to corporate bodies, excluding prosecution of any individual persons associated with the offence. Any future prosecutions of individuals would continue to be brought under common law as at the present time, in spite of the serious problems and uncertainties which have emerged from previous prosecutions. This immunity of individuals from prosecution under the new Act is not widely recognized outside legal and professional circles. There seems to be a general assumption that if a corporation were to be found guilty of such a serious offence then those senior officers responsible for the failures which caused that offence would also face liability along with the company. However, those prosecutions would have to proceed separately under existing common law. 
Because of the difficulty in identifying senior persons in a large company with the commission of illegal acts, the anomaly will remain that responsible individuals in these companies may continue to be protected. This seems to defy common sense and denies natural justice to those most affected by corporate accidents, especially where deaths are caused, in particular the injured and bereaved who will have a natural desire that the responsible individuals are brought to account in a court of law. It is intuitive to most people that while companies may be artificial persons under the law they cannot act without being instructed to do so by natural persons, and it is those natural persons who are strictly accountable when a corporate accident occurs. Apart from considerations of natural justice, any deterrent effect upon companies brought about by the possibility that individuals may be found guilty and sentenced will be lost if those individuals are immune from prosecution. This is further discussed below. The penalties which are allowed to be imposed upon companies are an important deterrent factor in motivating them to obey the law. However, the only penalty normally applicable to a company is a fine. This is also the case under the new UK corporate manslaughter legislation. Whether fines are a sufficient deterrent, particularly where some financial benefit is obtained by breaking the law, is questionable. There is an ever-present temptation for some companies to externalize their costs when under financial pressure to increase their profits. Substantial fines which are much greater than any possible benefits accrued from the behaviour may well have
some deterrent effect. This has happened in a number of prominent cases where very large fines have been imposed for serious contraventions of the Health and Safety at Work etc Act 1974 (HSW Act). When these cases are publicized there may also be a loss of corporate reputation which, depending on the nature of the company’s business, could have a negative effect on future financial performance. However, some countries outside the UK have managed to introduce more creative penalties into the list of possible corporate sanctions, including proportionate fines, equity fines, corporate probation, publicity orders and, at the extreme, corporate dissolution. The introduction of some of these penalties in the UK might have dispelled some of the concerns surrounding the Corporate Manslaughter and Corporate Homicide Act. The fact remains that even the most severe corporate penalties will be limited in their effectiveness since corporate behaviour can only be fundamentally changed when the attitudes of senior individuals within the company begin to change. There is an argument that individual officers of the company will only be motivated to take account of health, safety and environmental protection when those responsible for a corporate accident are affected personally. This may seem rather harsh, but it is argued that power must be accompanied by full accountability for the way in which it is wielded. The argument goes on to say that society should encourage this by whatever sanctions are possible so long as these are just in their application. But this is clearly not the ideal approach. In the end, if the results are to be long lasting, the changes must be more than merely influencing the attitude of individual managers.
It is also necessary to have a company safety culture appropriate to the level of risk since, as shown in Chapters 2 and 4, the life of the company extends beyond the life of its employees, directors and stockholders. But then, to be rather cynical, why should a company have an appropriate safety culture so long as it is making a profit? The key to implementing this and all the other strategies is found in the motivation to adopt them, which is addressed by Chapter 3, ‘Corporate ethics’. This chapter begins to move the whole subject away from corporate criminality towards the more positive themes espoused in Part II, ‘Strategies to prevent corporate accidents’.
Corporate ethics
Whilst arguments may rage to and fro about the deterrent effect of corporate penalties and sanctions, it is clearly better that companies avoid being brought to justice in the first place by ensuring that corporate accidents are avoided. Chapter 3 raises the important question of whether it is possible for the corporate entity to act ethically. Modern expectations of the way companies behave would seem to point to an affirmative answer to this question. Yet there are many barriers which may obstruct corporate ethical behaviour and these need to be identified so that they can be removed. The profit motive will continue to be the chief modus operandi of the corporation and quite rightly this has always been the case ever since the first companies were founded. Without the profit motive there would be no reason for the company to exist as it does in its present form. Most attempts to construct alternative economic models, such as the command economy, had failed spectacularly by the end of the 1980s.
The first potential barrier against ethical behaviour is that profitability and ethics are not perceived to go hand in hand. Ethics can be costly. Why should a company be ethical in the way it conducts its business so long as it stays within the remit of the law of the country in which it operates? Chapter 3 explores moral and ethical behaviour as experienced by individuals and tests whether the same motivations can be applied to the corporate entity in its role as a fictitious person. It reached the natural conclusion that the corporation has little motivation towards ethical behaviour unless this results in some benefit for the company. This is not so surprising since the law insists that any expenditure which the company makes must always advance the interests of the stockholders. Any other expenditure is strictly illegal under company law. Two major conclusions followed on from this. The first conclusion was that companies can only operate ethically when prompted to do so by the human corporate actors who determine their behaviour. The observation of Baron Thurlow referred to earlier has never been more pertinent than today: . . . ‘did you ever expect a corporation to have a conscience, when it has no soul to be damned and no body to be kicked?’ The main stakeholders who make up these human actors were classified into four groups, directors/managers, owners/stockholders, workforce and consumers/public. Doubts about even the possibility of corporate ethical behaviour begin to emerge when it is realized that the behaviour of the first two groups of actors (directors/managers, owners/stockholders) is by nature subservient to the interest of the profit motive, and the third group (workforce) is largely powerless to enforce ethical behaviour.
However, the power of the consumer and the public to change effectively the way corporations behave is greater than might be expected and a number of examples showed how companies need to take account of this if they wish to run a successful business. A possible solution to the powerlessness of the first three groups led to the second main conclusion: companies must build ethical practices into the corporate structure and ensure that these permeate into the very heart of the company culture. The general theme of developing ethical policies and structures was further developed in Part II, in particular in Chapter 9, under the heading of ‘Corporate social responsibility’. In Part II, each chapter was devoted to one of the six main strategies to prevent corporate accidents already identified in Chapter 1. General conclusions arising from these chapters are set out below.
Part II: Strategies to prevent corporate accidents
Ethics and illegality
The main theme of Part II of the book concerns the way in which corporate accidents can be prevented, and in this sense it is perhaps more positive and more pragmatic than Part I. Whilst Part I intentionally set out to ring alarm bells, Part II showed how to avoid the emergency in the first place. Part II starts from the simple premise that companies which do not break the law do not get prosecuted. However, if it were as simple as not breaking the law then the appointment of a company compliance officer would be the solution. Chapter 3 showed how behaviour that may be perceived as
unethical can very quickly stray across the rather fuzzy boundary into illegality. It is appreciated that a regulator may not always share this view; if an accident occurs then it is natural for the regulator to state categorically that the behaviour must always have been illegal, even if only to warn others away from the same danger. In reality, the regulatory authorities probably never detected the aberrational corporate behaviour until after the accident occurred, nor should they always be expected to do so. Examples of this are provided in the book, in particular, the Hatfield and Larkhill accidents, where regulatory bodies became aware of maintenance deficiencies but could not necessarily have been expected to recognize that an accident was imminent. Many other instances could be cited. These are not necessarily regulatory failures; they merely indicate the limitations of regulation as a defence against corporate accidents, and the book recognizes this; in fact, it is one of the main themes. The regulator will rightly argue that it is better to provide help and guidance than to interfere with the way companies operate their business at corporate level. The alternative would not only involve a return to more prescriptive regulation, but in the case of corporate responsibility it would be unmanageable. The sad reality is that most companies involved in corporate accidents never appreciated that what they were doing might be illegal until they were prosecuted, since prior to the accident no specific regulations had been knowingly broken. However, this is not necessarily very helpful to companies who are serious about avoiding corporate accidents. Since the publication of the Robens Report and the introduction of the HSW Act, there is no prescriptive rulebook which sets out the limits of illegality in a completely deterministic way.
The job of corporate compliance officer is not quite redundant, but it may be more advantageous in the present climate that the post be widened to include corporate ethics. The reasons for this have been made clear in the book. The nature of umbrella legislation such as the HSW Act places a general duty upon companies to control the risks arising from their operations using all reasonably practicable measures. Clearly, if an accident occurs involving a fatality a court may decide whether the measures used were reasonably practicable given the circumstances. It is beneficial therefore for companies to examine carefully how their risks are being controlled and whether certain ways of operating may be ‘unethical’ in the sense that if an accident occurs then they are likely to be prosecuted.
The way managers work
One of the main premises of the book is that failures of corporate systems represent the potential systemic causes of management errors, mistakes or misjudgements which can lead to an accident. In other words, the management error can be considered in the same way as a workplace error since it also has its root cause in a defective system. Another general point arising is that if management errors are systemic, then any failures in corporate systems will have an influence right across the company and will affect a wide range of management tasks in different areas of the company’s operations. The corporate systems are everyday drivers of the way managers work, and managers will be informed by these systems in controlling
the areas of work for which they are responsible. Not only will managers be informed by these systems, their work practices may be constrained so that they do not always work in the most ethical ways or in the ways they may prefer as a professional. The book has already pointed to a general undermining of professional standards resulting from financial pressures. Unfortunately, this is the reality of how many companies operate today; although the nature of a manager’s work must be flexible and adaptive, the work is carried out within an envelope defined by corporate systems. In some cases a defining envelope is necessary to ensure consistency of management decision making across the company, so that the company’s objectives are achieved efficiently. However, the envelope can also be a root cause of accidents when a corporate system inhibits a manager from acting in the best interests of health, safety and environment. This could happen when the corporate system causes a manager to put profit before safety. Even if this goes against the manager’s better judgement, that manager may still be required by corporate systems to act in the short-term interests of the company and its stockholders. Although better judgement may indicate that the decisions are not in the long-term interests of the company, peer pressure and preservation of career and job prospects are important determinants of management behaviour, as discussed in the book. The main conclusion arising from this is not just that corporate systems exist to determine the way managers work, it is that the nature of the corporate systems must encourage managers to work in ethical ways which reflect the longer term interests of the company. Any conflict between profit and safety can usually be resolved by examining the long-term implications, and the argument invariably comes down on the side of safety.
The ways in which a balance can be achieved between the costs and benefits of safety improvement measures have already been described. It should be noted that this is not just a desirable approach for companies to take, but a legal requirement which will be tested in the courts if a corporate accident occurs. In practical management terms it means taking into account both the profit motive and the prevention of corporate accidents and achieving a balance that satisfies the company’s best interests and could if necessary, as a minimum requirement, be justified under the law in terms of reasonable practicality.
No responsibility without control
As this book has already suggested in the context of safety management systems, work activities need to be kept under a degree of corporate control. The same principles apply whether the activities are at the shop floor, supervisory or management levels in the organization. The difference between management, supervisory and workface activities is largely one of degree; as a rule, the lower down the organization the greater the constraints upon freedom of action. The principles were summarized in Chapter 7 by the safety management maxim of ‘no responsibility without control’. This was proposed as a basis for developing a systematic management approach. The same approach can be adopted at all levels in the company. Just as shop-floor working procedures are necessary to ensure that basic workplace tasks
are carried out safely and efficiently, so the controls on management activities are largely to be found in the corporate systems. It is acknowledged that not all organizations may need to adopt the strict systematic approach described in Chapter 7. When writing this, the author had in mind businesses which create serious hazards with the potential for major accidents. For instance, in creative businesses where there are no serious hazards much more flexibility is allowable and in any case unified and highly controlled decision making is likely to inhibit the creative process. However, in the major hazard industries or industries where the public is at risk, such as in the transportation industry, stricter control of work will be necessary using formal systems. The main reason for having management controls in place is to prevent corporate accidents. However, there is another important reason which has been suggested to the author on many occasions when working at senior management level. This is to provide assurance to senior management and company directors, who are remote from the locus of the work, that the high safety standards which are promulgated at the top of the company are being implemented in practice at ground level. It has already been pointed out that company directors do not have a general legal responsibility for safety under the law and can in theory distance themselves from what is happening. In practice, most directors of companies and senior managers will have genuine concerns about safety and will want to ensure that all the necessary strategic measures are in place, not least so that they can sleep at night. Management systems go some way towards providing this assurance, but need to be kept under continuous review. If a vulnerability is detected then this is a potential precursor of an accident, serious or otherwise. This is demonstrated by the Heinrich pyramid in Chapter 7.
Although normally applied to unsafe acts committed at the workface, the Heinrich principle still remains valid in the upper echelons of the company, with the added possibility that the effects will be spread across the full range of company activities. There are of course other types of ‘corporate accident’ apart from those involving health, safety or the environment; financial failure could be defined as such an accident. However, corporate accidents involving serious financial failure or malpractice have not been covered in this book, although the same principles apply: to prevent these occurrences it is necessary to have adequate systems of corporate governance in place. Both in the USA, with the Sarbanes–Oxley Act, and in the UK, with the publication and recommendations of the Turnbull Report, strong measures were taken to improve corporate governance in the wake of a number of financial scandals. However, compared with measures to control financial governance, there is very little effective regulation of corporate practices for health, safety and environmental protection. The prime example of this is the failure to define legally the responsibilities of company directors for health and safety matters as described in Chapter 2. The only health and safety legislation which has direct application to company directors is section 37 of the HSW Act. This Act is now over thirty years old and this section has proved virtually impossible to enforce in the way originally intended. Although attempts have been made to remedy the situation, so far they have resulted in failure. This apparent lack of interest in regulating
corporate safety may, perhaps a little cynically, be because financial malpractice or failure can affect a much greater number of people than even the most serious fatal accident. It would also seem that it is easier to detect and fix financial problems than safety problems. As pointed out in Chapter 7, there is no equivalent of a financial balance sheet to reveal serious safety deficits. As a result, company directors pass their time in a state of limbo, where the full weight of the law only descends upon them after an accident has taken place, an event marked by the crossing of that fuzzy boundary between the unethical and the illegal. Most company directors will be much more proactive than this; they will be just as concerned about health, safety and the environment as the law requires them to be in looking after the financial interests of the company.
Case studies
Appendix 1 presents two case studies in corporate manslaughter to illustrate some of the points made in Chapter 2. An additional seven case studies in corporate accidents are detailed in Appendix 2. These are provided to illustrate the potential consequences of a strategic failure to prevent a corporate accident, and salient points from two relevant case studies are highlighted at the end of each chapter in Part II. The provision of case studies was considered important to the validity of the book since it grounds in reality what may otherwise be regarded as a rather arbitrary selection of the six key corporate strategies.
Appendix 1
In order to illustrate how the law on corporate accountability has operated (or failed to operate) over the past two decades in respect of corporate manslaughter charges against large companies, two case studies of previous accidents were chosen. These court cases, together with the legal arguments which arose, are described in Appendix 1. In exploring the legal accountability of the company as corporate body in Chapter 2, the book of necessity touched upon the difficulties of charging companies with some common-law offences. On some criminal charges, the difficulty arises from the need to demonstrate mens rea or guilty mind, since in law a company cannot be said to have a ‘state of mind’. It also showed how earlier common-law precedents, often involving quite trivial cases, had a huge influence upon the outcome of more serious cases, in particular, the bringing of corporate manslaughter charges against large companies. The author has tried to avoid the danger of this book becoming a legal textbook and, as already reiterated, it should not be used for legal guidance. Yet it seems to the author, a mere engineer, to be bizarre in the extreme that a legal precedent used to overthrow a major case of corporate criminality originated in a case of overcharging for a packet of washing powder (see ‘The identification principle’ in Chapter 2, and Appendix A1.2)!
The main conclusion arising from Appendix 1 was that efforts to bring manslaughter charges against a large company would always be doomed to failure until more specific legislation was brought onto the statute book, and in the UK this will be the case from April 2008 when the Corporate Manslaughter and Corporate Homicide Act comes into force. Potential problems with current legislation, both in the UK and overseas, as well as the effectiveness of corporate sanctions, have already been discussed above.
Appendix 2
It can be seen from the reference table in Appendix 2, which correlates corporate accidents against failures of corporate systems, that in no case is it possible to identify any one failure as the sole root cause of an accident. This is nothing really new since multi-causality has been noted by numerous accident inquiry reports and presiding judges in court cases. The theory of multi-causality is explored in Chapter 8. However, the multiple failures may not be independent of one another. A major vulnerability of multiple protection systems already noted is that the overall integrity can be destroyed by a common cause mechanism which simultaneously fails all the systems (see Chapter 1). The same principle may well apply, albeit by a slightly different mechanism, in the case of corporate strategies. Rather than a single common cause affecting all the systems (which remains a possibility), it is probable that a weakness in one system will have an influence upon other systems. If this influence detracts from the effectiveness of that system then it will start to undermine the overall capability to prevent corporate accidents. The six corporate strategies described in Part II are probably in a complex symbiotic relationship, difficult to define precisely but complementing each other in the protection that they provide. This can be seen in the case of safety culture, the failure of which was a common element in most of the case studies; clearly, the prevailing culture will have a pervasive influence on the effectiveness of all the other corporate systems. There is a similar situation with safety management systems since these systems are needed to guarantee that the other strategies are not only available and effective, but being implemented in practice. Unless there are complete and effective management systems to implement the strategies, the whole concept will amount to little more than a paper exercise.
It is important, therefore, for companies to understand that strategies to prevent corporate accidents must be complete and closely integrated if they are to be effective as a whole. It was not possible in a single book to describe comprehensively every single desirable element of the six identified strategies. The needs of each company will always be different and the systems will need to be tailored so they are commensurate with the type and magnitude of risks which are generated. The author has tried to include the elements which, based on past experience and the study of many accidents, appear to be the most essential. However, at the same time as describing each corporate strategy with its distinctive elements, the book has also tried to
explain why each one is important to the prevention of corporate accidents and the contribution which it can make.
A better way forward?
The perception of risk by the general public is always heightened in the immediate aftermath of a serious accident, with many calls for reform of the law so that the company and individuals responsible can be brought to account or so that future accidents can be prevented. Risk perception is amplified in the case of multiple fatality accidents, as described in Chapter 6. However, as media attention is quickly diverted elsewhere the perceived risk gradually becomes attenuated until the accident falls below the horizon of public interest; government has many more urgent priorities and the desire for change subsides until revived by the next serious accident. Only the survivors and relatives of those affected have long enough memories to press on desperately with their campaigns to obtain justice and protect others who are at risk. The Herald Charitable Trust [2] is an example of such a long-running campaign. This is an extremely costly and lengthy way of making progress in accident prevention and ultimately in delivering justice for those affected by these accidents. In one sense, it is an inevitable consequence of trying to limit the regulatory burden on industry for the justifiable reasons which have been explored in Chapter 6. Yet it is too easy to blame the regulator for failing to detect problems at corporate level before an accident occurs; to do this would require enormous resources and an unwarrantable level of interference with corporate freedom. At the end of the day, it is up to the companies which generate the risks to set up the corporate strategies to control them. This is not the responsibility of the government or its regulatory regime, although they have certain responsibilities to curb the excesses of corporate power.
When trying to identify the most important corporate systems which the company needs to prevent accidents, the mind is drawn naturally towards the usual litany of safe systems of working and technical solutions which are found in most health and safety textbooks and some of which are mentioned here. The importance of these should not be underestimated, excellent and necessary as they may be, yet Part I of the book revealed that the systemic causes of accidents at corporate level require a very different kind of solution. Whilst the company still needs to ensure that the usual health and safety systems at workface level are being applied, there is an added dimension at corporate level which strays into an entirely different and often unfamiliar realm, that of corporate culture, ethics and social responsibility. The need for these more holistic strategies stems from the very nature of the corporation described in Chapter 2, where there is always a temptation to externalize costs in order to meet the company’s financial objectives. This is not to say that the aims of health, safety and environmental protection are not to be found in most companies, usually reflected in the company health, safety and environmental policy statements. But the study of corporate accidents also reveals that sometimes these laudable objectives are not alone sufficient and furthermore are not always implemented in working practice. This situation is more likely to arise when the business finds itself under severe pressure to improve financial
performance, with the cost cutting that this sometimes entails. Occasionally, it does not even require financial pressure, and accidents are due to what can only be described as an unacceptable lack of care and commitment at the highest level. Whatever the reason, failures at corporate level are pervasive; the wrong attitude at director level is viral and will quickly travel through the organization to destroy any residual goodwill amongst the workforce to perform safely, and an accident at some time will be the almost inevitable result. The usual cycle of diminishing motivation for change (initial enthusiasm–loss of interest–return to status quo) can then be initiated as described earlier. If the accident leads to a court case then the motivation for change will be intensified, but unless people change, nothing else will change. This may seem rather pessimistic, but fortunately companies which find themselves in this downward spiral are quite rare; when it does happen they are the ones which end up in court! Even so, any company is susceptible to a gradual or an imperceptible erosion of corporate values and needs to be vigilant for this trend, especially when the financial environment is demanding or when serious changes are imposed. This may involve an event such as a takeover by another company. Takeovers frequently involve the process of turning around a company to make it more profitable, with all the inherent dangers of cost externalization. Sometimes the new owner of a company, with different priorities, fails to appreciate how rapid and badly thought out organizational and financial changes can unintentionally undermine the strategies to prevent corporate accidents which were carefully developed and implemented by the previous owners.
This book has proposed that unless the corporation is able to develop some kind of moral compass to direct its path through the labyrinth which is the modern business world (where competition and profit are the main driving forces for success), its long-term future may come under threat from short-term considerations. The end result may be a corporate accident which is costly in terms of harm to people, loss of reputation and possibly destruction of assets. Having a moral compass means that the company’s corporate systems to prevent accidents include not just technical systems at equipment level and management systems at people level, but also the more holistic systems such as culture, ethical concerns, social responsibility and the willingness to be adaptive through organizational learning. All these approaches together with their essential elements have been described in this book. Although they may not be easy to put into practice, in some cases requiring fundamental changes to attitudes and behaviour, it is believed that they are the way forward to preventing corporate accidents in the future.
References
1. Viscount Haldane, Lennard’s Carrying Co Ltd v Asiatic Petroleum Co Ltd (1915), AC705, quoted in Molan, M.T. and Hungerford-Welch, P. (2001). Sourcebook on Criminal Law, 2nd edn, Chapter 4, Mens rea, the mental element, London: Cavendish, p. 147. www.cavendishpublishing.com
2. Crainer, S. (1993). Zeebrugge: Learning from Disaster, London: Herald Charitable Trust.
Appendix 1: Case studies in corporate manslaughter
Since the end of the 19th century the ‘Corporation’ has penetrated private lives to an unprecedented level. This means they have social duties to the public which can be interpreted as the ‘directing mind’. If it can be established the extent to which this ‘directing mind’ is responsible for an event which results in a death then Unlawful Killing or Corporate Manslaughter will stand.
Mr Justice Scott Baker, at the Trial of Great Western Trains 1999, following the Southall rail crash.
