International Journal of Mining Science and Technology 27 (2017) 617–625


Organization: A new focus on mine safety improvement in a complex operational and business environment

Komljenovic Dragan a,⇑, Loiselle Georges b, Kumral Mustafa c

a Institut de Recherche d’Hydro-Québec (IREQ), 1800, boul. Lionel-Boulet, Varennes J3X 1S1, Canada
b Hydro-Quebec TransEnergie, 5250 Armand-Frappier, St-Hubert J3Z 1G3, Canada
c Department of Mining and Materials Engineering, McGill University, Montreal H3A 0E8, Canada

Article info

Article history: Available online 10 May 2017

Keywords: Occupational safety and health; Safety culture; Organizational performance; Risk analysis and management

Abstract

The daily operations in the mining industry are still a significant source of risk with regard to occupational safety and health (OS&H). Various research studies and statistical data world-wide show that the number of serious injuries and fatalities still remains high despite substantial efforts the industry has put in recent years in decreasing those numbers. This paper argues that the next level of safety performance will have to consider a transition from coping solely with workplace dangers, to a more systemic model taking organizational risks in consideration. In this aspect, lessons learned from the nuclear industry may be useful, as organizational learning processes are believed to be more universal than the technologies in which they are used. With the notable exception of major accidents, organizational performance has not received all the attention it deserves. A key element for reaching the next level of performance is to include organizational factors in low level events analyses, and approach the management as a risk control system. These factors will then appear not only in the event analysis, but in supervision activities, audits, change management and the like. Many recent event analyses across various industries have shown that organizational factors play a key role in creating conditions for triggering major accidents (aviation, railway transportation, nuclear industry, oil exploitation, mining, etc.). In this paper, a perspective that may be used in supervisory activities, self-assessments and minor events investigations, is presented. When ingrained in an organizational culture, such perspective has the highest potential for continuous safety improvement.

© 2017 Published by Elsevier B.V. on behalf of China University of Mining & Technology. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

⇑ Corresponding author. E-mail address: [email protected] (D. Komljenovic).

1. Introduction

The problem of major technological accidents in modern society has captured a lot of attention in recent decades at all levels (citizens and civil society, organizations, universities, research institutions, regulatory and legislative bodies, etc.). Numerous studies, books and high quality refereed papers have been published on this topic. Many innovative technical measures and pieces of legislation or regulation have been introduced in order to prevent and reduce those risks. Despite the knowledge accumulated from both past experience and research works, major and catastrophic accidents across various high-reliability-at-risk industries (nuclear, aviation, petrochemical, transportation, mining, etc.) continue to occur. They can cause human fatalities, injuries and suffering, significant destruction, substantial environmental pollution and huge financial losses.

The number of such accidents still remains unacceptably high, and the consequences are enormous. Subsequent official analyses have shown that the majority of accidents were preventable. Some recent catastrophic events support this statement well [1–5,53]. Were these “out-of-the-blue” events, or did one miss some information that was available in low level events, but lost in an organizational “blind spot”?

The business and operational environment has changed considerably for the majority of organizations. One of the peculiarities of this change comes from the integration of various industrial, technical, political, economic, environmental and financial pressures with the regulatory adjustments which ensue from it [1,6–24]. The operation of these sectors, which were relatively autonomous and independent, became more complex as the number of stakeholders increased, along with the advent of new technologies and interrelations between entities that are no longer isolated and independent.

A direct consequence of these changes is the nature of the events which continue to occur. While the accidents which arose previously generally found their cause in known and assumed factors, modern events find their origin in unforeseen interactions between elements without visible links. The linear story-telling of events is thus less suited for improvement in conventional and public safety [1,9,10,14–17,21,24]. This diagnosis is not limited to major accidents but also applies to other types of events (such as process disruptions or bankruptcies) [18,19,23,25].