Introduction
During the late 1980s and throughout the 1990s, a number of high-profile multiple-fatality accidents occurred, some of which involved public transportation. Because they resulted in deaths amongst members of the public there was a discernible cultural shift in society’s attitudes towards serious accidents of this nature. The shift was marked by a trend which directed blame away from those who had been the direct cause of the accident, usually at the operational level, but which instead pointed the finger of blame at failures in management. This led to a call for companies and their senior officers to face criminal liability for their action or lack of it where they were perceived to have been negligent. This trend was reflected in the greater willingness of the legal profession and judiciary to take more seriously the possibility of bringing charges of corporate manslaughter. The major accidents in the UK which precipitated this cultural change were:
• the capsize of the Herald of Free Enterprise roll on/roll off ferry (1987, English Channel, 193 fatalities)
• King’s Cross underground fire (1987, London, 31 fatalities)
• Piper Alpha offshore gas explosion (1988, North Sea, 167 fatalities)
• Clapham Junction rail crash (1988, London, 35 fatalities)
• Kegworth (M1) aircraft accident (1989, Leicestershire, 47 fatalities)
• Hillsborough Stadium (1989, Sheffield, 96 fatalities)
• Marchioness pleasure boat sinking (1989, London, 51 fatalities)
• Southall rail crash (1997, London, 7 fatalities)
• Paddington rail crash (1999, London, 31 fatalities).
Over the twelve-year timeframe of these accidents there was a cumulative effect which had an impact upon the public acceptability of risk. Although only two of these accidents led to corporate manslaughter charges, the whole issue of corporate criminal liability caught the attention of the public mind. The end result, by the beginning of the twenty-first century, was increased public intolerance of perceived corporate negligence. Stemming from this, over the past two decades, corporate criminal liability under common law has been gradually widened to incorporate a more comprehensive range of offences which it is possible to impute to a company. Any residual doubt as to whether this could include manslaughter was removed in 1991 when the cross-channel ferry operator P&O European Ferries (Dover) Ltd was brought to trial on corporate manslaughter charges following the capsize of the ferry Herald of Free Enterprise off Zeebrugge in Belgium and the deaths of 193 people on board. Although this prosecution failed, it set the scene for charges to be brought against larger companies for corporate manslaughter in the future. The next major corporate manslaughter prosecution took place a decade later following a serious rail accident at Southall, West London, when a high-speed passenger train collided with a freight train, resulting in 150 injuries and the deaths of seven people. This prosecution also failed and led directly to a call for changes in the law on corporate manslaughter, changes which have now been encapsulated in the new Corporate Manslaughter and Corporate Homicide Bill discussed in Chapter 2. These two failed prosecutions are examined in this appendix to reveal the principal reasons why the original law relating to corporate manslaughter was unsatisfactory.
A1.1 The capsize of the Herald of Free Enterprise
From top to bottom the body corporate was infected with the disease of sloppiness . . . it reveals a staggering complacency.
The Sheen Inquiry [1]
The accident
The roll-on/roll-off (RORO) car ferry Herald of Free Enterprise operated between the British Channel ports and continental Europe. The vessel was owned by Townsend Thoresen and had a maximum carrying capacity of 1400 passengers. On 16 March 1987 the departing evening ferry from the Belgian port of Zeebrugge carried eighty crew and 459 passengers on what should have been a routine crossing to Dover. However, unknown to the officers on the bridge, there had been a failure to close the bow doors prior to departure. After passing through the inner breakwater of the harbour the ferry accelerated to about fifteen to twenty knots. Here the waves
were of sufficient height to flood the car deck, entering through the open bow doors, causing the ferry to list to port and finally to roll over onto a sandbank near the harbour entrance. The speed at which the disaster developed (about twenty minutes) allowed little time for preparation, such that no warnings or announcements were made and passengers were left mainly to their own devices to escape from the half-submerged ferry. The disaster resulted in the deaths of 193 people, the most serious accident involving a UK passenger vessel for many decades. It was already known that RORO ferries of this design were highly susceptible to capsizing with only a few inches depth of water present on the car deck. In fact, only five years earlier the same company had experienced the loss of its ferry European Gateway when it capsized in four minutes with the loss of six lives at the approach to the port of Harwich following a collision.
The inquiry
A public inquiry into the Herald of Free Enterprise accident opened on 27 April 1987, conducted by Wreck Commissioner, Mr Justice Sheen, under the Merchant Shipping Act 1984. Although this court had full powers of investigation, and was to determine who should pay the cost of the investigation, curiously, it did not have any power to make binding recommendations upon any of the parties, relating for instance to design or operational issues. This was unfortunate because the consequences in this accident were exacerbated by a basic design flaw that is common to most currently operating RORO ferries. The Sheen Inquiry found that the immediate cause of the accident was the absence from his post of the assistant bosun who was charged with closing the bow doors at departure from Zeebrugge (he was asleep in his cabin). This prompted the court to examine working practices in the company which revealed that:
• The ship’s captain was under considerable pressure to depart the berth immediately following loading with vehicles and passengers.
• The ferry was overloaded and was carrying more passengers than allowable under regulations. A proper account of the number of passengers boarding the ship was not kept.
• There was no means of detecting, from the bridge of the ship, whether the bow doors were open or closed, the position of the doors not being visible from the bridge. Instead, it was found that an informal but dangerous system had been adopted whereby the captain operated on the simple assumption that if he heard nothing from the assistant bosun then he would assume that the bow doors had been closed. The result was that on this occasion the captain ordered the vessel to sea with the bow doors still open.
• There was a failure to measure the ship’s draught before sailing and the draught entered into the ship’s logbook was in error. It was not noticed that the ferry was low in the water at the bow. This had an effect on the amount of water entering through the bow doors.
• The capacity of the ballast pumps used to level the ship was such that emptying the tanks took so long that the ship would be well out to sea before it could get back on an even keel.
However, the inquiry recognized that these causes were essentially the direct causes of the accident and appeared to place the burden of blame principally, and possibly unfairly, on the actions of individual crew members. As a result, during the inquiry the company’s management and organizational arrangements came under intense scrutiny and were shown to be the root cause of the accident. This underlines the general principle that the immediate and direct causes may well have led to the accident on the day it occurred, but without the root cause factors being present, it is unlikely that the accident would have happened at all. The root cause of the accident was to be found much higher in the company, in fact at corporate level, extending as high as the board of directors. The principal problem was one of lack of communication between operational management, in particular between the masters of vessels and the top levels of management onshore. The communication tended to be one way: upwards. The masters had serious concerns about safety which had been expressed in countless memoranda to top management but which were consistently ignored. Management onshore tended to view requests for safety improvements as involving, at best, unwarranted expenditure and at worst as criticism of the company. A standoff between offshore and onshore management resulted in the latter adopting a defensive posture, combined with a refusal to take the necessary action. Very few face-to-face meetings ever took place. The court was given an example of a senior master who had reported concerns about overloading of vessels such that when vessels were trimmed waves would be lapping over the bow doors. The senior onshore manager who failed to act held the view that if the matter was really serious, the senior master would have come to see him and ‘banged on his desk’ rather than send a memo. 
Overloading and poor trimming of the ship was a significant factor in the Herald of Free Enterprise disaster. Up until the opening of the inquiry, P&O senior managers, and in particular the chairman of the company, remained convinced that the accident was due to a simple human error on the part of the assistant bosun. They did not believe at this time that any corporate blame could be attached. However, senior management was quickly disabused of this perception when in his opening statement on the first day of the inquiry, Counsel for the Secretary of State for Transport said: ‘. . . the disease of sloppy system and sloppy practice infected not just those on board the ship, but infected well into the body corporate of Townsend Thoresen’. (Since the accident the new name and ownership of the company had come to be Townsend Thoresen.) The main corporate failing was found to be an absence of any proper system of supervision of activities at crew level, particularly regarding navigational safety and operations. There was not even an order in existence that the vessel loading doors must be closed before departure and that an officer must check that they had been closed. The system that existed was based on a dangerous fallacy of negative reporting. In the absence of communication that the loading doors were still open,
they would assume that the doors were shut. This failure was not unique to this particular vessel, but was a failure of management and of monitoring which was widespread and had existed over many years, involving most of the company’s vessels. The company accepted that there should have been instructions on the operation of the loading doors and therefore the accident was caused by the fault of the company and its employees. The company said that it was right that it should take full responsibility for the accident. Nevertheless, they still maintained that the reason the bow doors were still open was ‘avoidable human error’. When a series of senior management figures and company directors representing Townsend Thoresen gave evidence at the inquiry, Lord Justice Sheen made scathing criticisms of their performance both as witnesses and as company managers. In respect of the technical director of the company, Wallace Ayers, Lord Justice Sheen made these comments: ‘Mr Ayers may be a competent naval architect, but the court forms the view that he did not carry out his managerial duties, whatever they may have been.’ Lord Justice Sheen commented that the amorphous phrasing of his answers to Counsel’s questions appeared to show that he was ‘incapable of expressing his thoughts with clarity’. In the case of Marine Superintendent Jeffrey Develin, who was a witness, Lord Justice Sheen came to similar conclusions about his work and the quality of his evidence to the court. Mr Develin admitted at one point that he had misled the inquiry about a proposal to provide warning lights on the bridge of the ferry to indicate the position of the loading doors. At first he claimed that he had not considered such an idea until the day after the disaster, but later admitted that his ‘answer was muddled’.
He had in fact previously received warnings from the ship’s senior masters about the potential dangers of the bow doors being left open and the need to provide a positive reporting system. Lord Justice Sheen’s comment was to say that Mr Develin’s response to these legitimate concerns was ‘flippant, facetious and fatuous’. Those giving evidence on behalf of management did not inspire the court with confidence about their managerial skills. The overall result was that Lord Justice Sheen spread the blame for the accident much wider than just the employees working on the ship at the time. In particular, he referred to ‘cardinal faults (which) lay higher up in the company’. He said, ‘from top to bottom, the body corporate was infected with the disease of sloppiness’. The court of inquiry closed after hearing twenty-nine days’ evidence and delivered its findings on 24 July 1987. The result was that Captain Lewry, the ship’s master, was deprived of his master’s certificate for a year and first officer Leslie Sabel lost his marine licence for two years. The conclusions of the Sheen Inquiry stated that:
. . . a full investigation into the circumstances of the disaster leads inexorably to the conclusion that the underlying or cardinal faults lay higher up in the
Company. The Board of Directors did not appreciate their responsibility for the safe management of their ships. They did not apply their minds to the question: What orders should be given for the safety of our ships? The directors did not have any proper comprehension of what their duties were. There appears to have been a lack of thought about the way in which the Herald ought to have been organized for the Dover–Zeebrugge run. All concerned in management, from the members of the Board of Directors down to the junior superintendents, were guilty of fault in that all must be regarded as sharing responsibility for the failure of management. From top to bottom the body corporate was infected with the disease of sloppiness . . . it reveals a staggering complacency. [1]
This conclusion demonstrated a lack of understanding at director and senior management level that they were responsible for providing the resources to implement safety improvements, in many cases quite simple improvements such as a bow door position indicator on the bridge. Corporate failures at the highest level in the organization were therefore the principal root cause of the accident. It is difficult, on reading the evidence of the Sheen Inquiry, not to conclude that the reason behind this apparent lack of corporate interest in safety was driven primarily by a desire to save money, thus externalizing some of the costs of the operation from the company onto the passengers and thereby jeopardizing their safety. However, apart from the scathing comments of Lord Justice Sheen and an order to pay a substantial part of the court costs (some £350,000), no further sanctions against the company were taken since it was not within the power of the court under the 1970 Merchant Shipping Act to deliver such sanctions.
Nevertheless, public concern was by no means allayed and some members of parliament immediately called for the management of Townsend Thoresen to be brought to account for their failures.
The inquest [2]
Following the public inquiry Britain’s largest ever inquest was held at Dover Coroner’s Court into the death of 193 victims as a result of the capsizing of the ferry Herald of Free Enterprise. More than 1000 witness statements had been taken by the police before the inquest began on 7 September. After reading out the names of the victims, the coroner, Richard Sturt, instructed the jury that ‘the potential verdict you might have to consider – and perhaps the most controversial – is unlawful killing’. In order to arrive at such a verdict, he instructed the jury that they had ‘to be satisfied beyond any reasonable doubt that an act or omission by an individual caused subsequently one or more of the deaths and that the individual was guilty of gross negligence’. A change of the law in 1977 influenced the outcome of this case. Up to that time, if the coroner’s inquest found that a person was guilty of a criminal offence then the coroner was able to issue a warrant for the arrest of the person. After the 1997 Act, the jury was no longer allowed to name any person who might be found guilty
and the verdict was not allowed to attribute any specific criminal liability. Consequently, the coroner stressed that the purpose of the inquest was not to determine blame but to establish the facts of the case. He insisted that only actions by members of the crew of the Herald of Free Enterprise could have led to the deaths, and refused to call any directors of the company on the principle that they were too far removed from vessel operations for their evidence to be relevant to determining those facts. The families of the victims of the disaster were represented in court and lawyers acting on their behalf applied to the High Court for this ruling to be overturned. The objective was to provide the jury with the right to decide whether the company was guilty of corporate manslaughter. The appeal was ultimately rejected but, for the first time, it was ruled that under the right circumstances there was a possibility that a corporate body could be prosecuted on the grounds of manslaughter. In accordance with the ruling of the coroner, the Appeal Court judges ruled that ‘the directors were too remote from the disaster to take any direct responsibility. . . . the case against the corporation can only be made by evidence properly addressed to showing guilt on the part of the corporation’. Following this ruling, the coroner said ‘I (therefore) intend to direct the jury that the concept of corporate manslaughter is unknown at present to the law’. The coroner in effect chose to avoid the difficult area of proving corporate responsibility (the root causes of the accident) whilst concentrating on the more easily established individual responsibilities of members of the crew (the direct causes of the accident). In addition, he was uncertain that verdicts of unlawful killing could legitimately be arrived at by the jury in this case, since such a verdict at this time was highly unusual.
The coroner therefore set out three conditions which needed to be met for the jury to deliver a verdict of unlawful killing:
• The act or omission of an individual must be a substantial cause of death.
• That act or omission must have created an obvious and serious risk of physical injury.
• That individual in his act or omission must have done so without giving any thought to the possibility of that risk or, having recognized the risk existed, decided to take that risk in any case.
The inquest jury arrived at the first verdict on 8 October 1987 and in spite of the reservations of the coroner this turned out to be a verdict of unlawful killing for all but one of the victims (one who died later). The coroner then sent the papers to the Prime Minister, the Minister for Transport and the Department of Public Prosecutions (DPP). The verdict was a surprise, but echoed the strong sentiments of the public regarding the culpability of the company. It was praised in many quarters. Private Eye magazine made a tongue-in-cheek observation when it stated in its edition of 24 October 1987 that: ‘The whole episode proved to the legal establishment how very unsafe juries can be and how the majesty of the law can be imperilled by a handful of ordinary people who are too easily swayed by sympathy at the thought of 200 innocent travellers unnecessarily killed’.
The prosecution for manslaughter of P&O European Ferries [3]
The charges
A summons alleging corporate manslaughter was issued against P&O European Ferries (Dover) on 27 June 1989. This was the first time in the UK that such a charge had been made against a company and the second time ever in the world. The only previous such charge had been made in 1964 against Northern Star Mining Construction, a mineral exploration company based in Vancouver, BC, Canada. In addition to the charges made against P&O European Ferries, charges were also brought against a number of individuals including two former Townsend Thoresen directors, Wallace Ayers and Jeffrey Develin; the deputy chief marine superintendent, John Alcindor; a senior master, John Kirby; the captain and first officer of the vessel, David Lewry and Leslie Sabel; as well as the assistant bosun, Mark Stanley, who had been asleep at his post. At the same time it was fully understood by the Crown Prosecution Service (CPS) that they were entering unknown territory in respect of the current state of the law at that time. The decision to prosecute individuals was particularly controversial, but was probably based less on a desire to satisfy a public demand for justice than to ensure a successful prosecution of the company. A guilty verdict on an individual would necessarily lead to a guilty verdict on the company if the individual could be shown to have represented the company.
The appeal
The response of P&O Ferries was that no useful purpose would be served by bringing such a prosecution. They appealed against the decision to prosecute on the basis that it was impossible to bring a charge of manslaughter against a company since the company was not a ‘natural person’. The appeal was rejected by Lord Justice Turner after a four-day hearing in the High Court.
The trial
The trial of P&O Ferries opened on 10 September 1990, a full three and a half years after the tragic event. Jury selection was made from a panel of 145 members of the public who were questioned about their personal experiences in ferry travel. The company, together with the individual employees charged, all pleaded not guilty. As normal in such cases the judge warned the jury at the opening of the trial that they must not be influenced by anything they had read or heard about the accident prior to the trial. Curiously, this also included the findings of the Sheen Inquiry into the accident, which was specifically referred to by the judge commenting that it ‘pointed the finger at a number of individuals, some or all of whom may be before you in the court’. After some legal wrangling the defence were allowed to inform the jury that the Sheen Inquiry report did not specifically blame their clients. Prosecution, in opening their case, stated that:
The crown’s case is that the capsizing was avoidable and that each of the defendants that you are trying, the seven humans and the company, is responsible for the deaths that occurred because their behaviour or conduct
was reckless and grossly negligent. The guilt of the company can only be established via the guilt of a directing mind. Hence, if you find one of those mentioned has committed the offence of manslaughter in the capacity of a person managing or directing the company, then the company likewise should be found guilty of the offence of manslaughter.
The identification principle, as discussed in Chapter 2, meant that for the company to be proven guilty it was necessary for an individual to be identified who represented the mind and will of the company. In this case the judge insisted that the acts of the seven individuals on trial could not be ‘aggregated’ if none of the individuals was themselves grossly negligent. Thus, although the Sheen Report had referred to the company being ‘infected with the disease of sloppiness’ from top to bottom, this did not refer to particular individuals and could not therefore be used in evidence to prove corporate manslaughter. In addition, it was necessary to prove that one or more individual defendants had been reckless such that they had failed to recognize, or had recognized and disregarded, an obvious and serious risk that a ferry would sink with the bow doors open. Requiring this level of proof was to prove fatal to the prosecution case. During the first three weeks of evidence, the prosecution called for a number of P&O ships’ masters to testify that they had recognized the risk of a ferry sailing with the bow doors open. None of them was prepared to testify that this was the case. The effect was to uphold the defence’s claim that the risk inherent in the way the ferries were operated was not obvious even to sea-going professionals. If it was not obvious to those engaged at the ‘sharp end’ of ferry operations then it was hardly going to be obvious to those who worked on shore at the top of the company.
In other words it was unreasonable to suggest that those who were sufficiently senior to represent the mind and will of the company should have known about the operational deficiencies. The judge summed this up by saying:
It is the essence of the case for the prosecution that before we get to the relevant state of mind of any one defendant there must have been an obvious and serious risk of the vessel putting to sea with her bow doors opened in the light of the various alleged deficiencies.
That there was no obvious risk was supported to some extent by the fact that no ferry accidents had occurred over the previous seven years, during which time there had been 60,000 cross-channel sailings of P&O vessels. However, although five instances of ships sailing with the bow doors open had occurred, only one of these was known to the defendants. Furthermore, Department of Transport (DoT) regulations did not actually require warning lights to be fitted on the bridge of the vessel to indicate the position of the bow doors. The company was therefore not in breach of any maritime legislation, national or otherwise. The case thus rested to some extent on the interpretation of the words obvious and serious risk. The prosecution interpreted this to mean that the risk could be ‘foreseeable by a reasonable person’. Counsel for P&O Ferries maintained, however, that the correct definition
was a risk which was ‘perfectly evident or stared one in the face,’ to express it in colloquial terms. Mr Justice Turner veered towards the latter definition so that by this point in the trial the success or otherwise of the prosecution rested not so much upon legal and technical considerations as upon semantics. Towards the conclusion of the case, Mr Justice Turner summed up his position in a statement that ignoring an obvious and serious risk meant that:
The defendant’s perception of risk was seriously deficient when compared to that of a reasonably prudent person engaged in the same kind of activity as that of the defendant . . . there is no evidence that reasonably prudent maritime superintendents, chief superintendents, or naval architects, would or should have recognized that the system gave rise to an obvious and serious risk of open-door sailing.
The judgement
The case lasted for twenty-seven days before it inevitably collapsed and the judge directed the jury to acquit both the company and the other defendants, with the exception of the first officer of the vessel, Leslie Sabel, and the assistant bosun, Mark Stanley. In the end, the case against these two defendants was also dropped since the prosecution did not consider that it would be in the public interest to proceed further, and the jury was instructed to find them not guilty. The result was a serious failure to act in the public interest by making those at the very top of the company take the responsibility for this accident. Perhaps the only redeeming feature of the trial was that the first officer and the assistant bosun were not made to ‘carry the can’ for the more senior persons in the company on whose shoulders the ultimate responsibility for this tragic accident really rested. No more prosecutions of large companies for corporate manslaughter were to be brought for another decade.
A1.2 The Southall rail accident
Those who travel on high speed trains are entitled to expect the highest standard of care from those who run them. Great Western Trains failed to meet that standard.
Mr Justice Scott Baker at the prosecution of Great Western Trains
The accident
On 19 September 1997 the 10.32 high-speed passenger train from Swansea to London operated by Great Western Trains (GWT) went through a red danger signal at Southall, about nine miles from Paddington station. It collided with a freight train comprising empty hopper wagons operated by English Welsh and Scottish (EWS) Railways that was crossing the path of the passenger train. The accident resulted in
seven fatalities and 139 injuries. It occurred on a complex and busy section of track where four main lines were joined by cross-overs between the adjacent tracks. When the crossing movement of the EWS freight train occurred, the mainline sections which were temporarily occupied by the hopper wagons were fully protected against high-speed traffic by red signals on both the up and down mainlines. The problem arose because before the goods train was able to clear the mainline, the high-speed passenger train ran through the red signal (having already passed a number of yellow cautionary signals) at a speed of 100 mph. The power car of the passenger train struck the empty hopper wagons a glancing blow and came to a standstill about 100 yards down the line. The first coach overturned, but the second coach impacted an electrification mast and was bent almost double. Most of the seven fatalities occurred in this coach. It was later revealed that the passenger train was fitted with the normal automatic warning system (AWS) train protection and also, unusually, with a new type of automatic train protection (ATP) system operating on a trial basis. Either of these systems would have stopped the train, except that on this particular day neither system was operational owing to faults which had developed and had remained uncorrected. The driver and passengers were therefore unprotected from the consequences of a red signal passed at danger. The accident was made the subject of a public inquiry in 1999 but, unusually, this was preceded by a prosecution for corporate manslaughter. However, in this appendix the public inquiry is described first, followed by an account of the trial, since information arising from the former is useful in understanding the latter.
The inquiry
The government of the day ordered a public inquiry into the accident, to be chaired by Professor John Uff. [4] Although this inquiry was set up relatively quickly it was subjected to a two-year delay for legal reasons associated with criminal prosecutions against the driver and GWT. The principal concern was that if staff were questioned at a public inquiry, then their evidence might later prejudice future legal proceedings to prosecute those responsible. The driver of the passenger train was fortunate enough to survive the crash, but was questioned by police almost immediately after the accident. He was later charged with manslaughter. In addition, charges of corporate manslaughter were brought against GWT. It was decided some twenty months later that the charges against the driver should be abandoned as he was judged unfit to plead and would be unable to pay a fine. Similarly, the corporate manslaughter charges were also dropped since no one individual responsible for disabling the protection systems could be identified. It was ruled by the judge, Mr Justice Scott Baker, that prosecution could only take place if a person deemed to be a ‘directing mind’ could be identified and charged. In the end no such person could be found. Later, GWT was charged under the Health and Safety at Work etc Act 1974 (HSW Act) for failing to protect the public. GWT pleaded guilty and was fined £1.5 million. More details of the corporate manslaughter trial are given below.
The public inquiry was finally held in 1999 and revealed that both protection systems on the GWT train had been disabled with the implicit approval of management. It further found that the rules for allowing a train to operate without the usual AWS detection operational were ambiguous and over the years had evolved considerably. When the AWS was initially developed it was only regarded as an aid to the driver which did not remove from him the ultimate responsibility for responding to signals. Initially, this policy was construed to mean that a train would be allowed to operate without the AWS. Later, the rules were modified so that if the AWS on a train failed, then the train had to be taken out of service for repairs as soon as practicable. Later changes modified the wording even further such that the train had to be taken out of service at the first suitable location without causing delay or cancellation. This was the rule in force at the time of the accident at Southall. In actual practice it had been interpreted to mean that a train without a functional AWS might be able to complete its journey, if it were deemed that a suitable location did not exist along the route. Of course this had the additional advantage to the company that the train need not be taken out of service, thus minimizing disruption to the running schedule. It also avoided the cost of paying claims made by passengers for late arrival. This is yet another example of cost externalization at the expense of safety as the modification of the rules meant that the driver might be required to complete a long journey responding visually to numerous cautionary and danger signals along the route, increasing the chance of an accident.
At an earlier time, there had been a rule that the train would only be allowed to operate without AWS when a second person was present in the cab (the only qualification required for the second person being that he was not colour blind). Owing to concerns that this could cause distraction of the driver, and following staff cuts upon privatization of the railways, this rule was abandoned as impracticable since it was unlikely that a second person would be available at short notice. The inquiry made a number of other findings such as impedance of the driver’s view of the signals in the Southall area. The first cautionary double yellow signal which the driver had passed was obstructed by an over-bridge at Southall station. The next single yellow signal was not correctly focused and was only in the driver’s sight for about one second at the speed of the train. By the time the train had reached the red signal it was travelling at too high a speed to stop before it collided with the freight train in its path.
The causes
The direct cause of the accident was the failure of the driver of the high-speed train to respond to a series of cautionary and danger signals. However, the root cause was an operational rule which allowed the train to be driven with the AWS train protection system disabled (the ATP system was only on trial and can be discounted). This left the train driver to negotiate one of the busiest routes in the country at high speed relying purely on visual recognition of signals to which a correct response had to be made every time in order to avoid an accident. This was entirely unsatisfactory and it is almost certain that had the AWS been working on that day, the accident would not have occurred. The operational rules, which had changed and evolved over time, allowed this train (and probably other trains at other times) to operate without the required protection system and clearly put passengers at unacceptable risk. The responsibility for allowing this unsafe mode of operation to exist can be placed firmly at corporate level. The modified rules for running without the protection system seem to be more concerned with ensuring smooth running of the service, thus maximizing revenue and minimizing compensation claims, than with maintaining passenger safety.
The corporate manslaughter trial [5]
The charges
At the first hearing on 30 June 1999, the following charges were read out to the court before Mr Justice Scott Baker, the presiding judge.
Against Great Western Trains
Charges 1–7 for manslaughter were brought in respect of each of the persons killed: it was charged that GWT had permitted a train to go forward in an unsafe condition in that both train protection systems were inoperable and that they failed to either stop the train from proceeding on its journey or ensure a competent second person was present in the cab. GWT pleaded not guilty on all counts. Count 8 charged that GWT had failed in their duty of care towards the passengers and was therefore in breach of the HSW Act. To this GWT pleaded not guilty, but on later resubmission of the charge, GWT pleaded guilty (see below).
Against the driver of the train, Larry Harrison
Charges 9–15 for manslaughter were brought in respect of each of the persons killed: it was charged that the driver drove the train in a negligent manner which resulted in the accident and subsequent deaths. Driver Harrison pleaded not guilty on all counts. Count 16 charged that the driver failed in his duty of care towards the passengers and was therefore in breach of the HSW Act. To this charge, driver Harrison pleaded not guilty.
The judge’s ruling
At the start of the trial, on 31 June 1999 at the Old Bailey, the Crown Prosecutor sought a ruling from the judge on the way the prosecution should proceed. Mr Justice Scott Baker in his ruling said that it would be unsafe for the CPS to proceed with prosecution of GWT on charges of corporate manslaughter. In order to arrive at this ruling, the judge had studied the legal precedents and made an interpretation of the law and evidence to be submitted in this case. He made the point that the case against GWT on charges of manslaughter was completely separate from the same charges against the driver. It was also a separate case from that brought under the HSW Act against GWT and the driver for negligence. In his ruling, the judge emphasized the fundamental difference between a civil and a criminal charge. In a civil case, the main matter of concern is whether the accused was negligent and if so the amount of damages to be awarded. He pointed out that the degree of negligence is irrelevant in a civil case. In the case of criminal charges, the degree of negligence carries a much greater importance. In a criminal case, the consequences for the defendant are more serious and can result in an unlimited fine or even imprisonment. The judge noted that very few successful prosecutions for corporate manslaughter had ever taken place. He mentioned the example of the case of Regina v P&O Ferries in 1991 concerning the capsize of the cross-channel ferry the Herald of Free Enterprise (see above) where the prosecution for corporate manslaughter had failed. That case was dismissed on the instructions of the judge because no individual on the board of directors could be identified as the directing mind as far as management decisions influencing safety were concerned. In the context of the Southall accident, Mr Justice Scott Baker made the following statement:
Since the end of the 19th century the ‘Corporation’ has penetrated private lives to an unprecedented level. This means they have social duties to the public which can be interpreted as the ‘directing mind’. If it can be established the extent to which this ‘directing mind’ is responsible for an event which results in a death then Unlawful Killing or Corporate Manslaughter will stand.
The judge went on to describe other corporate prosecutions, all of which had failed, and in which the presiding judges had all demonstrated the main weakness of the law to be the identification principle. One of these judges had stated that ‘a corporation is an aberration with neither body or head and can only be pursued through an individual’. This essentially summed up the dilemma before the court in the case of the Southall accident. In order for the prosecution for corporate manslaughter to proceed then it was necessary to identify the senior person in GWT who must be shown to be the directing mind and who must also be shown to be negligent. In the case of GWT, Judge Scott Baker identified that person as Mr Richard George, managing director of GWT. Judge Scott Baker noted that the cause of an accident is not usually a single event but a number of events coming together in time. The events in themselves may be insignificant, but when brought together they are catastrophic. In the case of the Herald of Free Enterprise, the accident was caused by an aggregation of a number of separate operational and system failures, so it was not possible to identify one person as being responsible since no one person alone in their failures could have caused the capsize of the vessel. The judge considered that the Southall accident was caused by a system failure since GWT had failed to comply with the undertakings set out in its safety case in accordance with the Railways Safety Case Regulations. However, such a failure to comply could not on its own constitute a case for a criminal prosecution.
This was only possible if gross negligence on behalf of one or more identified individuals could be shown. Judge Scott Baker described three possible ways in which a criminal prosecution could proceed:
1. failure of a duty to ensure the safety of the seven passengers who were killed, or
2. identification of the ‘directing mind’, a senior individual in GWT, who was negligent, or
3. identification of a number of individuals in GWT who collectively were a ‘directing mind’ and who were also negligent.
He adjudged that it was not possible to prove gross negligence in the case of (1), since the risk of a freight train crossing the path of the high-speed train would need to have been foreseen with knowledge of the consequences and the course of action needed to prevent the accident (proper train protection). In the case of (2), for Mr George to be the directing mind, he would need to have direct responsibility for ensuring that the train protection systems were working and would have to understand fully the risk of not having them working. The mere fact that he held the position of managing director did not automatically mean that as an individual he had a duty of care towards the passengers. To settle the matter, the question was quite simple: had Mr George directly ordered the train to proceed, knowing the risk to passengers? Of course this could not be proven. In the case of (3) the answer was also simple: it was not possible to proceed against people who could not be named. Even if they were named, their actions would have to be aggregated as if they were one person, making the proceedings even more difficult. In the judge’s opinion, therefore, all three options were unsafe and it was therefore unsafe to proceed with the prosecution on counts 1–7 of corporate manslaughter. He made the following statement:
Judges interpret the law. Parliament makes the laws which we interpret.
Following the Herald of Free Enterprise Disaster the Law Commission issued Report 237 on the strengthening of the laws concerning corporate responsibility. The recommendations were that the laws concerning corporate negligence should be strengthened and addressed by Parliament. This request has gone unheeded for more than 3 years. Until the laws are changed Judges’ hands are tied.
Prosecution response
The response of the prosecution was to request an adjournment until Friday 2 July 1999, during which period the judge’s statements would be considered. When the court reconvened, counsel for the Crown Prosecution drew attention to a statement concerning corporate manslaughter:
There are many who say the state of the law is unsatisfactory in relation to corporate manslaughter. This is the responsibility of Parliament which has failed to act upon the Law Commission report 237. In light of the weaknesses in the law and the clear ruling of the Judge the Crown Prosecutor has decided to ask the Attorney General to address the matter of the lack of suitable laws pertaining to corporate responsibility.
Consequently, the CPS did not intend to offer evidence in respect of counts 1–7, on corporate manslaughter. However, this depended on reaching an understanding with GWT that they would change their plea on count 8, breach of the HSW Act, to guilty. The case had been in preparation for nearly two years and had already delayed the commencement of the public inquiry, which had finally been set for 20 September 1999. Since it was the responsibility of this inquiry to consider the reasons why the accident occurred, it was contended that the public interest would not be well served by prolonging the trial. The counsel for GWT then rose to confirm that GWT would plead guilty in respect of count 8. They stated their conviction that the prosecution’s attempt to press charges for criminal manslaughter was not appropriate in law since a director could not be prosecuted unless he personally directed the action which was negligent. In respect of the driver of the train, the prosecution offered no evidence on counts 9–15. Medical reports indicated that the driver had been psychologically damaged by the accident and its consequences and his ongoing medical condition precluded his presence at a protracted court case. In any case, it was considered that he had been instructed to drive a defective train and any failure on his part really pointed to the failure of GWT to provide a safe system of working. With regard to count 16 against the driver, a breach of the HSW Act, the prosecution did not intend to proceed but wished to leave the charge on file, meaning that if more evidence could be found the case could be reopened. However, the counsel for driver Harrison argued that this was not fair to their client.
He had been required to drive a defective train and the absence of any train protection system placed a heavy burden upon him. In addition, there had been confusing changes in working practices and evidence supported poor sighting of two of the signals to which he was required to respond. The judge agreed with defence counsel for driver Harrison; he was found not guilty in respect of count 16 and was discharged.
Sentencing
Sentencing of GWT on count 8, breach of the HSW Act, took place on 27 July 1999. Mr Justice Scott Baker in his verdict found that GWT was guilty of a ‘dereliction of duty’ and said that the public had a right to expect a higher standard of care. The judge said that:
GWT failed to meet that standard and in my judgment they failed to meet it by a greater extent than they have been prepared to admit.
As a result the company was fined a record £1.5 million. This was the highest fine ever against a company for a breach of health and safety law since a fine of £1.2 million had been imposed on Balfour Beatty following the collapse of three tunnels during the building of the Heathrow rail link. Mr Justice Scott Baker said the fine imposed ‘was not intended to nor can it, reflect the value of the lives lost or the injuries sustained in this disaster. It is, however, intended to reflect public concern at the offence committed’. In his judgement, Mr Justice Scott Baker criticized GWT’s chief executive Mr Richard George for his absence from the three-day court hearing. He said to defence counsel:
I am surprised that neither Mr George – who it is said is in personal charge of safety at GWT – nor any other director of the company came to court to express personally remorse for GWT’s breach of the Health and Safety Act, and to allay any impression of complacency that may have been conveyed to the victims, their families and the public . . . . He is the man in charge of safety and he has not taken the trouble to come to court . . . one would have thought he would have come if your clients are really concerned about this matter.
He did, however, acknowledge defence submissions that the company regretted its responsibility for the disaster.
The Attorney General for England and Wales is the chief legal adviser of the Crown and represents the Queen and the Government in court. Although prosecutions are the responsibility of the DPP and the CPS, the Attorney General has supervisory powers over prosecutions and represents the Crown in judicial proceedings where there is a public interest. He may, under the Criminal Justice Act 1972, refer an appeal to the House of Lords on behalf of the prosecution. The House of Lords then clarifies the points of law but does not make a decision in the court case being appealed. As a result of the judge’s ruling in the prosecution of GWT, the Attorney General asked the Court of Appeal for a clarification of the law regarding corporate manslaughter, the salient points of which are given below.
The Attorney General’s submission to the House of Lords [6]
The submission was made at the Court of Appeal Criminal Division on Tuesday 15 February 2000 before Lord Justice Rose (the vice president), Mr Justice Potts and Mr Justice Curtis. The report of the Attorney General’s submission to the House of Lords summed up the then current legal situation in the UK regarding prosecution of companies or individuals for gross negligence manslaughter. It referred to the various precedents and previous court cases in an attempt to answer questions arising from the ruling given by Mr Justice Scott Baker at the Central Criminal Court on 30 June 1999 arising from the prosecution of GWT described above. Mr Justice Scott Baker had ruled that it is a ‘condition precedent to conviction for manslaughter by gross negligence for a guilty mind to be proved and that where a non-human defendant (e.g. a company) is prosecuted it may only be convicted via the guilt of human beings with whom it may be identified’.
In the case of the prosecution of GWT, the Attorney General submitted that Mr Justice Scott Baker was wrong in his ruling and requested the House of Lords Court of Appeal (Criminal Division) to consider two questions:
1. Can a defendant be convicted of manslaughter by gross negligence in the absence of evidence as to that defendant’s state of mind?
2. Can a non-human defendant be convicted of the crime of manslaughter by gross negligence in the absence of evidence establishing the guilt of an identified human individual for the same crime?
It would be necessary for both questions to be answered in the affirmative for the judge in the trial of GWT to be proved wrong. The Attorney General stated that the case made by the prosecution against the defendant was that it had a duty to take reasonable care for the safety of its passengers and it was in grossly negligent breach of this duty. The case of the Attorney General was presented by the same prosecuting counsel as acted in the case in the High Court, Mr Lissack QC. For question 1, Mr Lissack referred to the case of Regina v Adomako, where a defendant could be found guilty of manslaughter in the absence of evidence as to his state of mind. [This was a landmark case which arose from a fatality on 4 January 1987 at the May Day Hospital, London, where a patient underwent surgery for a detached retina. The defendant, Dr John Adomako, was a locum anaesthetist and in the course of an eye operation failed to observe that the tube inserted in the victim’s mouth had become detached from the ventilator so that the anaesthetic circuit was disabled. The mistake was not noticed until the patient suffered a cardiac arrest which subsequently led to his death in July 1987. As a result the anaesthetist was charged with manslaughter. The jury was asked to decide whether the breach of duty should be characterized as gross negligence and therefore a crime.
By a majority verdict the jury convicted the defendant of manslaughter despite no recklessness or indifference (state of mind) being proved, and a six-month suspended sentence was imposed.] To secure a conviction it would be necessary for the jury to determine the extent to which the defendant’s conduct departed significantly from the standard of care which could be expected. Then and only then could the conduct be judged criminal. Only gross breaches would give rise to criminal liability. Counsel for the defendant, GWT, Mr Caplan QC, accepted that the state of mind was not necessary to prove gross negligence, but suggested that it may be relevant if the jury is to decide whether the breach is criminal. He pointed out that in the Adomako case, the presiding judge, Lord Mackay, had said that it was perfectly acceptable to use the word ‘reckless’ in such cases. Mere indifference on its own was not sufficient, but the defendant must be proved to have been indifferent to an obvious risk of injury of death or to have foreseen such a risk but still have been determined to take the risk. The conclusion of the Law Lords was that the answer to question 1 had to be ‘yes’, but allowing for the fact that the state of mind of the defendant might still be relevant to the jury’s deliberations. A defendant who is found to be ‘reckless’ (and to prove this it is necessary also to prove the state of mind) may be found to be grossly negligent to a higher degree.
Question 2 proved to be considerably more difficult and complex to resolve. Defence and prosecution counsel presented many arguments and counter-arguments referring to numerous precedents and relevant court cases. A general point was made by Mr Lissack that the distinction between large and small companies in their susceptibility to prosecution for manslaughter was unjust. He suggested that the requirement to prove an offence of gross negligence manslaughter should be the same in relation to the body corporate as to a human being. The identification principle, whereby the mind and will of senior directors and managers act as the embodiment of the company, had been developed in order to prevent injustice. The principle had been adopted so that the law would not be brought into disrepute. This would happen if any act, misdemeanour or state of mind of an individual employee became attributed to a company which could then be prosecuted when it was in fact blameless. The leading case referred to by Mr Lissack which demonstrated this principle was Tesco Supermarkets Ltd v Nattrass (1972), already discussed in Chapter 2. The Law Lords in effect agreed with Mr Justice Scott Baker at the trial. They ruled that Mr Lissack’s submissions were incorrect and that ‘the “identification principle” remains the only basis in common law for corporate liability for gross negligence manslaughter . . . . It follows that, in our opinion, the answer to question 2 is “No”’. The Attorney General was therefore unable to prove that the judge at the trial of GWT for corporate manslaughter was wrong in his ruling. This was the last such trial of its kind in advance of specific legislation to deal with the offence. The situation has now been changed by the introduction of the UK Government’s new legislation, the Corporate Manslaughter and Corporate Homicide Bill, passed in July 2007 and in force from April 2008.
The subject of legislating specifically for corporate manslaughter together with possible future difficulties is dealt with in Chapter 2.
References
1. Mr Justice Sheen (1987). The Merchant Shipping Act 1984: MV Herald of Free Enterprise, Report of Court No. 8074, London: HMSO.
2. Regina v HM Coroner for East Kent, ex parte Spooner (1989) 88 Cr.App.R.
3. P&O European Ferries (Dover) Ltd (1991) 93 Cr.App Rep. 72.
4. Uff, J. (2000). The Public Inquiry into the Southall Rail Accident, Sudbury: HSE Books.
5. Regina v Great Western Trains Company Ltd [1999] LTL C7800570, Central Criminal Court, Old Bailey, London.
6. Attorney General’s Reference No. 2/1999 under section 36 of the Criminal Justice Act 1972 [2000] EWCA Crim 10 (15 February 2000), Case No. 1999 07474 R2 in the Court of Appeal (Criminal Division), Royal Courts of Justice, London.
Disclaimer
The information provided in this appendix is of a general nature only and is provided ‘without responsibility’ by the writer. The information is not a substitute for legal advice, which should always be taken in any particular case.
Appendix 2: Case studies in corporate accidents
Introduction
This appendix presents a series of case studies describing historical corporate accidents. Each case study has been chosen to provide examples of failures of the main strategies to prevent corporate accidents which are described in Chapters 4–9 in Part II of the book. The conclusion of each of these chapters makes reference to the relevant case studies. It should be noted that several of the accidents described involve failures of more than one preventive strategy. The case studies have been chosen to represent the widest possible spread of industries and of locations in the UK, USA and internationally. The units of measurement quoted here are those which are used in the reference documents. The illustrative value of the case studies is summarized in the table below.
Table: Example of failure of strategy to prevent corporate accidents. Column headings: No.; Case Study; Understanding Risk; Safety Culture; Organizational Learning; Corporate Social Responsibility; Safety Management; Regulation.
A2.1 The loss of the space shuttle Columbia
A2.2 The Davis-Besse nuclear power incident
A2.3 Fire and explosion at the Conoco-Phillips refinery
A2.4 Children’s heart surgery at Bristol Royal Infirmary
A2.5 The Tokai-Mura criticality accident
A2.6 The disposal of the Brent Spar oil storage facility
A2.7 The Tylenol incident
A2.1 The loss of the space shuttle Columbia
It is the view of the Columbia Accident Investigation Board that the Columbia accident is not a random event, but rather a product of the space shuttle Program’s history and current management processes. [1]
Background
The US space shuttle programme followed on from Project Apollo, the dramatic US missions to the moon carried out during the 1960s, and was intended to further scientific research in space and the development of increasingly larger outposts in Earth orbit. To keep the costs of these trips to a minimum it was necessary to develop a fully reusable vehicle. The space shuttle is operated by the US National Aeronautics and Space Administration (NASA) and is rightly described as one of the most complex machines ever built and operated. It comprises the orbiter, space shuttle main engines, external tank and solid rocket boosters, all of which are assembled from more than 2.5 million parts, 230 miles of wire, 1060 valves and 1440 circuit breakers. At launch it weighs approximately 4.5 million pounds and accelerates to an orbital velocity of 17,500 mph in just over eight minutes. Whilst in orbit, the shuttle must protect its crew from the vacuum of space, at the same time enabling astronauts safely to conduct scientific experiments, deploy and service satellites, and dock with the International Space Station. At the end of its mission, the shuttle uses the Earth’s atmosphere as a brake to decelerate from orbital velocity to a hypersonic glide during re-entry and a safe landing at 220 mph, dissipating in the process all the energy it gained on its way into orbit. The space shuttle Columbia was the first manned orbiter of its type. It made the first four orbital test flights of the space shuttle programme. As the first of its kind, Columbia differed from later orbiters in being built to earlier standards and weighing slightly more. Its payload was insufficient to make it suitable for International Space Station missions and it was therefore reserved for science missions and to service the Hubble Space Telescope.
The accident
The launch for mission STS-107 on 16 January 2003, at 10.39 a.m. Eastern Standard Time (EST) was the space shuttle programme’s 113th flight and Columbia’s twenty-eighth flight. The countdown and launch had apparently proceeded without incident except that, unknown to the crew and ground staff, a large piece of hand-crafted insulating foam became detached from an area where the orbiter attaches to the external fuel tank and struck the leading edge of Columbia’s left wing. The flight itself was virtually trouble free and the foam strike had no apparent effect on the planned progress of the sixteen-day mission, which proceeded to meet all its objectives. On 1 February, the deorbit burn to slow Columbia down for re-entry into Earth’s atmosphere was conducted normally and the flight profile throughout the re-entry phase was standard. At 270 seconds after ‘entry interface’ (an arbitrarily determined altitude of 400,000 feet where the orbiter begins to experience the effects of Earth’s atmosphere), the first indications occurred that something was abnormal. The breach in the leading edge of the left wing caused by the foam strike on ascent allowed superheated air (in excess of 5000°F) to penetrate the wing cavity. This breach widened, destroying the insulation protecting the leading edge support structure and leading to melting of the thin aluminium wing spar. Entry of superheated air began to destroy the interior of the left wing. When Columbia was passing over the coast of California in the early hours of 1 February, it was seen from amateur videos that pieces of the orbiter were already being shed. The end occurred over Texas, when the forces imposed upon the structure from the denser levels of the atmosphere caused the already compromised left wing to fail so that the orbiter lost control and fell to earth at a speed of over 10,000 mph. The accident resulted in total loss of the space shuttle and its seven-member crew.