In this paper, a discussion is presented of the evolution of the nature of the causal factors, and of the approaches and tools developed and used in the nuclear industry to take into account the complexity of its operational environment. It builds further on previous studies, but focuses in detail on the role of the organization and safety culture in ensuring a safe workplace in the mining industry [17]. This paper aims at providing some new insights which may contribute to the body of knowledge in this area, particularly in the field of mine safety. This experience can be transposed to other industries as well.

http://dx.doi.org/10.1016/j.ijmst.2017.05.006

2. Classic view of event: failure of a weak link

One is accustomed to simple story-telling of significant events and accidents. It is natural to identify a barrier which, if it had worked adequately, would have prevented the undesired event. Barrier analysis makes it possible to identify the less than adequate performance of defenses and to propose specific corrective actions. Even more elaborate methodologies, such as management oversight and risk tree (MORT) or systems-theoretic accident model and processes (STAMP), rely on the identification of independent administrative barriers in complicated organizational systems, but not necessarily complex interactions [12,15]. Working on human performance fundamentals has allowed for improvement without digging through events. Human performance fundamentals and error prevention tools did a lot to further reduce events and improve performance. Nevertheless, they did not question the sequential view of events.

This view of an event supposes some linearity (a time line) which could be representative of reality to a certain extent. Even if some aspects were not reflected in the analysis, the identification of some barriers remained good enough for corrective actions. Today, for most situations, such a linear approach is insufficient to allow a complete and useful understanding of the stakes and challenges regarding safety. This is less the fault of the model than of the increasing complexity of many industrial environments. Also, in some fields, e.g. nuclear and aviation, one might have a good understanding of the performance of the elements and enough data to develop good models. In some new fields, e.g. nanotechnologies, one might not have data or even models.

As early as the 1980s, Perrow introduced the contribution of the complexity and operator errors to industrial accidents [20].
This topic was further expanded through research works carried out by Rasmussen and his team in the second half of the 1990s. He argues that the analysis of modern and complex systems requires a system-oriented approach based on functional abstraction rather than structural decomposition [21]. Instead of focusing on action sequences and occasional deviations in terms of human error, the analysis should be performed with a model of behavior-shaping mechanisms considering an array of influential factors. Perrow proposes the convergence of research paradigms of human sciences guided by cognitive sciences concepts [21]. Reason has also brought significant contributions regarding the understanding of human error [26].

A further contribution to a better understanding of accident creating mechanisms is provided through significant research works carried out by Leveson [15,16]. In her research, she questions assumptions and approaches related to accident causality models, definitions of safety and its relationship with reliability, retrospective versus prospective analysis, and operator error. She argues and demonstrates that the past assumptions and beliefs related to those areas are not necessarily true in complex systems. The behavior of the latter is quite difficult or almost impossible to predict with a growing number of interactions. She stresses that safety, unlike reliability, is a system property, not a component property. Therefore, safety is an emergent property. Unsafe system behavior is defined in terms of safety constraints on the behavior of the system components. Thus, safety is perceived as a control problem rather than a failure or reliability problem. Several other authors share this vision [1,6,10,19,24]. It is an important statement for further analyses because it also involves overall organizational performance.

In this period, Reason also carried out important research works aiming at understanding the role of organizational performance in the occurrence of accidents [27,28]. He argues that there are two kinds of accidents: those that happen to individuals and those that happen to organizations. Individual accidents are larger in number. Organizational accidents are relatively rare and often catastrophic, and they occur within complex modern technologies. Organizational accidents are challenging events to understand and control.

The assumptions of retrospective event analysis and accident causation models are questioned in complex systems. It seems that one of their characteristics is a continuous drift to danger or failure which is almost impossible to capture in traditional chain-of-event analyses. In fact, the basic assumption that cause and effect shall be directly related is not always valid. This idea is also supported by other authors [1,6,8,10,11,17,23,24,29,30]. The role of operator error has also been thoroughly examined. The classic narrative that most accidents are caused by operators is questionable.
The “reward-punishment” approach for reducing/eliminating accidents does not function in modern, complex systems [1,16,17]. Understanding human error seems to remain the final frontier for safety professionals, and is an ongoing challenge for the technical community. But it is not only those on the front line that are to blame, as will be discussed further below [1].