The investigation
A detailed investigation [1] into the accident was carried out by the Columbia Accident Investigation Board (CAIB). The board reported that the space shuttle project had arisen from a series of political compromises resulting in a vehicle which was incapable of meeting the high expectations placed upon it during the intensive efforts of NASA to secure funding. Although technically ambitious, the final design was inherently vulnerable such that NASA’s organizational ability to deliver safe operation was exceeded. As a result, the early promises of reliability and cost efficiency were never achieved. As an example of this, the budget ceiling placed upon the space shuttle project forced the designers to abandon the idea of a fully reusable two-stage vehicle. Instead, as a cost-cutting measure, they were forced to adopt the concept of strap-on booster rockets using solid fuel instead of the inherently more controllable liquid fuel boosters. Once a solid fuel booster rocket is ignited there is no possibility of control or shutoff and combustion must continue until the fuel is exhausted. It was not perhaps by chance that it was the design of the solid fuel booster rockets, through unrelated failures, that led to the loss of both the Challenger (in January 1986) and Columbia orbiters. The opening comments of Chapter 7 of the CAIB report, The Accident’s Organizational Causes, are revealing:
In the Board’s view, NASA’s organizational culture and structure had as much to do with this accident as the External Tank foam. Organizational culture refers to the values, norms, beliefs, and practices that govern how an institution functions. At the most basic level, organizational culture defines the assumptions that employees make as they carry out their work. It is a powerful force that can persist through reorganizations and the reassignment of key personnel . . .
the attitudes and decision-making of Shuttle Program managers and engineers during the events leading up to this accident were clearly overconfident and often bureaucratic in nature. They deferred to layered and cumbersome regulations rather than the fundamentals of safety. The Shuttle Program’s safety culture is straining to hold together the vestiges of a once robust systems safety program.
Failure to learn lessons from the Challenger accident
The loss of the space shuttle Challenger in January 1986, unlike that of Columbia seventeen years later, occurred seventy-three seconds after liftoff in an explosive burn of hydrogen and oxygen which caused complete structural breakup of the vehicle at an altitude of 46,000 feet, costing the lives of all seven astronauts on board. The subsequent investigation by the Rogers Commission [2] revealed that a leakage of superheated gases had occurred owing to the brittle failure of an O-ring seal in the shuttle’s solid rocket motor. The hot gases quickly burned through the pressurized external tank containing the liquid hydrogen fuel supply, causing a massive leakage. It was later established that the O-ring failure had occurred because of the extremely cold weather conditions prevailing at the time of the launch. The Rogers Commission also found that Roger Boisjoly, a structural engineer for Morton Thiokol Inc., the firm that manufactured the rings, had raised this problem with NASA many months earlier. The warnings went unheeded because of a reluctance to accept any delay in the shuttle launch programme. At the commission hearings, Mr Boisjoly described the difficulty of communicating his concerns whilst working in an adversarial environment. Following the accident Mr Boisjoly found himself shunned by colleagues and managers; he subsequently retired from the company and was unable to work in the industry again. Today, in retirement, he is an expert and speaker on workplace ethics. The Rogers Commission also identified basic deficiencies in NASA’s safety systems and as a result issued a number of recommendations intended to remedy these. One of the main concerns was a lack of independent safety oversight at NASA. The commission had identified an undue influence of flight schedule pressures upon safety, with no independent body to take an overview of safety issues.
As a result, the safety failures that contributed to the Challenger accident were likely to recur. It was recommended that: NASA should establish an Office of Safety, Reliability, and Quality Assurance to be headed by an Associate Administrator, reporting directly to the NASA Administrator . . . having direct authority for safety, reliability, and quality assurance throughout the Agency. The office should be assigned the workforce [sic] to ensure adequate oversight of its functions and should be independent of other NASA functional and program responsibilities. However, the body that was later set up to oversee safety did not meet the commission’s intent since it did not have direct authority and as a result safety, reliability and mission assurance activities across the agency did not have centralized funding, and it remained subject to other mission-related programmes for its existence. In 1990, a study by the US General Accounting Office (GAO) reported that ‘NASA did not have an independent and effective safety organization’. In 1996 a Space Flight Operations Contract was set up which was intended to release NASA personnel to focus on research and development by handing the
management of the many thousands of NASA contracts over to a single specialist contractor. The result of this, however, was that experienced NASA engineers were moved to different jobs, NASA increased its dependence on contractors for technical support, it spent much more time on monitoring contracts and management roles in NASA were filled by less experienced engineers. NASA’s in-house engineering and technical capabilities subsequently became eroded and the organization tended to rely more and more upon subcontractors to identify, track and resolve technical issues. At the same time, many safety responsibilities were effectively transferred from the government to the private sector and NASA’s in-house safety expertise was reduced proportionately. In 1999 a report by the Shuttle Independent Assessment Team effectively condemned the quality of NASA’s Safety and Mission Assurance efforts, noting that ‘the program had undergone a massive change in structure’ and was transitioning to ‘a slimmed down, contractor-run operation’. The team noted a number of pertinent comments:
• The shuttle programme was inappropriately ‘using previous success as a justification’ for accepting increased risk.
• The shuttle programme’s ‘ability to manage risk was being eroded by the desire to reduce costs’.
• The size and complexity of the shuttle programme and NASA/contractor relationships ‘demanded better communication practices’.
• NASA’s safety and mission assurance organization was ‘not sufficiently independent’.
• ‘The workforce has received a conflicting message due to the emphasis on achieving cost and staff reductions, and the pressures placed on increasing scheduled flights as a result of the Space Station’.
In addition, it concluded that there were failures of communication between the ‘shop floor’ and supervisors, deficiencies in problem-solving systems, potential conflicts of interest between programme and contractor goals, and a general failure to communicate requirements and changes across organizations. In general, the programme’s organizational culture was deemed ‘too insular’ (Challenger Accident Report [2], p. 181).
Defects in safety culture
NASA is an organization that operates a risky technology with little or no margin for error and therefore requires effective systems to minimize the risk and limit the number of accidents. That this was not the case is made clear by the fact that a large number of known incidents had occurred where foam strikes (pieces of foam insulation being shed from the solid fuel rocket boosters) had impacted the orbiter on previous launches. This had become so common over the course of twenty-two years that it had become normalized as a maintenance problem rather than a safety problem. After the launch of Columbia, launch videos revealed that a foam strike had occurred in a manner never seen before, yet even so, programme
managers were not unduly alarmed. They had become conditioned by success: previous occurrences had not led to any problems. The CAIB report states that ‘shuttle managers did not embrace safety-conscious attitudes. Instead, their attitudes were shaped and reinforced by an organization that, in this instance, was incapable of stepping back and gauging its biases. Bureaucracy and process trumped thoroughness and reason’. The investigation team set itself the question: ‘how could NASA have missed the signals that the foam was sending?’ The answer was that detection of the dangers posed by foam was impeded by ‘blind spots’ in NASA’s safety culture. The complex structure of the shuttle programme hindered effective communication such that its safety culture failed to ask searching questions about risk. This was not limited to the question of foam strikes, but was a systemic flaw which penetrated the whole of the organization. Although NASA had a safety policy which required safety interests to be lodged high in the organization, and given enough authority and seniority to provide a high degree of independence, this did not happen in practice. The necessary degree of independence of safety oversight did not exist and safety was left to compete with the many other daily pressures placed upon programme and project managers. As a result, the signals of potential danger, anomalies and critical information which should, in principle, have surfaced in the hazard identification process, to be tracked with risk assessments supported by engineering analyses, did not do so. This was in spite of numerous recommendations made by outside experts over nearly two decades, including the Rogers Commission following the Challenger accident. In this respect the failure of safety culture embraces a failure of organizational learning, one of the important defences against corporate accidents.
None of this is to say that NASA lacked effective safety practices at shop-floor level; these were quite acceptable. The problem lay with a comprehensive lack of safety integration at higher operational and systems safety programme level.
Conclusion
The CAIB report noted safety culture deficiencies arising in the following areas:
• Information passing upwards through the organization became simplified and abbreviated and any inherent signals such as those arising from foam loss were diluted to the point where problems were perceived as non-problems. The CAIB report states that ‘organizations interested in safety must take steps to guarantee that all relevant information is presented to decision-makers’.
• High-risk operations such as the space shuttle programme must inculcate a healthy fear of failure so that operations must be proved safe rather than inverting the burden of proof and assuming that no information about hazards means that the operation is safe.
• Mission managers must avoid becoming overconfident and conditioned by success so that they assume that because a problem has not arisen so far, it is less likely to arise in the future.
• Managers and team leaders should encourage exhaustive debate on safety concerns that are raised, paying particular regard to ‘dissenting insights’ (employees not holding to conventional wisdom) so that signals are not lost in background noise. The CAIB report uses the telling phrase ‘prove to me that Columbia has not been harmed’ as an example of such an attitude.
• Extra precautions need to be taken to retain control of safety during any process of adding organizational structure and complexity such as occurred during the transition from NASA management of contracts to management by a single management contractor.
The general conclusion stresses the importance of safety integration in complex technical operations managed by equally complex hierarchical management structures. This safety integration must be put in place, coordinated and overseen independently at a high level in the organization. This oversight needs to be able to step back from the ongoing routine of day-to-day operations to make safety judgements which are not biased by other considerations such as economic performance and project or other programme performance criteria.
A2.2 The Davis-Besse nuclear power plant incident
The Nuclear Regulatory Commission (NRC) was unaware of the extent to which various aspects of FirstEnergy’s safety culture had degraded – that is, FirstEnergy’s organization and performance related to ensuring safety at Davis-Besse. This degradation had allowed the incident to occur with no forewarning because NRC’s inspections and performance indicators do not directly assess safety culture (US General Accounting Office Report [3]).
The incident
The Davis-Besse nuclear power plant is a pressurized water reactor (PWR) located on Lake Erie at Oak Harbor, Ohio, USA, and operated by a company called FirstEnergy. In February 2002 the plant owners began a refuelling outage that involved entering the reactor pressure vessel (RPV) head, an 18 foot diameter, 6 inch thick, 80 ton cap that is bolted to the top of the vessel. The RPV houses the reactor core and the control rods and regulates the reactor power output. This vessel also forms part of the primary containment preventing radioactivity entering the secondary containment building and potentially the surrounding environment. During the process of investigating the cracking of a number of the RPV head penetration nozzles, boric acid corrosion products were found. Boric acid is used in nuclear power plants to control the fission rate of uranium. Removal of the deposits revealed severe wastage of the pressure vessel head material and the presence of a pineapple-sized hole. Ultrasonic testing indicated that the remaining thickness of metal was only three-eighths of an inch. In fact, the only remaining metal comprised the stainless steel
cladding on the inside surface, this having been subjected to an internal pressure of 2000 psi. This thin layer of cladding, which had a slight bulge and showed evidence of cracking, was all that had prevented the release of radioactive steam into the containment building. The corrosion had probably taken place over a number of years and was widely considered to be the most serious incident to have occurred in a nuclear power plant since the Three Mile Island disaster of 1979. Prior to this discovery, the US NRC had, during 2001, called upon FirstEnergy to shut down the reactor in order to inspect the penetration nozzles. The NRC is the regulator for the nuclear industry and along with the operators of nuclear power plants shares the responsibility for ensuring that nuclear reactors are operated safely. The reason for the inspection was that six other nuclear power plants built by the same reactor supplier as Davis-Besse had experienced leaking and cracked penetration nozzles and three of those six had experienced extremely serious circumferential cracking of control rod penetration nozzles, potentially leading to a loss-of-coolant accident. FirstEnergy had not carried out an inspection and was therefore directed by NRC in September 2001 to shut down and examine the nozzles by 31 December 2001 at the latest. However, FirstEnergy supplied evidence to NRC that the reactor could continue operating safely and requested that the inspections be delayed until the next planned outage in February 2002 to replace fuel rods. NRC, in a controversial compromise, allowed the Davis-Besse plant to continue in operation based on their safety submissions.
The investigation
When the extensive corrosion was finally discovered an independent ‘lessons-learned’ task force was set up by NRC to ‘conduct an independent evaluation of the NRC staff’s regulatory processes related to assuring reactor vessel head integrity in order to identify and recommend areas of improvement applicable to the NRC and/or the industry’ [4]. In short, the task force was to investigate the potential failures of regulation and operation which had allowed such a critical situation to develop and examine a number of serious issues which had arisen concerning:
• the justification for NRC’s allowing the reactor to continue to operate for another three months until the planned outage
• NRC’s ability to exercise adequate oversight of the safety of the operations
• FirstEnergy’s ability to manage the plant safely.
The task force’s recommendations [5] were extensive and detailed, but included two findings of particular significance to this case study concerning the failure of the regulator to respond adequately to the potentially catastrophic situation at Davis-Besse.
Regulatory failure
First of all, NRC failed to understand the potential seriousness of corrosion deposits on the RPV head which had been noted on this and other similar reactors.
The deposits occurred as a result of small leakages of primary coolant (containing dissolved boric acid) on to the pressure vessel head. Evaporation of coolant at the temperature of the metal left traces of dry boric acid crystals, a layer of which built up with time. It was believed, however, that significant corrosion of the carbon steel head material would not occur during operation since the temperature was of the order of 500°F, but might occur during outages when the metal was cool and boric acid in the liquid phase would be present. However, this would only occur for a small proportion of the time during the life of the reactor. The main regulatory failure was therefore a lack of appreciation by inspectors of the potential effects of boric acid corrosion.
Rule-based criteria
Secondly, NRC rules allowed reactors to continue in operation with leakages of primary coolant so long as that leakage did not exceed 1 gallon per minute (gpm). If the leakage exceeded this limit then it would be necessary for the plant to shut down to effect repairs. Measured rates of leakage at the Davis-Besse plant had varied from time to time from 0.06 gpm to as high as 0.8 gpm, but were generally between 0.15 and 0.25 gpm, so that according to the rules it was unnecessary to order a shutdown. The main point to be made here is that the criterion on which a shutdown would be decided was entirely rule based rather than risk based. This meant that a leak of less than one gallon per minute was not considered to be of safety significance and the rule precluded further investigation. In principle, there was no need to investigate leaks smaller than this and it thus followed that neither was there any need to consider the potential consequences of small leakages. The task force also found that the operators of the plant had failed in their duty to detect and prevent the severe corrosion of the vessel head. The management of the plant failed to ensure that plant safety issues received appropriate attention; in particular, outstanding recurrent primary coolant leaks were not repaired owing to overstretched engineering resources and an unwillingness to limit power generation.
Failure of regulatory independence
One aspect of the failure of regulation was not explicitly recognized by the NRC Lessons Learned Task Force. This was related to the fact that the task force was mainly comprised of NRC employees and its ‘independence’ depended solely on those employees not having been directly involved with the Davis-Besse incident. Although their investigations were painstaking and thorough, their deliberations were hindered by the fact they were thoroughly immersed in the prevailing culture of the regulatory organization and the norms of the relationship with the ‘client’. Thus, their efforts were almost entirely taken up with the technical issues surrounding the problem, which were the direct cause of the corrosion, to the exclusion of the human and organizational issues which were the root cause. Interestingly,
although the task force did not refer at all to safety culture, it did identify a number of problems related to safety culture, such as:
• a mismatch between production and safety shown by FirstEnergy’s efforts to address symptoms (such as regular cleanup of boric acid deposits) rather than causes (finding the source of the leaks during the outages)
• a lack of management involvement in or oversight of work at Davis-Besse that was important for maintaining safety
• a failure by senior FirstEnergy managers to ask questions about vessel head inspections and cleaning activities
• a lack of timely and effective corrective action to prevent indications of leakage from recurring in the reactor coolant system
• long outstanding acceptance of degraded equipment
• inadequate engineering rigour.
Report on the regulator’s performance
In May 2004 the US GAO made a report [3] to the US Congress on nuclear generation identifying that the NRC needed to resolve more aggressively and comprehensively issues related to the Davis-Besse nuclear plant’s shutdown. The report identified that ‘NRC was unaware of the extent to which various aspects of FirstEnergy’s safety culture had degraded – that is, FirstEnergy’s organization and performance related to ensuring safety at Davis-Besse. This degradation had allowed the incident to occur with no forewarning because NRC’s inspections and performance indicators do not directly assess safety culture’. The recognition of this failing by NRC came after the Davis-Besse plant had been shut down and the NRC was able to acknowledge its shortcomings in this respect [6].
Conclusion
The NRC panel which eventually oversaw the efforts of FirstEnergy to restart the Davis-Besse plant required the company first of all to assess its own safety culture before allowing the restart to commence. It was only by March 2004 that NRC considered that the safety culture at FirstEnergy was adequate to allow the plant to start up. FirstEnergy was also required to conduct an independent assessment of its safety culture annually over the course of the next five years. Although NRC recognizes the importance of safety culture to safe operation, it does not attempt to regulate the safety culture of its licensees, nor has it any performance indicators that are routinely applied at installations to assess safety culture. Rather, it believes that if a plant has a poor safety culture then this will emerge during inspection activities by identifying issues including ‘the adequacy of human performance, establishment of a safety conscious work environment and the robustness of the problem identification and resolution program’ [6]. Whether such an approach is adequate remains to be established. Outside the USA, organizations such as the International Atomic Energy Agency and its member nations have developed guidance and procedures for assessing safety
culture at nuclear power plants (see Chapter 4), and today the regulatory authorities of several countries including the UK assess plant safety culture or require plant operators’ own assessments of their safety culture.
A2.3 The fire and explosion at the Conoco-Phillips Humber oil refinery
Effective management of change systems, which consider both plant and process modifications, are essential to prevent major accidents. Particular care is needed to ensure that ‘quick fix’ modifications, during the commissioning and early operation phases of new plant, are covered (HSE Report [7]).
Background
The Humber refinery operated by Conoco-Phillips is located on the south bank of the estuary of the River Humber, in the east of the UK. It is one of a number of refineries and chemical plants which have been built along the estuary. It is situated 1.5 km north-west of the town of Immingham (population 11,000), an industrial seaport, but with a village, South Killingholme (population 1100) located only 500 m from the refinery boundary. Approximately 750 staff are normally employed on the site, together with a number of contractors who undertake maintenance and other work as required. At the time of the incident the operator of the plant was Conoco Ltd, a subsidiary of the US Corporation Conoco Inc., which merged with Phillips Petroleum in 2003. The site is controlled by the Control of Major Accident Hazards (COMAH) Regulations 1999 implementing EU Council Directive 96/82/EC, known as the Seveso II Directive (see Chapter 6). The competent authority with responsibility for regulation is the Health and Safety Executive (HSE) together with the Environment Agency (EA). A refinery has been operated on the site since 1969, but in the meantime has undergone a series of major expansions resulting in a current refining capacity of 225,000 US barrels of crude oil per day. It produces a range of products including liquefied petroleum gas (LPG), gasoline, diesel and aviation fuels. Along with most refineries the main risks arising from such a site are fire and explosion hazards stemming from a loss of containment of highly flammable liquids and gases. In view of the proximity of the site to other refineries and chemical plants, there is always the possibility of a knock-on or domino effect resulting from an accident.
The accident
The accident occurred as a result of a failure of a six-inch-diameter gas pipe at the saturate gas plant (SGP). The plant comprises three distillation columns, the first of which is the de-ethanizer W-413, where hydrocarbon gases methane, ethane and propane are separated from the incoming saturate liquid feed. A simplified process
diagram of the unit is shown in Figure A2.1.
[Figure A2.1: Simplified process diagram of the saturate gas plant.]
The six-inch-diameter pipe which failed carries gas from the de-ethanizer vessel to the overhead condenser and is designated P-4363. Into the top of this pipe was fitted water injection point B as shown on the diagram. This water pipe was not part of the original design of the process, but had been connected to what was originally a small one-inch vent pipe on the top of P-4363, 670 mm upstream of a bend. The water connection had been fitted shortly after commissioning in order to wash away salts or hydrates which were accumulating as solids in the overhead condenser, causing a back pressure to develop. The original designed water injection point A, spraying boiler feed water into pipe P-4347, had been found to be ineffective in removing deposits. However, water injection point A utilized a static mixer to ensure that the water droplets were dispersed into the gas stream. The water injection point B fed straight into the top of the pipe with no dispersion. Water was fed in at this point continuously from the early 1980s up until 1995, from which time it was used intermittently. However, from 2000 onwards the water injection point B was put back into continuous use. The gases that pass through the SGP contain high concentrations of hydrogen sulphide and this causes deposits of black iron sulphide to form on the internal surfaces of carbon steel pipes. This deposit is called a ‘passivation’ layer and protects the pipework from internal corrosion. However, where water is added, as at the injection point B on P-4363, this protective layer is washed away, rendering the pipework susceptible to corrosion by the gases passing through it. In addition, the presence of droplets of liquid water in the gas stream causes erosion of the carbon steel to occur immediately after the injection point. This phenomenon of
corrosion/erosion is well known in the industry and can cause severe thinning of the pipework at points where it is susceptible. A serious fire and explosion occurred at the location of the SGP on 16 April 2001, which was Easter Monday, a day when many of the employees of the company were on holiday. This almost certainly resulted in fewer casualties than would have otherwise occurred. There were in fact only 180 people on site compared with the usual 800, and most of these were in buildings owing to the fact that the explosion occurred during shift changeover time. At 14.20 hours there occurred a catastrophic failure of pipe P-4363, just downstream of the water injection point described above and at the pipe bend where it drops down to the overhead condenser. This pipe contained gases at high pressure, 90 per cent of which comprised a highly flammable mixture of ethane/propane/butane. The escaping gases formed a cloud which ignited after about thirty seconds, causing a massive explosion and fire. Eyewitnesses recalled seeing the leak as a jet of vapour issuing from the pipe and directed downwards prior to its ignition. This was followed by a loud bang and a fireball estimated to be about thirty metres in height. When the emergency teams arrived at the site of the explosion, they observed a continuous yellow jet flame burning fiercely and emerging about two-thirds of the way up the de-ethanizer. About ten to fifteen minutes after the initial explosion there were further large releases of gas resulting in a second fireball. As the flames impinged on other sections of pressurized pipework and equipment these in turn became weakened and failed, adding additional fuel to the fires. It was later estimated that about 180 tonnes of flammable gases and liquids were released in total, together with about half a tonne of the highly toxic gas hydrogen sulphide, which was a component of the process streams.