Mosey also identifies “managerial ignorance” as a recurrent element in accidents, noting the “failure to learn from the experience of the past” [2]. He states that organizations have no memories. Only people do, and they leave. Failing to learn from experience (or failing to properly record those lessons and ensure they remain part of the collective consciousness) is a major factor. Moreover, there are others such as “unofficial” messages from management, and acceptance of abnormalities (or “the insidious acceptance of slowly-degrading standards”).

In fact, several authors argue that individual human behavior is always influenced by the environment in which it takes place. Marais et al. discuss why safety related decisions do not always result in desired behavior, and how independent decisions in different parts of the organization can combine to have a negative, and often unforeseen, impact on safety [31]. The key is in positively changing this environment. Traditional event-based and risk models are quite ineffective in dealing with human error and decision-making in complex systems and environments [1,5,6,10,17,21,24,32,33]. A real reduction of accident frequency requires getting to the bottom of human and organizational performance issues. Katina has also suggested that there might be situations in which human performance, in relation to adhering to laws, principles, and theorems of systems theory, is affected through three conditions: (1) knowing systems theory but choosing to ignore it, (2) knowing systems theory but having poor execution and (3) not knowing systems theory [13].
There are also some studies which question the one-sided thesis that contemporary organizations rely on the mobilization of cognitive capacities [34]. The authors suggest that severe restrictions on these capacities in the form of what they call “functional stupidity” are an equally important if under-recognized part of organizational life. “Functional stupidity” refers to an absence of reflexivity, a planned state of ignorance resulting from tolerating unanswered questions and avoiding challenges to the status quo. This management pathology occurs because it helps avoid ambiguity and uncertainty that would require action and resources and would disturb the course of normal activities. If ignorance gives confidence, nothing counteracts this way of proceeding until an event happens, caused by factors in the zone of ignorance. They argue that this type of pathology is prevalent in contexts dominated by economy in persuasion which emphasizes image and symbolic manipulation. This gives rise to forms of management that repress or marginalize doubt and block communicative action. In turn, this structures individuals’ internal conversations in ways that emphasize positive and coherent narratives and marginalize more negative or ambiguous ones.

The traditional top-down/control organizational management in complex systems is also questioned by several other authors [22,27,30,35–38,52,54]. There are some works defining the framework of complexity leadership theory [37]. This framework includes three entangled leadership roles (adaptive, administrative and enabling leadership) that reflect a dynamic relationship between the bureaucratic, administrative functions of the organization and the emergent, informal dynamic of complex adaptive systems.

As far as human and organizational performance is concerned, numerous authors also argue that one cannot assume that human decision-making is always rational [1,6,8,10,13,18,36,39,40]. In such situations, cognitive and motivational biases are likely to happen in the decision-making process. Those biases could negatively affect the desired outcomes including safety [1,13,29,31,39].

The above findings and statements have a deep impact on safety, and this topic is discussed below.

3. A new source of risk in the 21st century: the organization

The understanding of events changed for one main reason: the nature of their contributory factors. The main source of risk today is the organization itself [6–11,15–19,21–24,28,30,32,33,39–44]. Indeed, one can notice that many industrial accidents have essentially organizational components, such as the company’s culture, safety culture, communication between groups, decision-making by people in authority, centralization and decentralization, organizational clarity, and several other attributes which are more a matter of collective than individual work.

These new characteristics are consequences of the evolution of two things: (1) the type of barriers which ensure a safe environment, and (2) the new interrelations and interdependencies between entities that were previously isolated and considered practically independent. Barriers enabling safety of the operational activities evolved with both the complexity of the tasks and the increased number of involved persons. The main consequence is the change of the redundant barriers into interdependent and interrelated ones. This makes it difficult to anticipate weaknesses in these barriers, leading to failures.