Eventually, access was gained to the valves isolating the releases of flammable gases by emergency workers in protective suits shielded from the intense radiant heat by a water curtain. Damage to the SGP itself as a result of the blast was severe and much of the equipment in the locality was destroyed. In addition, the blast caused damage to site buildings as far away as 400 m from the seat of the explosion. Offsite damage occurred within about one kilometre of the site, this being concentrated in the village of South Killingholme, mainly with properties sustaining broken windows and cracked ceilings. On site, three people in a building 175 m from the blast were slightly injured and some contractors working on scaffolding were blown over and suffered minor injuries. Fortunately, nobody was killed or seriously injured as a result of the incident and those with injuries all made a full recovery. Debris from the explosion was scattered over a wide area including material thrown on to the A160 dual carriageway which hindered access by emergency services vehicles. The refinery was shut down for some weeks following the explosion.
The investigation
An investigation into the accident was undertaken by the HSE [7], which quickly determined that the immediate cause of the accident was the failure of pipe P-4363 due to the effects of erosion/corrosion on the internal surfaces immediately downstream
of the water injection point B. The wall thickness of the pipe had been reduced over time to a point where it could no longer resist the internal pressure in the pipe. The normal thickness was 7–8 mm and this had been reduced to about 0.3 mm owing to the effects of the corrosion. When the pipe failed a virtually full bore release of the contents of the pipe and associated equipment took place which ignited, leading to the explosion and fire. As described above, the water injection point B was not part of the original design and had been added during commissioning to enhance the removal of solid deposits from the overhead condenser. Water had been connected to a one-inch vent pipe which discharged directly into the gas stream as a free jet without any means of dispersal. As far as could be ascertained, no hazard analysis of this plant modification had ever taken place which might have revealed that there was a high risk of erosion/corrosion occurring over time. In its report on the accident, HSE stated that ‘the modification had the hallmarks of a “quick fix” to solve the symptoms of the immediate problem of fouling’ [7]. The investigation report reveals that a management of change (MoC) procedure was not brought into operation as part of the safety management system at the site until 1999. This new procedure required that any changes made to the original design must be made the subject of a technical change document which was studied by a hazard analysis group to determine whether any additional risks would be introduced. However, it appears that the MoC procedure was not retrospective since it did not capture the earlier modification. The lack of an effective MoC procedure at the time, which would have analysed modifications such as this for hazards and risk, meant the loss of the first line of defence against the sort of failure which tragically occurred in this instance.
Inspection regime
The second line of defence against the failure of P-4363 was the inspection regime which the company had in place to ensure that pipework and equipment continued to be fit for purpose. An inspection of the two overhead condensers X-452/3 in 1994 had revealed heavy corrosion of the heat exchanger shell and tubes and both items of equipment had been replaced as a result. At the same time, an inspection of the water injection point B to P-4363 took place as a result of a previous failure at the water injection point A on P-4347 and a recommendation was made for more frequent inspections at P-4363. As the HSE report notes, ‘the company’s safety management system failed to capture these key details’ [7], and this recommendation was not followed up. One of the main problems which led to insufficient attention being paid to the modification to the original design was that it was never included in the inspection department’s database of plant and equipment. A pipework inspection survey in 1996 using computerized diagrams of the plant to target susceptible pipework did in fact capture the water injection point B and the downstream elbow which subsequently failed, and noted this down for thickness measurement. Unfortunately, in the event, very few thickness measurements were taken during this survey and the injection point and elbow at P-4363 were excluded because of a lack of access due to scaffolding having been removed. The pipework at this point was therefore left to corrode until it reached the point of failure.
One possible reason why the company’s inspection arrangements were not able to capture the water injection modification was that from an early date they had relied upon the offsite expertise of the Corporate Corrosion Group in the USA, with an onsite metallurgist only being used to solve day-to-day problems. Nevertheless, prior to the accident a number of audits of the company’s procedures including their inspection arrangements had taken place and these had identified some deficiencies, which if they had been rectified in time might have revealed the corrosion problem at P-4363. One of the main findings of an audit by the HSE, The Management of Health and Safety with Reference to Control of Corrosion in 1996, was a lack of formal arrangements by the company for auditing its own safety management system, in particular the risk control systems. However, the HSE audit also noted that the company ‘had a well-developed safety management system with the leaders of the organisation showing commitment to securing high standards of health and safety at work’. A later audit of company procedures against applicable regulations was undertaken by an outside body, the United Kingdom Accreditation Service (UKAS) in 2000 and this identified a number of concerns. Following the accident, the HSE considered that ‘between 1996 and 2001, Conoco-Phillips were failing to manage safety to the standards they set themselves’.7 Significantly, in the year 2000, the company decided to implement a new risk-based inspection system and in late 2000 issued a new documented inspection strategy specifically including pipework. This computerized system did in fact manage to capture the potential for failure of line P-4363, because of the water injection point B, but incredibly the risk came out low because it was believed that the water injection line was no longer in use.
In fact, the injection was in continuous use and if this information had been input to the risk-based inspection database, the pipe thinning factor so generated would have indicated a high risk. Under the new system it was planned to inspect the pipe in July 2001, but it failed before such an inspection was possible.
Key lessons Key lessons from the incident were highlighted in the HSE report as follows. First line of defence: management of change Effective management of change systems, which consider both plant and process modifications, are essential to prevent major accidents. Particular care is needed to ensure that ‘quick fix’ modifications, during the commissioning and early operation phases of new plant, are covered. Second line of defence: inspection systems Systematic and thorough arrangements are necessary for the effective management of corrosion on major hazard installations. Such arrangements should ensure that any available information on relevant corrosion degradation mechanisms is identified and acted on. Adequate resources, including relevant expertise, should be applied to ensure that adequate standards are achieved and maintained.
The direct cause of the accident was the failure due to erosion/corrosion of the elbow following the water injection point B at P-4363 due to a modification to the original design which was not effectively captured by the company’s safety management system. The root cause of the accident was deficiencies in the company’s safety management system, in particular the lack of systematic arrangements for effectively managing corrosion at all points on the plant which were susceptible. This was compounded by a lack of effective communication within the safety management system such that sharing of information and data between different subsystems did not take place. This communication should actively involve all employees in order to prevent major accidents such as that which occurred here. On 16 December 2004 at Grimsby Crown Court, Conoco-Phillips pleaded guilty to breaches of sections 2 and 3 of the Health and Safety at Work etc Act 1974 and was ultimately fined £800,000, plus £95,000 for other offences.
A2.4 Children’s heart surgery at the Bristol Royal Infirmary, 1984–1995 We have already referred to that aspect of the culture of the NHS which tends to be defensive and secretive, and to old-style attitudes of paternalism and self-protection. This is not fertile ground for a patient-centred service in which communication, openness and honesty are essential to the restoration and maintenance of trust. We have no doubt that, as an organisation, the NHS and those who work within it must embrace a culture of openness (from The Report of the Public Inquiry,8 Learning from Bristol).
Background The Bristol Royal Infirmary (BRI) and the Bristol Royal Hospital for Sick Children (BRHSC) are teaching hospitals associated with the Medical School at Bristol University looking after the needs of patients in that area of south-west England. During the 1980s the (then) Department of Health and Social Security (DHSS, a centralized UK government body overseeing health services across the UK) set up a series of specialized supraregional services (SRSs), funded centrally, where resources and expertise would be concentrated on particular types of medical procedures. One of these procedures designated as an SRS was paediatric cardiac surgery (PCS), but limited to this type of surgery on newborn and infant children up to one year of age. Over the previous twenty years major surgical advances had been made in the treatment of very small babies suffering from congenital heart disease (CHD), which appears in six to eight children per 1000 on average. The tragic situation of babies born with this condition often requires immediate intervention since they are living at the very edge of survival. By the 1980s treatment usually required open heart surgery involving the stopping of the heart while the circulation to the rest of body is maintained by means of a heart–lung bypass machine. The enormous
difficulty involved in conducting operations of this type can be understood when it is realized that the heart of a small baby undergoing such an operation is about the size of a walnut.
The UK National Health Service The intricacies of this case study require an understanding of the changes which took place in the National Health Service (NHS) from the 1980s onwards. An important milestone in the development of the NHS in this period was the publication of the Griffiths Report9 in 1983. It identified that the NHS had no coherent system of management at local level and led to the introduction of a new general management structure, accountable to the district health authority and supported by line management within hospitals. This replaced the old system of district management teams. It was intended to provide greater overall strategic direction and budgetary control and to devolve responsibility through a clear line management structure. An important element of this change was the need to involve doctors in the day-to-day management process. A model was adopted based on an approach used in the USA involving the appointment of ‘clinical directors’ who were in effect lead consultants representing groups of doctors and acting on their behalf. At the same time the clinical director was expected to exert leadership by initiating change and agreeing doctors’ workloads and resource allocation with the unit general manager as well as acting as the budget holder. The two important posts within a hospital became the clinical director and the general manager; the former looked after the doctors while the latter looked after the rest. The quality of clinical care was not an area into which the general management of a hospital would often venture. One of the problems left by the Griffiths reorganization was that hospitals, although they had a management structure similar to a commercial enterprise, were not constrained by the same economic sanctions. For instance, a hospital would not go bankrupt if it failed to keep abreast of technical advances and adopt modern methods of working. 
In 1989, a government white paper Working for Patients10 aimed to correct this situation by making the NHS more efficient. The changes introduced brought about a purchaser–provider split, creating an internal market through which the money would follow the patient, thus rewarding activity. It also involved the formation of NHS trusts and accordingly, from April 1991, the Bristol hospitals became United Bristol Healthcare NHS Trust (UBHT). From the 1990s onwards attitudes towards the quality of clinical care began to change, with greater expectations arising from patients. Up to this time, quality and performance, as in other professions such as teaching and social services, were the sole concern of the professionals involved. It was sufficient for doctors to meet their own professional standards. This amounted to doing the best for their patients based largely on professional judgement. There were no agreed standards or benchmarks against which doctors’ performance could be appraised. It was also understood that general management did not become involved in the area of clinical performance, this being the realm of the professionals. However, by the mid-1990s, quality assurance had gained increasing importance in the healthcare industry and,
accompanied by quality audit, was seen as a valuable management tool. By 1993 the scope of healthcare audits had expanded to include clinical audit, with management encouraging healthcare professionals to review the care that they were giving to patients. Amongst the medical profession, however, there were, initially at least, reservations about the benefit of audits and much concern about the use to which the results of clinical audits might be put. Consequently, the introduction of audits had a limited influence on doctors’ professional competence; audits tended to be seen as something to which nurses and managers were subjected. As a result, the prevailing attitude of many doctors remained unchanged: professional judgement would define acceptable standards of clinical care.
Children’s mortality rates at UBHT At the UBHT, the general manager of the trust was Dr Roylance and the medical director was Mr James Wisheart (a cardiac surgeon), who was also associate clinical director of cardiac surgery from 1990 to 1992 until this role was taken over by Dr Dhasmana from 1992 to 1995. Information about patients, their operations and the outcome had traditionally been recorded in personal logs kept by doctors describing their own surgical activity. These logs and the compilations of data derived from them pre-dated the information provided to clinical audits which began to take place from the 1990s onwards. At Bristol, Mr Wisheart produced an annual statistical summary up until 1992 and copies of this were supplied to individual consultant cardiac surgeons. Dr Bolsin was a consultant anaesthetist at the BRI. In 1989 he began, on his own account, to gather data about PCS activity at Bristol. He was concerned about the length of operations and the amount of time that children were on bypass compared with his previous experience. The data showed a mortality rate for 1989/90 of 37.5 per cent for PCS on children less than one year old, compared with a national UK figure by this time of 18.8 per cent. He discussed this with other colleagues both within and outside the hospital. In 1990, Dr Bolsin wrote to Dr Roylance (with copies of the letter to the chair of the health authority, Mr McKinley) referring to mortality rates for open heart surgery for children under one at the hospital as being ‘one of the highest in the country’. Following this letter, Dr Bolsin was called to the office of Mr Wisheart and, it is alleged, he was ‘rebuked’ about involving ‘outsiders’ in what should be dealt with as a professional matter (Mr Wisheart denied knowledge of Dr Bolsin’s letter or of this meeting at the inquiry which later followed). 
In 1991, a meeting took place between the cardiac anaesthetists at UBHT and the President of the Association of Anaesthetists at which Dr Bolsin’s concerns were aired. At this meeting Dr Bolsin was advised that he should not be the vehicle for criticism of the PCS and should ‘keep his head down’. Later in 1991, Dr Bolsin prepared the minutes of an audit meeting of cardiologists, surgeons and anaesthetists. It is claimed that in the minutes he referred to a mortality problem as ‘reaching crisis proportions’ compared with national statistics. Dr Bolsin reported that he was informed subsequently that his minutes were not representative of the meeting and would not be circulated. In 1992 for the first time he took his concerns outside the hospital, to Dr Phillip Hammond, who was a trainee general
practitioner and medical columnist for the Daily Express (and later a BBC presenter). He was also a contributor to Private Eye magazine, which published a series of six articles in 1992 criticizing the PCS services at the BRI. (Dr Bolsin claimed at the inquiry that he was not aware that Dr Hammond had written these articles.) The articles brought the problems for the first time to the attention of the public and to concerned parents of children undergoing operations. Parents who contacted the hospital were reassured that in fact the ‘results were good’. Dr Bolsin then approached the Department of Health, ‘who were reluctant to get engaged in what (they) saw as a dispute between doctors’.8 Any decision ‘whether to urge suspension of the [PCS] service’8 which could have been taken at this point by the Department of Health was therefore deferred. However, as a result of the UBHT’s board becoming aware of problems in cardiac surgery, Dr Roylance was asked by the board’s chairman to set up an independent external inquiry into the PCS unit as a matter of urgency. At this time it was claimed by Mr Wisheart that the problems were limited to one particular procedure, the neonatal arterial switch operation, known to be a high-risk procedure. In September 1994 Mr Ashwinikumar Pawade was appointed as consultant paediatric cardiac surgeon, with effect from May 1995. The neonatal switch operation programme had been ended in 1992 after it had resulted in the deaths of five babies; the programme had, in the words of Dr Dhasmana ‘ended in failure’. However, in late 1994 it was agreed by the ‘paediatric cardiac club’8 (the group of cardiac surgeons at BRI) that Dr Dhasmana should resume carrying out the procedure. In late December 1994, a switch operation on eighteen-month-old Joshua Loveday was scheduled to take place even though serious doubts had been expressed whether such an operation would be wise.
At a clinical meeting in early 1995, which included Dr Bolsin, the operation was discussed. It was decided that in spite of the reservations, the decision whether to proceed was a clinical matter and since the case was urgent the operation should go ahead. Dr Bolsin dissented from the decision on what Mr Wisheart allegedly considered were ‘institutional reasons’ with ‘political consequences’. On 12 January 1995 Mr Wisheart informed the Department of Health that the operation had not been successful and Joshua Loveday had died. The Department of Health (aware already of the concerns) advised Dr Roylance that ‘it would be extremely inadvisable to undertake any further neonatal or infant cardiac surgery’. The Department of Health requested that Dr Roylance expedite the proposed internal inquiry.
The independent and General Medical Council inquiries The independent inquiry (led by Professor Marc de Leval, Professor of Cardiothoracic Surgery, Great Ormond Street Hospital, and Dr Stewart Hunter, consultant in paediatric cardiology, Freeman Hospital, Newcastle) identified that there was a problem with the PCS outcomes and that there had been reticence among surgeons to face up to this. It described Mr Wisheart as being one of the ‘high-risk’ surgeons involved. It concluded that complex PCS cases must await the arrival of the new cardiac surgeon with a proven track record at a major centre. Mr Wisheart must cease treating PCS cases except in certain very limited circumstances.
In March 1996, television’s Channel 4 presented a programme in its current affairs series Dispatches about the Bristol heart surgery affair. The concern generated by the programme prompted the General Medical Council (GMC) to open investigations into the events reported from Bristol. In October 1997, the GMC Professional Proceedings Committee began hearings to examine allegations against Drs Roylance, Wisheart and Dhasmana. It was the longest running disciplinary hearing in the GMC’s history, lasting for sixty days, and investigated fifty-three operations at BRI in which twenty-nine patients died and four were left brain injured. At the conclusion of the hearings, Dr Roylance and Dr Wisheart were found guilty of failing to respond to concerns over the standard of heart operations performed on children. In June 1998 Dr Roylance and Dr Wisheart were erased from the medical register and Dr Dhasmana was banned from performing heart surgery on children for three years.
The public inquiry On 18 June Mr Frank Dobson, government Minister for Health, announced in parliament that, following the disciplinary proceedings of the GMC against the three doctors concerned, an independent public inquiry would take place into children’s heart surgery at the BRI. The inquiry was established under section 84 of the National Health Service Act 1977 to investigate the deaths of twenty-nine babies undergoing heart surgery at the BRI in the late 1980s and early 1990s. It was chaired by Professor Ian Kennedy, Professor of Health Law, Ethics and Policy at University College, London. The public inquiry hearings took place between October 1998 and July 2001. Phase 1 of the inquiry focused upon events at Bristol, identifying the problems that needed to be addressed. It took evidence from 577 witnesses including 238 parents, in writing, and received nearly a million pages of documents including the medical records of over 1800 children. Evidence was taken over ninety-six days. Phase 2 focused upon the future in the light of the conclusions of phase 1 and examined specific topics such as what factors influence the performance of the NHS, including the culture of the NHS, its leadership, training, development and regulation of professionals, and empowering the public and patients, as well as children and children’s healthcare services. Written submissions were obtained on each topic and a public seminar was held. Evidence was taken both from people working in the NHS and from those in other industries, particularly those where a workforce of professionals was being managed.
Recommendations The report of the inquiry8 extends to 540 pages and makes many recommendations, including:
• Patients and the public should be more involved in decisions about their treatment and care.
• Child-centred healthcare should be developed, led by a national director for children’s services.
• Unsafe practices in the NHS need to be rooted out, so that it is able to learn from its errors.
• Clinical negligence litigation, which surrounds medical incidents in legal secrecy, should be abolished.
• Appraisal, continuing professional development and revalidation for all healthcare professionals should be introduced to ensure their skills are maintained.
• Consultant contracts should show more accountability to the trust hospital that employs them.
• National standards of care need to be created, both in clinical care and for hospitals.
• Clinical performance should be subject to more openness so that patients have access to information about the relative performance of hospitals, services or consultants.
• Good and failing hospitals should be identified by an independent external monitoring service.
The inquiry was one of the most far-reaching ever to have been undertaken into the NHS, addressing issues such as clinical safety and accountability, professional culture and the rights of patients. Both the GMC hearings and the report of the inquiry had a huge influence on the confidence of the public in the medical profession and on the morale of the profession in the UK. It heralded a major change in the relationship between doctor and patient and led to the GMC committing itself to a process of reform, including its own governance, revalidation of doctors’ competence on a five-yearly basis and ‘fitness to practice’ reforms.
Organizational culture The inquiry revealed the existence of a ‘club culture’8 operating among doctors, with patients not being properly informed about their treatment and a low priority being given to clinical safety and to children’s services compared with adults. The whole culture of the hospital encouraged secrecy about the performance of doctors, information about which was deemed to be the property of the doctor concerned and therefore not available for outside scrutiny or monitoring by the NHS. The inquiry found that the culture in the hospital engendered ‘old-style attitudes of paternalism and self-protection’,8 which were not conducive to patient safety. It found that ‘dissatisfied and damaged patients, frustrated by poor communication, having failed in their search for explanations, defeated by the culture of defensiveness, resort to the media or the law, or both’.8 The usual result of this recourse is to search for a culprit with the subsequent allocation of blame. The report appreciates that a culture of openness is not an easy course to take, but concludes that: For a culture of openness to succeed, those who work in the NHS must be confident that they will be supported by the organisation at all levels. Openness must be valued and rewarded. Otherwise, healthcare professionals
will understandably be reluctant to embrace it. What this means, crucially, is that blame and stigma should not be the response of managers or colleagues. Adopting the words used by Professor Marc de Leval:11 ‘while regretting them, we must all learn ‘‘to treasure mistakes’’, because of what they can teach us for the future. This calls for an extremely mature organisation and, equally, a mature society. It means an abandonment of the easy language of blame, in favour of a commitment to understand and learn . . .. The workforce must feel that they will be safe if they wish to raise and have discussed matters of concern. Managers must put in place mechanisms to facilitate this process’.8
Whistleblowing This case study also raises the controversial question of whistleblowing in an organization, where and when it is justified and how it should be managed. The role of the whistleblower (Dr Bolsin) in this scenario was crucial to the final outcome of the situation at Bristol. In the event it took years of increasingly desperate efforts by Dr Bolsin to draw attention to the unsatisfactory morbidity statistics before any action was taken, a period during which babies continued to die from operations which had not been competently undertaken. Dr Bolsin, as a result of his actions, subsequently found himself, like many other whistleblowers mentioned in this book, ostracized by his profession. Unable to find work in the UK he was eventually forced to emigrate with his family to Australia, where, at the time of writing, Professor Bolsin is director of the Department of Perioperative Medicine, Geelong, Victoria.
Conclusion One of the important outcomes of the inquiry was the formation of the National Patient Safety Agency (NPSA) in July 2001, a few weeks before the Bristol inquiry reported. It was created to coordinate the efforts across the NHS nationally in reporting, and more importantly, in learning from mistakes and problems that affect patient safety. Its website12 claims that ‘as well as making sure errors are reported in the first place, the NPSA is trying to promote an open and fair culture in the NHS, encouraging all healthcare staff to report incidents without undue fear of personal reprimand. It will then collect reports from throughout the country and initiate preventative measures, so that the whole country can learn from each case, and patient safety throughout the NHS can be improved’.12 Other initiatives which arose from the Bristol inquiry included:
• the formation of the Commission for Health Improvement (later known as the Commission for Healthcare Audit and Inspection, CHAI), shortened to the Healthcare Commission, which inspects and monitors NHS performance
• renegotiation of the consultant contract and the introduction of annual appraisal for doctors
• the Health and Social Care Act 2001, containing measures to introduce patient advocacy services to trusts
• the appointment of Professor Aynsley-Green, of Great Ormond Street Children’s Hospital, as the National Director of Children’s Services
• plans for the reform of medical negligence compensation
• the NHS Reform and Health Care Professions Act 2002, providing guidance to primary care trusts and strategic health authorities in introducing new regulatory structures for the healthcare professions and improved protection for the public.
The government’s formal response to the inquiry,13 published in January 2002, unveiled further measures to meet the Bristol recommendations, including plans to publish death rates for individual cardiac surgeons, the precursor of league tables of consultant performance in a wider range of specialties. The government’s response concludes: ‘Bristol was a turning point in the history of the NHS. We are determined that some good can come from the tragedy that took place there’.13
A2.5 The Tokai-Mura criticality accident There was no hardware failure that contributed to this event. Had the system been operated as designed, the criticality accident would not have happened. The Government of Japan initiated a criminal investigation for possible wrongdoing (NRC Review of the Tokai-Mura Criticality Accident14).