This trajectory is well pictured by the metaphor of the slices of cheese, where degradation propagates through holes in lines of defense. This picture is still adequate, but a sequential display of such an event is no longer so representative of the underlying reality; lines of defense no longer have the same redundancy. A more appropriate model would rather present the situation as a degradation of margins, which locally would be individually acceptable but which, collectively, have important consequences that could not be anticipated by a local analysis. It also means that the aggregate effect of individual consequences is greater than their simple sum. This would seem to suggest a need to understand “linchpins” within organizations, good and/or bad. This particularity leads to certain characteristics of complexity. Complexity of the operational and business environment asks for an organizational answer adapted to face new stakes and challenges [1,10,11,14,15,17–19,21,22,27,29,30,35–37,43,44].

4. New stakes and challenges: complex interfaces

Enterprises are designed, operated and managed to provide optimal performance, reliable operation and functional safety. Meanwhile, the technological evolution and modern operational and business environment bring an important source of complexity. Some authors speak of “structural complexity” introduced through the heterogeneity of system components across different technological domains due to the increased integration among various systems, and the “dynamic complexity” which is manifested through the emergence of (even unexpected) system behavior in response to local changes in the environmental and operational conditions [24]. For example, the automation of several processes conveys more opacity in the system, with numerous control rules and new information technologies involved. Furthermore, internal and external pressures as well as high performance and competitiveness requirements continuously increase (the “do-more-and-better-with-less” paradigm), creating a stressful environment for both managers and workers and leading to reduced performance and concentration down the path.

Consequently, contemporary organizations become complex socio-technological-economic entities involving many interacting and interdependent elements with a hardly predictable long term behavior at micro and macro levels. The connections between their constituent elements are of different strengths and types, such as physical, informational, geospatial, functional, procedural, financial, market, and societal [14,24,25]. Therefore, the management of those organizations also turns out to be more challenging due to significant uncertainties created through complexity. Contemporary mining enterprises also fall in this category [14].
In fact, several researchers and practitioners argue that modern organizations should be considered as complex adaptive systems (CAS) or complex adaptive systems of systems (CASoS), and that they should be analyzed, modeled and managed as such [1,11,13,14,24,25,27,30,36,44–47]. The CAS or CASoS function at various time scales (from less than one second to years or decades), and at multiple geospatial scales (from less than one millimeter to several kilometers or more). Several studies have shown that complex systems cannot be reduced to simple mathematical laws and be modeled appropriately, given that this simplification and reductionism introduce supplementary uncertainty in the model [8,13,14,24,30,36,44–46]. Thus, a new interdisciplinary field called complexity science or complexity theory has emerged and evolved over the last few decades seeking to understand, predict, and influence the behavior of complex systems. It develops concepts, methods and tools that transcend specific applications and disciplines [11,13,14,24,30,36,45,47]. This approach may also be beneficial in modeling safety in complex systems.

The CAS or CASoS are dynamic systems able to adapt in and evolve within a changing environment. They exhibit coherence under changes, via conditional action and anticipation, and they do so without a strong central direction. They are self-organizing, evolving, dynamic, non-linear, and rarely predictable with emerging behavior. It is important to highlight that there is no definite separation between a complex system and its environment. Furthermore, the complexity is associated with the strength of linkages between several autonomous constituent elements of a system that yield interactions difficult to grasp and anticipate [13]. As discussed above, it creates an emergent system behavior which is influenced by uncertain cause-and-effect relationships and unscheduled discontinuities.

One of the consequences of this complex context of modern organization is the necessity of increasing the technical training for the operator. This training is taken for granted during the commissioning phase, but invariably undergoes a dilution in time, the in-service training being reduced to certain aspects more critical to health and safety. Maintenance is another domain where training is often neglected. It is usually believed that maintenance procedures prove the quality of the task output. Such a hypothesis is not unreasonable at the beginning of the operation of new equipment or a new system. However, experience shows that a degradation of conformity is observed with time, the staff developing local adjustments and the management taking certain liberties with the maintenance schedule. One slowly deviates from the manufacturer’s requirements without providing a new technical basis for changes. Indeed, a decrease in maintenance does not necessarily cause an immediate decline in performance. These deviations are tolerated and even sometimes reinforced because of their short-term advantage. Here, one can see a rapid degradation of safety margin causing a “drift to danger” or a “drift to failure/system breakdown”.