Summary The accident occurred at the nuclear fuel processing facility belonging to the Japan Nuclear Fuel Conversion Co. (JCO, a subsidiary of Sumitomo Metal Mining Company Ltd) in Tokai-Mura, Japan (140 km north-east of Tokyo) on 30 September 1999. The accident took place during the gradual addition to a dissolution tank by the plant operators of a quantity of uranium oxide enriched to about 18.8 per cent U-235, a highly fissionable material. The concentration was much greater than the usual 3–5 per cent which is used for commercial light water reactor fuel. Uranium of this high enrichment grade was being produced for the experimental Joyo fast breeder reactor. Because of the high concentration of U-235, a critical mass built up in the tank. This became sufficiently moderated within the unsafe geometry of the vessel to produce a nuclear fission reaction which continued for about twenty hours after the initial neutron pulse. It was the only criticality accident to have occurred which led to measurable radiation exposure to members of the public, although the doses received were well below allowable annual exposures to workers.
Background This accident was the most recent, and one of the most severe, of about sixty criticality incidents which have occurred worldwide since the inception of the nuclear age was marked by the Trinity series of atom bomb tests in the Nevada desert in 1945. The first fatality recorded due to a criticality incident occurred at the Los Alamos Omega Site on
21 August 1945 during the laboratory testing of the fissile core prior to assembly into one of the first two atomic weapons. It involved the accidental creation of a critical assembly comprising a 6.2 kg nickel-plated plutonium sphere and neutron-reflecting tungsten-carbide blocks. A laboratory technician, Harry Daghlian, working alone, had stacked the reflecting blocks around the Pu sphere. While moving a block to take measurements he accidentally dropped it into the assembly, causing a ‘superprompt’ criticality event. He removed the block by hand to bring the chain reaction to a halt, but in so doing received a 510 rem radiation dose,* from which he died twenty-eight days later. It is unlikely that such an experiment would be permitted today and most criticality incidents during processing have tended to involve fissile materials in solution rather than in solid form. Most criticality events do not result in fatalities, of which there have been twenty-one since 1945. It is reported16 that twelve of these accidents occurred during research reactor accidents, and of the twenty-one deaths, seven occurred in the USA, ten in the Soviet Union, two in Japan, and one each in Yugoslavia and Argentina. Most accidents do not, however, result in death. From these data it can be assumed that nine (21 – 12) of the fatalities were due to accidents during processing of fissionable materials during the nuclear fuel cycle, the end product of which is the nuclear fuel rods for atomic power stations. These fatalities include the accident at JCO where two workers died. There may have been more military criticality incidents but, if so, details of these are not known.
Risk assessment From this information, a measure of the risk from criticality accidents to workers in the nuclear processing industry can be estimated. There are about 500 civil nuclear fuel cycle facilities worldwide, including nearly 200 milling facilities which do not handle fissionable materials. Assuming the sixty accidents since 1945 are spread over sixty years amongst the remaining 300 processing facilities, this amounts to about one accident per year or about 0.0033 accidents per facility per year. On this basis a facility might expect to have a criticality accident once every 300 years. Since the number of fatalities known from the Los Alamos report is nine, then the fatal accident frequency
rate is 9/(300 × 60) or 0.0005 per facility year (5 × 10⁻⁴) from this type of accident alone. If the number of workers exposed is on average 100 per facility (some of the facilities are quite small, even down to laboratory size) then the individual worker fatality risk is 5 × 10⁻⁴/100 or 5 × 10⁻⁶ per year from this type of accident. Using HSE limits for annual risk (see Chapter 6) the risk from a criticality event therefore lies above the lower limit of acceptability of 1 × 10⁻⁶ and is therefore in the as low as reasonably practicable (ALARP) region. It is about one half of the risk (1 × 10⁻⁵) which would be considered to be the limit for workers in industry in general. Since this is only one particular hazard that confronts workers in the nuclear fuel cycle industries (i.e. there are many other ordinary industrial hazards, not necessarily radiological in nature) the level of risk is probably significant. Note that the average number of workers exposed has been estimated since these data are not readily available.
* The ‘absorbed dose’ of radiation (on inert materials) is measured in units of gray (Gy) (SI units: 1 Gy = 1 J kg⁻¹) or rads (1 rad = 100 erg g⁻¹ = 100 Gy). Since the biological effects of radiation are not adequately described by the ‘absorbed dose’ (i.e. 1 rad in tissue from neutrons is far more damaging than 1 rad in tissue delivered by gamma rays), a ‘dose equivalent’ is used measured in rem or sieverts (Sv) (1 Sv = 1 J kg⁻¹ = 100 rem) and calculated using a quality factor to account for the effect of different types of radiation. For X-rays, gamma rays and electrons, the quality factor is 1, for slow neutrons it is 3, for fast neutrons 10 and for alpha particles 100. Thus, rem = rad × quality factor. International guidelines specify that the occupational exposure of any worker shall not exceed an effective dose of 20 mSv per year averaged over five consecutive years, or an effective dose of 50 mSv in any single year. The estimated average doses to the relevant critical groups of members of the public (attributable to industrial or other practices) shall not exceed an effective dose of 1 mSv in a year, equivalent to a risk of death or serious hereditary disease of 3.3 × 10⁻⁵ per year.15
Criticality hazards
A criticality hazard is one which is peculiar to nuclear facilities but is extremely important in terms of radiological protection of workers and the public. In a controlled way, a criticality forms the basis of the operation of nuclear fission reactors and in an uncontrolled way is the basis for nuclear weapons. The fission process occurs when a uranium atom (or an atom of other fissionable elements) is split by a neutron impact with the nucleus to form atoms of elements of smaller atomic weight. During the fission process, penetrating gamma radiation is released, highly radioactive materials called fission products are created and two or more neutrons are released from the nucleus. At the same time, energy is produced in the form of heat. The extra neutrons which are released as a result of fission are lost into the surroundings, absorbed by nonfissile material or go on to impact with another fissile nucleus to create a further fission reaction. The latter is the basis of the self-sustaining nuclear chain reaction which can lead to a criticality. If on average each fission reaction produces one neutron which goes on to cause a further fission then the situation is said to be ‘just critical’. In a nuclear reactor the chain reaction is stabilized by the use of control rods inserted into the reactor to absorb excess neutrons and by a moderator which slows down the neutrons to allow fission to take place. The temperature is controlled by absorbing the heat produced into a circulating cooling medium (often water or carbon dioxide gas), which is then used to produce steam in a conventional boiler.
Critical mass
For an uncontrolled fission reaction to occur (a criticality) it is necessary to assemble a critical mass of fissionable material. If the material present is less than this critical mass, then more neutrons will escape than can go on to cause further fissions and the chain reaction will not be initiated. The amount of material needed to form a critical mass depends upon the relative proportions of fissionable elements present (usually uranium or plutonium isotopes) as well as the presence of moderating materials such as water, oil or other hydrogen-containing molecules in the close vicinity. Moderating materials convert fast neutrons into slow neutrons, increasing the chance that fission takes place. Also important for the formation of a critical mass is the shape of the fissionable materials present, in particular the ratio of the surface area to the volume of material. The greater the ratio the more chance that neutrons will escape without causing further fission. Thus, the sphere is the shape most likely to allow a critical mass to form, having the lowest surface area to volume ratio, while a slab, rod or cylinder shape is less likely to form a critical mass. Other factors which can influence whether a critical mass is formed are the presence of other atomic nuclei which can reflect a neutron back into the critical mass, absorption of neutrons by elements such as boron and cadmium which can reduce the chance of fission, and the density of the fissionable material itself. The more tightly packed the atoms then the greater the density and the more likely that fission will be sustained.
Criticality safety
Criticality hazards are likely to occur during the nuclear fuel cycle where fissionable products are prepared either from fresh uranium ore, using various enrichment processes such as centrifuging to increase the ratio of fissionable U-235 to U-238, or during spent nuclear fuel reprocessing. In the latter process, fuel rods which have been removed from nuclear reactors are dissolved in hot nitric acid to form nitrates of fissionable and other elements in solution. A wet process is then used to separate out the highly radioactive fission products from the more valuable uranium and plutonium products. Uranium and plutonium are then separated from each other by solvent extraction, finally being converted to the solid oxide form for long-term storage. The overall objectives of nuclear fuel reprocessing are to reduce significantly the volume of highly radioactive waste (fission products) from a nuclear reactor which needs to be stored, and to recover uranium and plutonium, which are potentially recyclable as nuclear fuel. Whether the fissionable material is in solid form or in solution during processing, a criticality hazard exists necessitating the avoidance of accumulating a critical mass of material in one place. Avoidance of criticality of fissile materials in solution is usually assured by one or other of two approaches:
• By limiting the concentration of the fissile component to less than required to form a critical mass. When this is achieved, the process is described as being ‘safe by concentration’.
• By careful design of equipment geometry to ensure that even if a high concentration of fissile material occurs, any chance of criticality is prevented on the basis of the limiting shape of the material (see above). When this is achieved, the process is described as being ‘safe by shape’.
Clearly, the second approach to criticality safety is superior to the first. The first approach, ‘safe by concentration’, depends upon the avoidance of human error during the processing of the material. The second approach, ‘safe by shape’, ensures that criticality is avoided even if the concentration of fissile material is allowed to rise to what would be a critical level in less favourable geometry equipment. Safety is assured by means of the original design of the equipment. Occasionally, a combination of both approaches is used and although equipment is designed to be geometrically favourable for a range of concentrations of fissile material, it does not necessarily protect against very high concentrations.
‘Prompt’ critical
There are many ways in which a fissionable concentration of material can occur in unfavourable geometry equipment. One of these is by the unintentional or erroneous addition of a high concentration of fissionable material to the equipment, such as occurred at Tokai-Mura, Japan, on 30 September 1999. Other, more common mechanisms are as a result of the unintentional transfer of fissionable materials from the aqueous phase (low concentration) to the solvent phase (higher concentration) in unfavourable geometry equipment designed for the aqueous phase. Such an accident occurred at the Windscale (now Sellafield) works of British Nuclear Fuels Ltd (BNFL) in August 1970.17 A solvent layer was allowed to build up in a head tank only designed to contain low concentrations of plutonium in the aqueous phase. The equipment was ‘safe by concentration’, but as the solvent layer built up on top of the aqueous contents of the tank a gradual extraction of plutonium from the aqueous into the solvent phase occurred. Eventually, a critical mass of plutonium was accumulated (involving as much as 2.5 kg of plutonium) and a criticality excursion occurred. This caused alarm systems in the building to be activated, initiating a full evacuation. In this case there were no injuries or fatalities and there was minimal radioactive contamination outside the active plant containment. When such an event occurs, the material concerned is often referred to as going ‘prompt critical’, since the nuclear chain reaction takes place over a period of milliseconds. Whatever the reason for the occurrence of a criticality, the sudden pulse of neutrons released from the critical mass causes a brief blue flash to be observed owing to the ionization of the surrounding atmosphere.
In addition, the release of considerable amounts of energy usually causes the criticality to be brought to a sudden halt as a result of the change of shape of the critical mass, this often being dispersed or blown apart into the local environment. Equipment in the region of the criticality is bombarded with high-energy neutrons forming small quantities of fission products, which can result in the equipment and building becoming highly radioactive and posing a long-term radiological hazard upon entry.
The accident at Tokai-Mura
The Tokai-Mura criticality incident is described in detail in the report of the Criticality Accident Investigation Committee, the Nuclear Safety Commission (NSC) of Japan, which is most readily available in translation as an attachment to a US NRC document.18 The event was unusual in that the nuclear fission reaction continued for a further twenty hours after the initial neutron pulse had occurred. In addition, this was the only known criticality incident which posed a hazard to the public, who had to be evacuated from the vicinity. The JCO plant was normally used for converting enriched uranium hexafluoride to uranium dioxide to provide the fuel for light water reactors, but it also occasionally produced purified uranyl nitrate solution for the JOYO experimental fast breeder reactor. Uranyl nitrate for the JOYO plant was being prepared on the day of the accident. It is noteworthy that this was the first time the preparation had been carried out for a period of three years and that only one of the operators (the supervisor) had any experience of undertaking the operation previously. The approved method of preparation was to dissolve a limited amount of uranium oxide powder together with nitric acid in a batch dissolution column, followed by its transfer as pure uranyl nitrate solution to a buffer column for mixing. The resulting solution was then and only then supposed to be transferred to a precipitation vessel surrounded by a water cooling jacket to remove excess heat generated by the exothermic chemical reaction. The dissolution column itself was designed to be ‘safe by shape’ and acted as a buffer to control the amount of material transferred to the precipitation vessel. For criticality safety it was important to ensure that each batch contained less than 2.4 kg of uranium, since the precipitation vessel was not safe by shape. However, the original operating procedure as approved by the regulatory body had been amended a number of times over a period of years. On the day of the accident three operators were working in the plant to a procedure which had changed considerably from the original approved procedure for the dissolution process. This involved dissolving the uranium oxide powder with nitric acid in batches in a ‘bucket’, the contents of which were then added directly to a much larger and geometrically unsafe storage tank. The reason apparently was to produce a more uniform (homogenized) product. On this occasion the solution was added in batches, not to this storage tank, but to the even larger unfavourable geometry precipitation vessel surrounded by a water jacket. Water, as described above, is an effective moderator used in nuclear plant to promote fission by slowing down the neutrons.
Four bucketfuls of solution had been added to the precipitation vessel on the previous day. Three bucketfuls of solution were then added on the day of the accident, by which time it is estimated that a mass of 16.8 kg of uranium with an enrichment level of 18.8 per cent had accumulated in the vessel (bearing in mind that the prescribed limiting amount was 2.4 kg). On the final addition a critical mass was achieved which, owing to the surrounding water jacket, caused a criticality excursion to occur in the vessel. The three workers carrying out the operation received high doses of gamma and neutron radiation, of 1–4.5, 6–10 and 16–20 Gy equivalent18 by each worker, respectively, where 10 Gy is equivalent to 1000 rads. This is far in excess of the international limits on radiation exposure. The 50 per cent lethality level of exposure is estimated to lie between 400 and 500 rads. This level of exposure would occur at a distance of about 10 feet from a solution criticality of approximately 10¹⁷ fissions. The two workers exposed to the highest dose (one who had been pouring the solution and one who held the funnel) suffered severe radiation sickness and died about three months and seven months later, respectively. There was no explosion, although fission products were progressively released inside the building. The criticality phase was therefore divided into two periods: an initial energetic criticality event stage with a rapid release of neutrons and gamma radiation followed by a secondary stage where a quasi-steady criticality state was sustained relatively slowly over about twenty hours. The total number of nuclear fissions was estimated18 to have been 2.5 × 10¹⁸. As the solution inside the precipitation tank boiled vigorously owing to the heat produced, this caused the formation of voids and a temporary cessation of the criticality state. Then, as the liquid cooled, the voids disappeared and the criticality commenced again, and so on. The nuclear chain reaction was only brought to an end when the cooling water which jacketed the precipitation vessel was drained away. This water had acted as a neutron reflector sustaining the nuclear chain reaction. The tank was finally brought to a subcritical condition through the addition of a boric acid solution, which acted as a neutron absorber. The shutdown operations exposed twenty-seven workers to some radioactivity, with a maximum dose of 48 mSv received.19 In the meantime 150 residents within a 350 m radius of the factory were evacuated, and some 310,000 people living within 10 km of the site were advised to stay indoors for about eighteen hours as a precautionary measure.19 It is estimated that about 200 members of the public living outside the facility were exposed to doses varying from 24 mSv (one person) to less than 5 mSv (180 people), the remainder receiving doses of 5–15 mSv.14 The highest neutron dose rate measured at the site boundary was about 4 mSv/hour during the second continuous stage of the criticality.19 The main hazard remaining after the criticality state was ended was gamma radiation resulting from the fission products generated in the precipitation vessel.
Causes of the accident
The Report of the Japanese NSC18 identified the direct cause of the accident to be workers adding a quantity of 16.6 kg of enriched uranium into the precipitation tank (which exceeded the 2.4 kg critical mass limit) by following an inappropriate procedure. The report also identified a number of features which were the underlying or root causes of the accident. The US NRC, which made a visit to the site and carried out a review of the incident, concurred with the views of the Japanese investigators. The investigation by the government of Japan identified that there were three general root causes of the accident, these being a failure of the safety culture at the company and failures of safety management and regulatory oversight by the Japanese NSC.
1. Safety culture: the culture of the company had been influenced by international price competition, which had adversely affected the business of the company. This in turn had led to a set of measures being implemented to improve management efficiency and involving personnel reductions. The Japanese report18 identified ‘a decline of the ethical awareness of employees as the result of the company’s pursuit of efficiency in management’. The NRC report identified the deviations in operating procedures which had taken place over a number of years leading to the defective procedure used on the day of the accident. These procedural changes had not been submitted by the management of the company to the regulator as required because ‘the company knew that the regulator would not approve’ them.19 The new procedure was introduced to improve production efficiency. Although manufacturing and quality assurance management were aware of the changes, they had not been communicated to safety management. This whole attitude signifies a defective safety culture. The NRC report also notes that ‘there was no procedure verification and validation process nor were there operator training and qualification checks required by management before authorizing restart of a process that had not been operated for about 3 years’.14 The attitude of the company could also have been influenced by the fact that batch operation to produce uranyl nitrate ‘involved the small-scale manufacture of a specialty product on an infrequent basis’.14
2. Safety management: worker training and qualification for the tasks to be carried out lacked the fundamental knowledge of the potential consequences of actions which could result in a criticality. It is not necessarily sufficient to rely totally on operators carrying out a procedure to the letter to ensure the required level of safety. Violations of procedures will always take place and it is a management responsibility to ensure that these violations are quickly identified and corrected. In this case management was complicit in allowing operators ‘to deviate from approved procedures to improve production efficiency’.14 The NRC report goes on to state that ‘had the operators understood the difference between the safety limits for the 3–5 percent enriched uranium that they usually handled, and the 18.8 percent enriched material involved with this process they likely would not have taken the shortcuts that resulted in the criticality. The people most vulnerable to the consequences of a failure to implement significant safety controls must be provided with the appropriate safety information’.14
3. Regulation: there was inadequate regulatory oversight by the NSC and a failure to maintain an adequate safety margin.
An earlier licensing review had concluded that there was ‘no possibility of criticality accident occurrence due to malfunction and other failures’.14 As a result of this no criticality alarms had been installed and ‘the facility was not included in the National Plan for the Prevention of Nuclear Disasters’.14 This complicated the response to the accident since there was confusion whether a criticality had occurred. This could have placed emergency workers in danger of being exposed to neutron radiation. In addition, the NRC report states that ‘the regulator had not conducted any inspections since 1992, when resources were redirected toward other priorities. No routine or periodic inspections were performed following start-up of the facility. As a consequence, the regulator had no established mechanism to monitor the facility’s performance or to provide a timely warning of impending performance problems or developing adverse performance trends’.14 The Japanese report18 also considered the corporate social responsibility and ethical awareness of business operators in the nuclear industry. The owners of JCO, Sumitomo Metal Mining Company, were asked to reflect on their own role as parent company. In particular, parent companies must be aware of the dangers of passing on risks to their subsidiaries, especially in times when economic pressures are mounting and there is a temptation to cut corners, with a negative impact on safety. The remoteness of parent companies from the actual day-to-day operations of subsidiaries accentuates this danger: ‘business operators are required to set up employee education and training systems to raise the safety consciousness of all personnel, create a risk management structure based on action guidelines and establish corporate governance’.18
As a result of the accident, the Japanese nuclear regulator revoked JCO’s operating licence. In October 2000, police in Japan arrested six officials from the JCO plant in Tokai-Mura. They were charged with ‘professional negligence’ in connection with the criticality accident. One of those arrested was Yutaka Yokokawa, the supervisor who was present at the accident and was himself hospitalized for three months because of radiation sickness. All the accused are reported to have admitted to the allegations of negligence and could face fines and a prison sentence of up to five years. JCO’s president, Hiroharu Kitani, was not apparently arrested, but the company itself may yet face trial. So far, JCO and its parent company, Sumitomo Metal Mining Co., have reportedly paid out ¥12.66 billion in compensation to local residents and businesses, including ¥50 000 to anyone living within 350 m of the accident site, and ¥30 000 to each person who was forced to evacuate if they agreed to renounce future claims.
A2.6 The disposal of the Brent Spar oil storage facility
Background
In 1995 the Brent Spar oil storage facility in the North Sea, operated by Shell UK, became the centre of a widely publicized international controversy.20 It was important because it represented a defining moment in the history of corporate social responsibility. It demonstrated how the impact of public and customer consent could influence corporate activities when these became publicized, and how the financial fortunes of the company were highly dependent on the outcome. The Brent Spar floating oil storage facility was built in 1976 and spent most of its life anchored a short distance away from the Brent E oil production platform near the Orkney Islands, off the coast of Scotland in the North Sea. The facility was jointly owned by the Shell and Esso oil companies, but it was operated by Shell UK, which had the responsibility to decommission the structure when its useful life was finished. The dimensions of the Brent Spar facility were impressive, although this would not be obvious to an observer since, like an iceberg, most of the structure was submerged. It was 147 m high and 29 m in diameter, with a displacement of 66,000 tons, as large as a passenger liner, having a storage capacity of 300,000 barrels of crude oil. Because of its size, manoeuvring such a structure in the restricted waters around the Orkney Islands was extremely difficult. The eventual construction of a pipeline from the Brent oilfield to the terminal at Sullom Voe in the Shetland Islands effectively made Brent Spar redundant as an oil storage facility from 1991 and a decision was made by Shell to decommission it. There were two main options for decommissioning:
• Onshore dismantling: this required the facility to be towed to a deep-water port where the tanks would be decontaminated and made safe so that the platform could be dismantled and the construction materials recovered for scrap or reuse. The cost of this option was estimated to be in the region of £40 million. The main risks of this option were to the health and safety of the workforce involved in decommissioning due to the usual mechanical hazards found in the engineering and salvage industry, as well as potential hazards due to exposure to contaminants remaining in the facility.
• Deep-sea disposal: this option would require the facility to be towed to the deep water of the North Atlantic beyond the continental shelf, where explosives would be used to breach the integrity of the containment, allowing it to sink to the seabed. The main risks of this option were the local environmental impact of the release of oil, sludge and other contaminants remaining in the facility. Two outcomes were possible. If the effect of the explosives was to cause the facility to disintegrate as it fell to the sea-bed then the contamination would be immediate and more widespread than if it descended to the sea-bed in one piece. In the latter case the contamination would be released over a longer period. The cost of this option was estimated to be between £17 million and £20 million. Several sites for disposal were considered by Shell.
Considered purely on cost grounds, the second option was obviously the most economic. Prior to implementing this option, Shell was required to carry out an environmental impact assessment and they commissioned a study of the three main sites proposed for disposal. In each case this involved remote operated vehicle surveys of the sea-bed topography, sediment analysis and a survey of sea-bed organisms and wildlife. The conclusion was reached that the 2000 m deep North Feni Ridge site in the North Atlantic was the most suitable site, on the basis that it included a narrow channel, whereas the others were located on a slope. An application was therefore made to the British Government for a licence for sea-bed disposal of the facility. This application was approved in December 1994.
The protests
Almost immediately, the campaigning group Greenpeace began a high-profile protest against the decision by the UK Government to allow the deep-sea disposal of the Brent Spar facility to proceed as proposed by Shell UK. The objections rested on the basis that at the time of the decision no full or proper inventory had been made of the residual contaminants remaining in the tanks and therefore the full impact on the sea-bed environment and ecosystems of the disposal could not be properly ascertained. Furthermore, it was held that this decision created a precedent for the dumping of other structures in the future without full investigation of the consequences. Those opposing the plan cited the experience already gained from decommissioning and decontamination of other redundant offshore structures that had already taken place on shore. It had the advantage of being a known option, and was considered the better of the two alternatives, being the most feasible and well understood. In addition, Greenpeace was not convinced that the health, safety and environmental arguments put forward in the case for deep-sea disposal were the real reason for choosing this option, but that the main consideration by Shell UK had been the lower cost of the option when compared with onshore dismantling. Greenpeace released an inventory of the contents of the facility based partly on Shell UK’s own assessment, claiming that the facility still contained over 5000 tonnes of crude oil and sludge contaminated by radioactive residues. Later, following an independent survey, Greenpeace admitted that it had overestimated the amount of crude oil, which was in fact nearer to the 100 tonnes of sludge estimated by Shell, of which 90 per cent was sand and only 10 per cent oil residues. Greenpeace later apologized to Shell for overestimating the quantities of crude oil remaining in the facility. Shell maintained that the ‘radioactive’ residues were in fact attributable to natural sources arising from accumulations of drill cuttings as a result of sea-bed drilling operations. The director of the Natural Environment Research Council (NERC) reporting to a parliamentary briefing in July 1995 estimated that the platform in fact contained 68,000 tonnes of concrete ballast chemically similar to rust, 100 tonnes of bituminous sludge, 30 tonnes of low-level radioactive scale, and small amounts of heavy metals and polychlorinated biphenyls. It was assessed by NERC that these contaminants would pose a negligible risk to the environment and marine life. On 11 June 1995, Shell began towing the Brent Spar facility to its disposal site in the North Atlantic. The Greenpeace vessel Altair shadowed the facility as it was towed north of the Shetland Islands and in the course of this Brent Spar was boarded by environmental activists transferred by helicopter from the accompanying Solo, a Greenpeace tug with a helipad. As a result of this publicity, the disposal plan for Brent Spar became widely known and gained the attention of the public and consumers of Shell products, particularly in northern Europe.
The controversy took on a political dimension when in June at the Group of Seven economic summit in Halifax, Nova Scotia, German Chancellor Helmut Kohl broached his concerns with the British Prime Minister John Major and the subject was discussed at intergovernmental ministerial level. Although the British Government continued to support Shell in their deep-sea disposal venture, the company very wisely decided to revert to the alternative option of onshore dismantling. The Brent Spar was therefore towed to Erfjord fiord, a deep inlet on the west coast of Norway. An announcement was made by Shell in 1998 that following decontamination of the facility, much of the main steel structure would be utilized in the construction of new harbour facilities near Stavanger in Norway. The contaminants which were removed were eventually subject to onshore disposal and the relative risks of this, including hazards to those involved in decommissioning operations, compared with the deep-sea disposal option, remain a matter of conjecture.
Consumer boycott
In Germany, Denmark, the Netherlands, Switzerland and the UK, consumers began to boycott Shell products when the protests were at their height. There were violent demonstrations in Frankfurt and Hamburg, and Shell employees were threatened. It has been estimated that the sales of Shell products fell by 15–20 per cent as a result of the negative publicity. The consumer boycott of Shell products by the public clearly shook the company, and it is estimated that the costs to Shell in terms of lost revenue were of the order of £100 million. Arguments continue about the relative health, safety and environmental benefits and detriments of the different forms of disposal of redundant oil facilities. Clearly, there were mistakes and misunderstandings on all sides of the argument both during and after the incident, by the company, the protestors and the UK Government. The main point to be made in this case study is the powerful influence of media, public and consumer concern on the ethical behaviour of large companies when their behaviour is even perceived to be unethical. From this point on, the facts of the situation become less important than the perception of the harm being created. Companies therefore need to take account not only of the facts of a controversial situation, but also of the public perception of the consequences of their behaviour if they wish to maintain their reputation and competitive position. Lessons were learned by many big companies following the Brent Spar incident in 1995, which became a watershed in terms of the way public relations were conducted and had a major influence on corporate social responsibility.
Technical conclusions
Following the Brent Spar incident the decommissioning of offshore oil and gas installations and pipelines for the UK North Sea area was brought under the control of the Petroleum Act 1998. In August the UK Department of Trade and Industry (DTI) published a set of Guidance Notes.21 For each installation to be decommissioned the owner is required to prepare a detailed programme describing the measures to be taken and the methodology for the handling and removal of radioactive and other materials, removal of debris from the sea-bed and subsequent environmental monitoring of the area. This included best practice in the handling of drill cuttings (rock fragments potentially contaminated with lubricant mud and low levels of radioactivity), which often accumulate around the base of installations. The Commission for the Protection of the Marine Environment of the North-East Atlantic (OSPAR Commission) was set up by the 1992 OSPAR Convention and is managed by representatives of the governments of fifteen Contracting Parties and the European Commission, representing the European Community. Its principal aim is to protect the environment of the north-east Atlantic. It deals with a wide range of maritime issues as well as concerns arising from the operation and decommissioning of North Sea oil and gas platforms. In 2003, OSPAR affirmed that the disposal of offshore oil and gas installations must be governed by the ‘precautionary principle’, taking account of the potential impact on the environment and recognizing that reuse, recycling or final disposal on land will generally be the preferred option.
In February 2003, a major oil and gas industry association, the International Association of Oil and Gas Producers (OGP), published a report [22] comprising a state-of-the-art review of the technical challenges and other assessment issues considered in order to identify the best disposal option for disused offshore concrete gravity substructures (similar to Brent Spar) within the OSPAR maritime area.
The report notes that for gravity-based concrete structures ‘the dumping, and the leaving wholly or partly in place, of disused offshore installations within the maritime area is prohibited’ [22], but adds that ‘. . . if the competent authority of the Contracting Party concerned is satisfied that an assessment . . . shows that there are significant reasons why an alternative disposal . . . is preferable to reuse or recycling or final disposal on land, it may issue a permit for . . . a concrete installation . . . to be dumped or left wholly or partly in place’ [22]. However, the part of the concrete platform for such alternative disposal options would only be the concrete substructure (the load-bearing structure supporting the topside facilities). No possibility exists for such disposal of the upper works. The initial method proposed for disposal of the Brent Spar facility is therefore now completely prohibited, but the question of disposal is still extremely relevant since there are twenty-seven such concrete platforms remaining within the maritime area of the OSPAR Convention. Many of these will reach the end of their useful life within the next few decades. This case study demonstrates not only how the ethical behaviour of one particular company, Shell UK, was influenced by consumer and public opinion, but also how a whole industry and the way it conducts its business can be irreversibly affected for the foreseeable future.
A2.7 The Tylenol incident, Chicago, Illinois, USA, 1982
The incident
The first in a series of mysterious deaths in the Chicago area of Illinois, USA, occurred on 29 September 1982 when a twelve-year-old schoolgirl was taken to hospital, seriously ill after collapsing at home. She was later pronounced dead and doctors initially diagnosed that she had died from a stroke. On the same day a twenty-seven-year-old postal worker was admitted to the Northwest Community Hospital in Chicago with laboured breathing and dangerously low blood pressure. After attempts at resuscitation he died in the emergency room, it was believed as a result of a massive heart attack. On the evening of that day two of the family members of the dead postal worker, who had gathered at his home, were also admitted to hospital where they later died. Doctors at the hospital, suspicious at the occurrence of three deaths from within the same family, became concerned that the fatalities might not be from natural causes. After consulting experts at the Rocky Mountain Poison Centre, the possibility was raised that they might have died from cyanide poisoning. Following laboratory testing of blood samples, cyanide was confirmed to be the cause of death of all four deceased, although at this time the source of the cyanide had not been ascertained.
Very soon after the blood tests had confirmed cyanide poisoning, it was learned that the twelve-year-old girl who died had taken a Tylenol capsule immediately before she collapsed. Tylenol was a common and popular analgesic manufactured by McNeil Consumer & Specialty Pharmaceuticals, a subsidiary of the international health products manufacturer Johnson and Johnson. It was soon discovered that the three family members had also ingested Tylenol capsules before becoming incapacitated. A bottle of Tylenol from the family home was removed for testing by the chief toxicologist of Cook County, Illinois, who discovered that the contents were contaminated with approximately 65 mg of potassium cyanide. This was estimated to be at least 10,000 times the average fatal dose. The manufacturer of the Tylenol capsules was immediately informed and steps were taken to withdraw the product from sale by means of a massive recall from retailers, wholesalers and hospitals. The recall could not, however, be completed before three more deaths occurred in the Chicago area from ingesting cyanide-contaminated Tylenol tablets, making a total of seven fatalities in all.
A few days later, other contaminated Tylenol capsules were discovered by police in a batch of bottles found in a drugstore in the Chicago area. It was later confirmed that similar poisoned capsules had been placed in six drug stores, one bottle having been tampered with in each store. It appeared that random placement had been one of the objectives of the perpetrator, whose identity remained unknown. National news reporting on the tragedy, combined with loudspeaker addresses by the police through the Chicago suburbs, managed to induce widespread public panic. Hospitals, particularly in the Chicago area, were inundated with calls from members of the public who thought they might have been poisoned and many patients were admitted with suspected symptoms. However, no further deaths occurred, and the mass recall of the product was entirely successful in this respect.
The response
The manufacturer of the products immediately carried out investigations to determine whether the cyanide had been introduced during the manufacturing process at the factory. It was quickly determined that the contamination had occurred after the product had been bottled and distributed. Investigations by the FBI, Food and Drug Administration (FDA) and law enforcement agencies soon revealed that a person or persons unknown had systematically removed bottles from the shelves of drugstores, filled a number of capsules with cyanide, and replaced the bottles so that they would be sold to the public. In the following months, two people came under suspicion and were arrested. One of these had submitted a $1 million ransom demand to Johnson and Johnson to prevent further poisoning incidents. However, to this day, nobody has ever been brought to trial and convicted of contaminating the Tylenol capsules.
For Johnson and Johnson, the whole tragic episode proved to be a major crisis, but one which was not of their own making. The way they dealt with the crisis, however, was a landmark in terms of corporate response and set a benchmark for crisis management in the future. Many companies presented with similar crises in the past have reacted in a ‘knee-jerk’ fashion with an almost automatic denial that anything has gone wrong, the immediate focus of attention being directed towards limiting the financial and reputational damage. History has shown that this sort of response is counter-productive since in the end ‘truth will out’ and an admission of responsibility will need to be made. Any delay is likely to lead to additional loss of reputation and financial damage. Rather than considering the immediate financial implications, Johnson and Johnson responded according to its declared ethical policy, set out in the Johnson and Johnson Credo, which defined the primary focus of the company to be the welfare of its customers:
We believe our first responsibility is to doctors, nurses and patients, to mothers and fathers and all others who use our products and services. [23]
The recall of more than 31 million bottles of Tylenol cost the company more than $100 million, the company stock fell more than seven points in value and their analgesic product share of the market fell from 35 per cent to 8 per cent within a very short time. However, Johnson and Johnson, by acting rapidly and responsibly, was able to demonstrate its commitment to customer safety. As a result, their good reputation as a pharmaceutical supplier was maintained, thus allowing a more rapid financial recovery to take place. Within a few months the company had the Tylenol product back on the shelves in a unique tamper-proof and tamper-evident packaging in caplet form. Various sales incentives were offered, including free replacements of caplets for capsules and special coupons to try and build up the customer base. By December 1982, sales of Tylenol had recovered to 24 per cent of the market, nearly all being in caplet form [24]. There was a later, probably copycat, incident of poisoning in New York four years later, which fortunately turned out to be an isolated occurrence.
References
1. Columbia Accident Investigation Board (August 2003). Report, Vol. 1, http://caib.nasa.gov/news/report/pdf/vol1/full/caib_report_volume1.pdf
2. The Rogers Commission (June 1986). Report of the Presidential Commission on the Space Shuttle Challenger Accident, http://science.ksc.nasa.gov/shuttle/missions/51-l/docs/rogers-commission/table-of-contents.html
3. US General Accounting Office (2004). NRC Needs to More Aggressively and Comprehensively Resolve Issues Related to the Davis-Besse Nuclear Power Plant’s Shutdown, Highlights of GAO-04-415, A Report to Congressional Requesters, http://www.gao.gov/new.items/d04415.pdf
4. US Nuclear Regulatory Commission (2002). NRC Task Force to Assess Lessons Learned from Davis-Besse Reactor Vessel Head Degradation, http://www.nrc.gov/reading-rm/doc-collections/news/2002/02-060.html
5. US Nuclear Regulatory Commission (2002). Davis-Besse Reactor Vessel Head Degradation Lessons-Learned Task Force Report, http://www.nrc.gov/reactors/operating/ops-experience/vessel-head-degradation/lessons-learned/lessons-learned-files/lltf-rpt-ml022760172.pdf
6. Meserve, R.A., Chairman, US Nuclear Regulatory Commission (2002). Safety Culture: An NRC Perspective, 2002 INPO CEO Conference, Atlanta, GA, 8 November 2002, http://www.nrc.gov/reading-rm/doc-collections/commission/speeches/2002/s-02-033.html
7. Health and Safety Executive (2001). Public Report of the Fire and Explosion at the Conoco-Phillips Humber Refinery on 16 April 2001, Sudbury: HSE Books, http://www.hse.gov.uk/comah/conocophillips.pdf
8. Report of the Public Inquiry into Children’s Heart Surgery at the Bristol Royal Infirmary 1984–1995, Learning from Bristol, http://www.bristol-inquiry.org.uk/
9. Griffiths Report, NHS Management Inquiry Report (1983). London: DHSS.
10. Department of Health (1989). Working for Patients, Cm 555, London: HMSO.
11. de Leval, M. (1996). The Mannheimer Lecture, Gothenburg.
12. National Patient Safety Agency, http://www.npsa.nhs.uk/
13. Learning from Bristol: The Government’s Formal Response to the Report of the Public Inquiry into Children’s Heart Surgery at the Bristol Royal Infirmary 1984, www.hcsu.org.uk/index.php?option=com_docman&task=doc_download&gid=508
14. Division of Fuel Cycle Safety and Safeguards Office of Nuclear Material Safety and Safeguards, US Nuclear Regulatory Commission (April 2000). NRC Review of the Tokai-Mura Criticality Accident, http://www.nrc.gov/reading-rm/doc-collections/commission/secys/2000/secy2000-0085/attachment1.pdf
15. International Atomic Energy Agency (1996). International Basic Safety Standards for Protection Against Ionizing Radiation and for the Safety of Radiation Sources, Safety Series No. 115, Vienna: IAEA.
16. Los Alamos National Laboratory Report, A Review of Criticality Accidents, a joint effort of the USA and the Russian Federation, summary at http://www.lanl.gov/news/index.php/fuseaction/home.story/story_id/10540
17. Hughes, T.G., BNFL (1972). Criticality incident at Windscale, Nuclear Engineering International (February).
18. Nuclear Safety Commission of Japan (1999). Report of the Criticality Accident Investigation Committee, 24 December 1999, available in translation as an attachment to US NRC Report, http://www.nrc.gov/reading-rm/doc-collections/commission/secys/2000/secy2000-0085/attachment3.pdf, at NRC website, http://www.nrc.gov/reading-rm/doc-collections/commission/secys/2000/secy2000-0085/2000-0085scy.html
19. International Atomic Energy Agency (1999). Report on the Preliminary Fact Finding Mission Following the Accident at the Nuclear Fuel Processing Facility in Tokaimura, Japan, Vienna: IAEA, http://www.nrc.gov/reading-rm/doc-collections/commission/secys/2000/secy2000-0085/attachment4.pdf
20. Owen, P. (1999). Decommissioning the Brent Spar, London: Taylor & Francis.
21. Guidance Notes for Industry on the Decommissioning of Offshore Installations and Pipelines under the Petroleum Act 1998, http://www.og.dti.gov.uk/regulation/guidance/decommission.htm
22. International Association of Oil and Gas Producers (2003). Disposal of Disused Offshore Concrete Gravity Platforms in the OSPAR Maritime Area, Report No. 338, http://www.ogp.org.uk/pubs/338.pdf
23. Credo of Johnson and Johnson, http://www.jnj.com/our_company/our_credo/index.htm
24. Lewin, T. (1982). Tylenol posts an apparent recovery, New York Times (25 December), http://query.nytimes.com/gst/fullpage.html?sec=health&res=9E04E4DC1438F936A15751C1A964948260
Appendix 3: Safety management tables
The tables in this appendix are intended to demonstrate the use of the systems approach to safety management described in Chapter 7. This sample selection of hypothetical tables is reproduced here by kind permission of Pöyry Energy Ltd [formerly Electrowatt-Ekono (UK)] [1]. The example is based on the exploration and drilling department of a hypothetical offshore oil and gas company. It commences with Table A3.1, a representation of the relevant parts of the organization. Most oil and gas companies have a management organization for exploration and drilling which outsources the actual work to specialist contractors. It is the management of these contractors by the oil and gas company which is the focus of the safety management system (SMS) analysis presented.

Table A3.1 Company management structure (for hypothetical business process 01: exploration and drilling)
Managing Director
01.01 Exploration Manager
01.02 Operations Geologist
01.03 Exploration Geologist
01.04 Operations Manager
01.05 Production Manager
01.10 Facilities Engineer
01.06 Drilling Manager
01.07 Drilling Materials Supervisor
01.08 Drilling Supervisor
01.09 Wire Line Supervisor
Only the job functions in BOLD are developed in the following SMS tables.

The example assumes that a hazard and risk assessment has already been carried out by the hypothetical company and its contractors to identify the hazards arising from the work and the level of risk. The main hazard arising from these activities is fire and explosion as a result of a blow-out or a release of flammable gas or liquids to the drilling platform. There are two methods of preventing this: by accurate prediction of likely pressure in the well by the geologists from data gathering, and the control of pressure by various means during the drilling, including the use of sufficiently high-density drilling ‘mud’ to suppress any release of gas.
Table A3.2, the catalogue of activities, identifies all the main work activities for this business function by company staff, whether or not these are safety critical. The level of risk, or safety criticality, is indicated in the table by means of the rating factors 1–3, or if the activity is not safety critical, by the letter ‘n’. It is important to show all activities to demonstrate completeness. The business functions, job functions and activities are sequentially numbered for ease of reference.
Table A3.2 Catalogue of activities
Business process: 01

| Function | No. | Subfunction | No. | Activity | No. | Safety criticality |
|---|---|---|---|---|---|---|
| Exploration Manager | 1 | Seismic surveys | 1 | Contractor hire | 1 | 3 |
| | | | | Seismic surveys: implementation | 2 | 2 |
| | | | | Controlling proximity to fixed installations | 3 | 1 |
| | | Drilling: exploration | 2 | Contractor hire | 1 | 2 |
| | | | | Gas pressure prediction | 2 | 2 |
| | | Results evaluation | 3 | Inspection of core samples | 1 | n |
| | | | | Reporting results | 2 | n |
| Operations Geologist | 2 | Geology: Operations | 1 | Legislative body: permission | 1 | 3 |
| | | | | Contractor (Geol.): select and hire | 2 | 3 |
| | | | | Vendors: select and hire | 3 | 3 |
| | | | | Documentation: well site geology manual | 4 | 2 |
| | | | | Interface with others | 5 | 2 |
| | | | | Geology: inspect samples | 6 | n |
| Exploration Geologist | 3 | Exploration geology | 1 | Examine wire line logs for presence of oil and gas | 1 | n |
| | | | | Synthesize information and gather data | 2 | n |
| | | | | Construct geological model | 3 | n |

Safety criticality: 1 = high, 2 = medium, 3 = low, n = non-safety critical.
Table A3.3 shows the details of the SMS model in terms of the three main parameters, means of control, implementation and verification of compliance. These are further decomposed to the subelements within the table. The table is an example of many tables which are developed for each activity, in this case an activity of the operations geologist, ‘interface with others’. For the ‘means of control’, the status is indicated, whether or not the ‘means of control’ is formalized, together with a brief description and any recommendations. The implementation method is shown together with the job function having ultimate responsibility. Verification of compliance is decomposed to (a) monitoring: whether the three essential components are present, these being feedback, decision and action, and (b) audit showing compliance responsibilities.
Table A3.3 Safety management systems: means of control, implementation and verification of compliance
TABLE 01.02.01.05
Function: Operations Geologist
Sub-function: Geology: Operations
Activity: Interface with others
Safety Criticality: 2

| Means of control | Implementation: Method | Implementation: Ultimate responsibility |
|---|---|---|
| Status: No formal means | Responsibility: Operations Geologist | Responsibility: Exploration Manager |
| Description: advice provided includes gas pressure prediction/gas pockets based on regional experience. The requirements for the advice [but not necessarily the way the data is obtained] needs to be formalized | Method: receives reports on results, entered in Well Site Logbook and reported in Well Completion Report | Notes: |
| Recommendation: formalize method for providing information for drilling operations | | |

Verification of compliance

| Monitoring: Feedback | Monitoring: Decision | Monitoring: Action | Audit: Compliance responsibility |
|---|---|---|---|
| Daily reports from rig to geologist, copies to Exploration Manager | Responsibility: Exploration Manager | Responsibility: Operations Geologist | Function: QA Manager |
| Notes: | Notes: | Notes: | Notes: |
Table A3.4 is an example of an SMS analysis table prepared for each safety critical activity with a checklist of questions which determine whether the requirements of completeness, adequacy and validation have been met. This is indicated with a ‘yes’ (Y) or ‘no’ (N) response to each question. The overall response is indicated at the foot of each column, the rule being that all questions must have a ‘yes’ response if the overall response is to be ‘yes’. The presence of an overall ‘no’ response indicates that the system does not meet the requirements and improvements will need to be made.
Table A3.4 SMS Analysis table
Activity: 01.01.02.02
Safety Criticality: 2
Description: Gas Pressure Prediction

| Requirement | Question | Response |
|---|---|---|
| Completeness | Is there a ‘means of control’ for the activity? | Y |
| Completeness | Is the ‘means of control’ formally documented? | N |
| Completeness | Is there an approved procedure which describes how the SMS is used? | Y |
| Completeness | RESULT | N |
| Adequacy | Does the ‘means of control’ apply to all aspects of the activity? | Y |
| Adequacy | Is it formally documented who implements the activity? | N |
| Adequacy | Is the ultimate responsibility for implementation formally documented in the job description for the responsible job function? | N |
| Adequacy | RESULT | N |
| Validation | Is there a feedback to the responsible job function? | Y |
| Validation | Is the feedback formally documented? | N |
| Validation | Is the feedback centrally archived? | N |
| Validation (Audit) | Has compliance with the SMS been verified by a third party? | N |
| Validation (Audit) | Are the audit results reported to a higher level than the job function responsible for the SMS? | N |
| Validation | RESULT | N |
Table A3.5 Safety management system analysis summary (safety critical activities only)

| Activity | Description | Completeness | Adequacy | Validation |
|---|---|---|---|---|
| 01.01.01.01 | Contractor hire | N | N | N |
| 01.01.01.02 | Seismic surveys: implementation | N | N | N |
| 01.01.01.03 | Controlling proximity to fixed installations | N | N | N |
| 01.01.02.01 | Contractor hire | Y | Y | N |
| 01.01.02.02 | Gas pressure prediction | N | N | N |
| 01.02.01.01 | Legislative body: permission | Y | Y | Y |
| 01.02.01.02 | Contractor (geol.): select and hire | Y | Y | N |
| 01.02.01.03 | Vendors: select and hire | N | N | N |
| 01.02.01.04 | Documentation: well site geology manual | Y | N | N |
| 01.02.01.05 | Interface with others | Y | Y | Y |
Table A3.5, the SMS analysis summary table, shows the results of the analysis in terms of overall responses for each safety critical activity based on the results obtained from each of the SMS analysis tables. Table A3.6, the summary of recommendations, is based on the SMS analysis summary table results and lists the main recommendations by referring to the relevant SMS analysis table for each activity. One of the principal advantages of the tabular method is that it not only provides a concise overview of the SMS, but immediately indicates where there is a gap or a need for improvements to be made. The actual SMS does not comprise these tables but is the set of documents referred to in the tables, including the various management control procedures.

Table A3.6 Summary of recommendations

| Activity | Description | Recommendation |
|---|---|---|
| 01.01.01.01 | Contractor hire | Provide for safety review of contractors |
| 01.01.01.02 | Seismic surveys: implementation | Define means of control and operation |
| 01.01.01.03 | Controlling proximity to fixed installations | Provide formal system for logging of information and feedback to contractors |
| 01.01.02.01 | Contractor hire | Inclusion of safety review for potential contractors |
| 01.01.02.02 | Gas pressure prediction | Define formal systems for the identification of gas hazards with feedback |
| 01.02.01.01 | Legislative body: permission | None |
| 01.02.01.02 | Contractor (geol.): select and hire | Define experience required for well site geologist |
| 01.02.01.03 | Vendors: select and hire | Formalize control of contractors’ bids |
| 01.02.01.04 | Documentation: well site geology manual | Formalize method for providing information for drilling operations |
| 01.02.01.05 | Interface with others | Formalize method for providing information for drilling operations |
Reference
1. Pöyry Energy Ltd [formerly Electrowatt-Ekono (UK)], Horsham, http://www.energy.poyry.com/general/
351
This page intentionally left blank
Index Aberfan mining disaster 146 Accident: causation, features of 221 investigation 12, 14, 197, 198, 209, 221, 224, 230 precursors 219-220 proneness 217 Active error 10-14, 218 Activity-based approach 204 Adaptive learning 211 Administrative penalties 166, 169 Advantage of globalization 21 Adventure activities licencing scheme 157 ALARP: assessment of 159 definition of 158 diagram 155-156, 160 principle 129, 134, 145, 155, 158, 162 risks 134 Alkali Act 1863 146 Alpha assessment 186 Amplification-attenuation model 138 Annualization of costs 163 Antecedent-behaviour-consequence (ABC) 192 Anthropomorphism 28 Anti-union legislation 67 Applied ethics 53-54 Approved Codes of Practise (ACOPs) 149 Asbestos 257-258 see also Cost externalization Asbestosis 258 As low as reasonably practicable see ALARP Association of Train Operating and Freight Operation 237 Audit 180, 183-185, 187, 189, 203, 329 implementation 189 Australian Capital Territories 42 Automatic train protection 299-300 Automatic warning system 299-301
Bankruptcy 26, 66 Barrier analysis 222 Behavioural psychology 190-191 Behavioural science technologies 194, 196 Better Regulation Commission (BRC) 170 Better Regulation Task Force (BRTF) 168-169 Bhopal gas tragedy 21 Blame culture 101-102, 210, 231-233 ‘Boids’ artificial life simulation 96 Boiler regulations 145 Brent Spar 48, 68, 255, 273-274, 338, 341 Bristol Royal Infirmary (BRI) 27-28, 88, 112-113, 243, 245, 323, 325-327 British Medical Association 100, 113 British Nuclear Fuels Ltd 334 British Standards Institution (BSI) 181 Broadly acceptable risk 155 Business reputation, protection of 51 By-products of industrial processes 23 Canadian Bill C-45, 43-44 Capitalism 22-24 modern face of 23 Causal factor chain 220 ‘Causation-based’ classification 233 ‘Cause and effect’ thinking pattern 224 Central Criminal Court 305 Challenger space shuttle, accident 14, 71-72, 112-113, 243-245, 310-311, 313 Channel Tunnel 152 Charity Commission 27 CHASE Audit and Evaluation programme 187 Chemical Industries Association (CIA) 103, 242 Chernobyl accident 99, 105, 128 Civil Aviation Authority 236
354
Index Civil Service Reform Act 1978 (CSRA) 241 Clapham Junction rail disaster 101, 103, 151, 289 Class culture 88 Classical approach 23, 84, 89, 90, 92-94, 97 see also Neo-classical economies Classical Darwinism 60 Clinical negligence litigation 328 Closest logical comparison 228 ‘Club culture’, 88-89, 113, 328 Coal Mines Act 146 Code of ethics 250-255 Code of Hammurabbi 51-52 Code of practice 147-149 Columbia Accident Investigation Board (CAIB) 112, 244, 309-310, 313-314 Columbia space shuttle, loss of 27-28, 71, 112, 243-245, 309 Commission for Health Improvement 329 Common cause failures 13-14 Common-law duties 31 Companies Act 5, 31-32 Company law 31, 73 Competence and training requirements 183 Confidential Incident Reporting System (CIRAS) 237 Confidential reporting system (CRS) 235-238, 267 Congenital heart disease 323 Conoco-Phillips Humber refinery, fire and explosion 141-142, 207, 224, 318 Control of Asbestos Regulations 258 Control of Major Accident Hazards (COMAH) Regulation 103, 136, 153, 318 Control measures, assessment of 135 Control of risk 269 Corporate accident: definition 7 emergence 88 freedom from 48 prevention 9, 69, 215, 277, 283, 287 Corporate accountability 28, 80, 285 Corporate behaviour 4-5, 17, 42, 55, 59, 61, 65, 74, 79, 250, 277, 278, 280, 282 Corporate capital punishment 48 Corporate citizen model 57, 256, 260, 261-262, 264
Corporate citizenship 57, 63, 65, 249, 255-256, 263-264, 266, 268-269, 271, 273 Corporate ethical behaviour 17, 51, 61, 65, 249, 277, 280-281 determinants of 65 motivation 61 policy 250 Corporate ethics 5, 17, 29, 50-51, 58-60, 75, 276, 278, 280-282 Corporate failures 3, 15, 18, 294 Corporate Homicide Act 5, 37, 40-41, 45, 279-280, 286 Corporate killing 34 Corporate legal liability 30 Corporate manslaughter: legislating for 37 trial 299, 301 Corporate Manslaughter and Corporate Homicide Act 5, 37-38, 40-41, 45, 279-280, 286 Corporate Manslaughter and Corporate Homicide Bill 290, 307 Corporate personality 20, 63-64 ‘Corporate personhood’, 4, 16, 20, 36, 46, 58, 60, 63-64, 79, 277-278 concept of 46, 58, 61, 64, 79, 277-278 ‘Corporate probation’, 47, 280 Corporate social responsibility (CSR) 15, 23, 51, 64, 68, 79, 81, 103, 186, 248-249, 254, 255-259, 264, 266, 267, 268-271, 273, 276, 278, 281, 337, 338, 341 examples of 271 Corporate structure models 256 Corporate veil 41-42, 47, 64 Corporate whistleblowing arrangements 242 Corporation tax 24 Corporatism 4, 18, 23-24, 28 dangers of 24 evolution of 28 Cost-benefit analysis (CBA) 145, 159, 162-164 Cost externalization 4, 24-25, 27, 51, 67, 79, 144, 248, 256-258, 288, 300 Cost of preventing a fatality (CPF) 159-160, 162 Court of Appeal 31, 158, 305-306 Criminal Justice Act 305
Index Criminal negligence causing death 43 Criminal penalties 168 Criticality hazards 332-333 Crown Bodies 147 Crown Prosecution Service (CPS) 30, 40, 296, 301, 304-305 Cullen Inquiry 151-152 Culpability spectrum 233, 235 Cultural expectations 88 Dangerous Occurrences Regulations 215 Darwinian competition 60 Davis-Besse nuclear power plant incident 96, 171, 314-317 Deep-sea disposal 67, 339 Defence Standard 00-56 152 Denunciatory penalties 48 Department of Health and Social Security 323 Department of Public Prosecutions 295 Department of Work and Pensions (DWP) 147 Depression (of the 1930’s) 23 Deviation statement 225 ‘Directing mind’ theory 41 Dissemination of information 236 ‘Doctors’ professional competence 325 Domino effect 130, 209, 216, 318 ‘Dread factor’, 139, 160 ‘Drive out fear’, principle of 110 DuPont STOP programme 196 Employers’ Liability (Compulsory) Insurance Act 146 Employment Medical Advisory Service 148 Employment tribunals 97 English Welsh and Scottish (EWS) Railways 298-299 Enron 50, 242, 267 Entrepreneurialism 25 Ergonomics 9, 13 ‘Error of commission’, 12 Espoused values 91 Ethical obligations 253 Ethical policy 55-57, 63-64, 67-68, 73-74, 249-252, 255, 260, 266, 268, 344
Ethical professional codes 69 Ethical testing 254 Ethics 51-53, 75, 113, 245, 266, 281, 327 definition of 51-52 and the law 53 Events and causal factor analysis 222 Factories Act, 1011-02 144, 146 Farmer curve 118-119, 127, 128 implications of the 119, 248 Fatal accidents due to gross negligence 37 FBI 242, 343 Federal Aviation Administration (FAA) 41, 236 Federal Office of the Special Counsel 241 Fiduciary duty 27, 31 Filipino society 87 Fire Precautions Act 146 FirstEnergy 171, 172, 314-315, 317 Fissile materials, avoidance of criticality of 333 Flawed decisions 220 FN curves 127-128, 157, 160-161 Food and Drug Administration (FDA) 343 Food Safety Agency 278 Fraud and serious crime squad 56 Freedom of Information Act 263 Freedom of speech 58 Free-market: ethos 103 ideas of classical economics 23 mechanism 25 ‘Game of life’ 95 Gamma and neutron radiation 142, 170, 335 Gap theory 223 Gender culture 87 Gender stereotypes in the workplace 88 General Medical Council 114, 326-327 Generational culture 88 Generative learning 211 Generic internal safety audit 188 Gestalt approach 84, 89-90, 94-97, 105, 108 Global Aviation Information Network (GAIN) 234-235 Globalization 19, 21, 266, 271, 278 Global reporting initiative 186
355
356
Index Global warming 62, 139 Goal-based approach 101-102 Government tax authorities 66 Great Western Trains (GWT) 17, 36, 279, 298, 301-307 Greenpeace 68, 269, 274, 339-340 Greenpeace vessel Altair 274, 340 Griffiths Report 324 Gross negligence manslaughter 33, 305, 307 Hampton report 165-166, 168, 172 Hare checklist 63 Hatfield rail accident 55-56, 282 Hazard: identification 113, 130, 141, 180, 182, 313 risk assessments 134 Hazard and operability (HAZOP) technique 207 Health Care Professions Act 330 Health and Morals of Apprentices Act 1802 145 Health and Safety Commission (HSC) 33, 147 Health and Safety (Directors’ Duties) Bill 33 Health and safety duties 32 Health and Safety Executive (HSE) 56-57, 99, 103, 117, 121, 125, 130, 136, 141, 147-157, 161-164, 178-179, 188, 207, 215, 225, 228-229, 271, 318, 320, 321-322, 332 booklet 178 Health and safety legislation 147 Health and safety protocol 42 Health and Safety at Work etc Act 5, 30, 32, 40, 45, 55, 56, 102, 129, 146, 147-149, 152, 157, 159, 270, 280, 282, 284, 299, 301-302, 304, 323 Health and Social Care Act 329 Heinrich pyramid 190, 230, 284 Herald Charitable Trust 287 Herald of Free Enterprise 36, 206, 244, 289, 290-292, 294-295, 302-303 Hidden Inquiry 151-152 Hierarchical and authoritative organization 110 Hierarchical management structures 37, 314 High-risk activities 180 Hillsborough Stadium 289
Hippocratic oath 69 HM Prison Service 39 Hospital Survey on Patient Safety Culture 100 House of Lords 35-36, 305-306 Hubble Space Telescope 309 Human error 9 ‘Human factors’ principles 9 Human malfunctions 14 Human performance evaluation 222 ‘Identification principle’, 8, 34 Individual ethical behaviour 59, 61, 64 Individual ethics 58 Individual risk 8, 116, 120-126, 128, 136, 155, 156, 158, 160-162 Industrial fatal accident 42 Industrial Revolution 20, 144 Information disclosure 234 Institute of Business Ethics 266, 268 Institute of Occupational Safety and Health 69 Institute for Research on Cultural Co-operation 92 Institution of Chemical Engineers 69, 71, 118 Interdepartmental Liaison Group on Risk Assessment 137 International Association of Oil and Gas Producers 341 International Atomic Energy Agency (IAEA) 83, 90, 99, 100, 105, 107, 152, 317 International Labour Organization 182-183 International Safety Rating System (ISRS) 185-186 International Space Station missions 309 International Standard OHSAS 18001 182 Japanese nuclear industry 8 Japanese Nuclear Safety Commission 142, 171 Japan Nuclear Fuel Conversion Company (JCO) 142, 170-171, 330, 331, 334, 337-338 Johnson and Johnson 264, 273, 342-344 JOYO plant 334 Just culture 232
Kegworth (M1) aircraft accident 289 Kepner-Tregoe method 210, 222 Keynesian theory 23 Killing by gross negligence 34 King’s Cross underground fire 289 Ladbroke Grove Rail Accident Inquiry Report 152 Laissez-faire capitalism 23-24, 144 Larkhill explosion 56-57 Latent error 9, 11, 15, 218 Law Commission 34, 39, 303 Learning opportunities 232 Learning organization 15, 64, 67, 81, 98, 108, 209-234, 276 Legal accountability 16, 48, 276, 279, 285 Legislative and Regulatory Reform Act 164, 169 Limited liability 25-26 principle of 3, 25, 66 London Underground Jubilee Line Extension 152 Los Alamos 330, 331 Lyme Bay accident 157 Maintenance errors, consequences of 11 Major Accident Prevention Plan 153 Management of change (MoC) procedure 207, 321 Management commitment 109, 197 Management error 3, 7-9, 11-19, 38, 282 Management of Health and Safety at Work 129, 181 Management Oversight and Risk Tree (MORT) 197-198, 222 Managerial and professional ethics 68 Manslaughter charges 8, 34, 35-36, 251, 279, 285, 286, 290, 299 Massachusetts Institute of Technology 213 McKinsey principle 97 Medical error 237 Merchant Shipping Act 291, 294 Merit Systems Protection Board 241 Meta-ethics 53 Military-style hierarchy 89 Mines and Collieries Act 146 Mission statement 110, 264 Mobile hunter-gatherer groups 86 Monetarism 256
Monetarist economics see Neo-Classical economies Monitoring 202-203 Morality and ethics 51, 59 Multi-causality 218, 286 Multi-layered approach 209-210 Multiple fatalities 8, 10, 57, 116-117, 120, 124, 126-128, 130, 136, 151, 155, 157-158, 161 see also Single-fatality accidents National Aeronautics and Space Administration (NASA) 27-28, 71-72, 112-13, 236, 244, 245, 309-314 National Coal Board 146, 158-159 National Health Service 28, 112-113, 239, 246, 323-324, 327-330 National Patient Safety Agency 329 National Plan for the Prevention of Nuclear Disaster 171, 337 Natural Environment Research Council 340 Neo-classical economies 4, 23-24, 249, 256, 258-260, 263 Nevada desert, atom bomb tests in the 330 No-blame culture 210, 232-233 Nolan Committee 239, 242 Non-corporate bodies 19, 26-28, 39 Non-discretionary monetary penalties 169 Non-profit organization (NGO) 19, 28 Non-renewable resources, depletion of 62 Normative ethics 53 Nuclear Installations Act 152 Nuclear Regulatory Commission 314 Nuclear Safety Commission 171, 334, 336-337 Nuclear Safety Directorate 152 Office of Fair Trading and the Financial Services 166 Office for National Statistics 121 Office of Rail Regulation 152 Offices, Shops and Railway Premises Act 146 Official Secrets Act 241 Offshore Installations (Safety Case) Regulations 103, 151
Ofgem 56-57 Onshore dismantling 273, 338 Optimising violations 233 Organizational change 28, 107, 111, 154 Organizational culture 63, 85, 89-90, 92, 94-99, 108, 212-214, 310, 312, 328 dimensions of 92 levels of 90 Organisational error 11 Organisational failure 11, 64, 230 Organisational learning 98, 209, 210-211, 215 models 211 Organisational values 251 OS&H management system 182-185 OSPAR Convention 341-342 P&O European Ferries (Dover) Ltd 290 Paddington rail crash 290 Paediatric surgery 323 Passenger fatality rates 123 Paternalism, attitudes of 113, 323, 328 Paternalistic (values) 65 Patient Safety and Quality Improvement Act 237 Pax World Fund 268 Penalties 5, 25, 30, 40, 42, 46-48, 72, 148-149, 166, 168-169, 279-280 Perceived risk 136-138, 140, 287 Performance deviation 225, 228 Personal liberty 30, 58 Personal protective equipment 194 Personhood, characteristics of 29, 61, 63 Petroleum Act 341 Piper Alpha accident 101, 103, 151, 244, 289 Plundering of natural resources 24 Pollution 23-24, 62, 146, 257, 274 Post-traumatic stress disorder 110-111 Precautionary principle 136-137, 341 Pressurised water reactor (PWR) 128, 171-172, 314 Private democracy 262 Private Eye magazine 295, 326 Professional codes 68-69, 74 Professional errors 245 ‘Professional negligence’, 338 Profiteering 51
Protected disclosures 242 Psychodiagnostic checklist 63 Public democracy 261-263, 266 Public Interest Disclosure Act 71, 239-240, 243 Public service organizations 74 Quality management 102, 180 Quantified risk assessment (QRA) 117, 128, 130-132, 136, 154, 161
Rail Safety and Standards Board 237 Railways (Safety Case) Regulations 103, 152, 302 Random errors 10 Reciprocal altruism 60 Reckless killing 34 Reckless violations 233 Regulation Task Force study 167 Regulatory guidance and best practise 149 Regulatory Reform Act 169 Remedial measure 102, 230, 232 Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 215 Responsible Care Scheme 103 Rio Declaration 136 Risk acceptance criteria 154 Risk assessment 102, 117, 124, 128-131, 134-137, 141, 150, 154, 165-166, 180-182, 188, 313, 331, 346 Risk-based: culture 84, 107 inspection 165 Risk homoeostasis 140-141 Risk matrix 117, 135 Risk perception 125, 137, 287 Risk reduction measures 118, 135, 137, 155, 160, 162 Robens Report 145-147, 153, 282 Rogers Commission 113, 244, 245, 311, 313 Roll-on/roll-off (RORO) car ferry 206, 290 Root cause analysis 221 Safeguards against accidents 220 Safety assessment principles 152
Safety critical activities 197 Safety culture 15, 27, 42, 62, 64, 73, 80-81, 83-113, 142, 154, 173, 177, 203, 206, 213, 220, 230, 276, 278, 280, 286, 317, 318 defects in 312-314 definition of 99-100 developing a 100 failure of 170, 336 Safety director, definition of 56 Safety Management Systems (SMSs) 153-154, 157, 177-178, 180-182, 185, 188-190, 197, 200-207, 249, 276, 283, 286, 346, 348-349, 351 analytical approaches to 197 auditing approaches to 185 behavioural approach to 98, 190 tables 346-350 Safety pyramid, see Heinrich pyramid Safety regulation 15, 30, 44, 57-58, 73, 80, 144-173, 276 Safety suggestion schemes 102 Sarbanes-Oxley Act 242, 284 Securities and Exchange Commission 17, 50, 73 Selfless motivation 62 Self-seeking motivation 62, 73 Senior management failure 39, 45-46 Shared leadership 104, 109-110 Sheen Inquiry 290-294, 296-297 ‘Shopfloor errors’, 9 Signal passed at danger 10, 12, 14, 299 Single- and double-loop learning models 209 Single-fatality accidents 8, 155 Socially responsible investment (SRI) 73, 268 Societal risk 116, 120, 126-128, 136, 151, 155, 157-158, 160-161 Sociopathic symptoms 63 Southall rail accident 36, 279, 290, 298 SPAD see Signal passed at danger Statutory Instruments 147, 149 Stockholder 66, 253 model 256, 258, 260-263 Strategic failure 285
Sumitomo Metal Mining Company 330, 337 System: analysis 203 error 10, 231 improvement 204 thinking 213-214 Test of gross disproportion 159 Three Mile Island nuclear accident 128, 138, 170-171, 315 Tokai-Mura accident 142, 170, 330, 334 Tolerability (of risk) 162 Total quality management 180 Trade Descriptions Act 35 Train protection system see Automatic warning system Transco 47, 56-57 Transnational companies 21 Transportation risk 122 Turnbull Report 284 Tylenol incident 264, 273, 342 Union Carbide India Limited (UCIL) 21 United Kingdom Accreditation Service 322 United Nations Global Compact 271 Universal Declaration of Human Rights 255 Unlawful Killing 302 US Air Force 222 US Aviation Safety Reporting System 236 US Department of Energy Guidelines 221 US General Accounting Office 172, 311 US Institute of Medicine 237 US Nuclear Regulatory Commission 96, 171, 176 US Strategic Air Command 222 Utilitarianism 53 Value of preventing a fatality (VPF) 159-160, 162-163 Verification of compliance 200, 202-204, 348 Vicarious liability 44-45 Victimisation 67, 71, 74, 238-242
Violation, definition of 233 Virtue ethics 52 Voluntary ethical codes of behaviour 258 Westray disaster 42 Whistleblower Protection Act (WPA) 241 Whistleblowing 71, 88, 157, 210, 234, 238-239, 241-245, 329 Worker individual risk 121
Workforce 8, 19, 23-24, 40, 56, 64, 66, 97, 101-102, 104-105, 109-110, 122, 136, 144, 165, 219, 257, 266, 269, 273, 281, 288, 311-312, 327, 329, 339 Workplace error, study of 8 World.Com 50, 242 World Health Organization 258 Zero risk 117