In the context of the complexity and the functional opaqueness of the system, it is difficult for the workers to anticipate its global behavior based on the behavior of its components in interaction. As the complexity is a matter of interactions between simple interdependent components/systems, humans, IT, etc.,
it brings unexpected reactions of the whole, often amplified by operator’s actions erroneously adapted to those situations [1,2,5,6,8–10,15–17,20,29,32,33]. The emergent system behavior that occurs is influenced by uncertain cause-and-effect relationships and unscheduled discontinuities [17]. Those interactions create both significant uncertainties and overall opaqueness in the system, which consequently makes the operator dependent on indirect information, reducing his capacity of immediate analysis and ulterior action. Consequently, the safety margin is reduced, and the system becomes more vulnerable to accidents.

Such reality leads to the concept of coupling and complexity introduced by Perrow [20]. In this model, the various types of industries have their characteristics mapped on two axes: complexity and coupling, as illustrated in Fig. 1. These peculiarities highlight the importance of an organized situational awakening, which can be described as the capacity to estimate in the short term the anticipated effects following actions, and to at least ensure that obvious anomalies are quickly detected and corrected. Many studies mention the importance of observing and carefully analyzing “warning flags” or “precursors” in order to prevent major accidents from happening [1,8,13,19,23,30,42,48].

Fig. 1 shows that mining is an industry with complex interactions but loose coupling. This statement does not always apply to the management of tailing dams or underground coal mining, which may have tight coupling as an attribute. The characterization of an industry on Perrow’s diagram (Fig. 1) also gives an indication of its organizational structure and work processes requirements. An organization operating in a complex and strongly coupled operational environment must pay attention to centralization and decentralization of the decision-making process [27,30].
Considering the unique and irreversible character of event initiators, some decision-making in the field cannot allow delays. The chain of authority then has to be modified to allow a timely reaction, reflecting a global direction already known by the organization members (system behavior is too complex to enable a centralized real-time control). Thus, organizations should have enough flexibility to be applicable in many different and unanticipated situations. Such “on-the-spot” decision-making must be supported by transverse (cross-functional) functions. The latter involves a participation of several ad hoc specialized units which can act in unison to realize an analysis by considering all the relevant aspects while facing an unforeseen situation [17].

Fig. 1. Interactions/coupling and complexity [21].

5. Human and organizational performance model

To grasp and understand the impact of human and organizational performance as contributing factors to accidents in complex systems, it is necessary to have an adequate organizational and human performance model. It must be coherent, adapted and universal. The advantage of such a higher-level model is that it enables a shared taxonomy, common to event analyses, supervision, planning and even safety and organizational culture. Indeed, operating experience can benefit immensely from a model that can be used in all activities, a must in pre-job briefings for the infrequent evolutions. The strength of the model resides also in its capability to depict events as complex interactions with several potential influences and accident scenarios without limiting itself to a unique sequence. It goes beyond the simple approach of redundant barriers, which gives a very linear reading of the events.

To err is human: the basic premise of human performance is that everyone is willing to perform adequately and tries to fulfill his/her tasks to meet expectations. However, mistakes happen and this cannot be avoided. These errors are basically predictable and controllable in many ways. Thus, their frequency can be reduced. An improvement in human performance means reducing the factors favorable to error occurrence. Given that they cannot be eliminated, one should limit their consequences [32,33].

Fig. 2 provides an illustration of the elements that exist before a typical event occurs. Breaking the linkages may prevent events. It essentially means interrupting a series of inadequate behaviors at individual and organization levels leading to a “drift to failure” through a continuous degradation/reduction of safety margin.

Fig. 2. Anatomy of an event, improved model [32].

For events involving human performance, the most interesting aspect is the error itself, not as a cause of an event, but as the occurrence of the event “error” itself. In fact, both success and failure paths share the same mental processes, and only the outcome differs. An error is considered as such because of the unwanted result it brings. The human error which generates an event is only a symptom for which the cause must be found. In this context, an analysis must determine why the event happened (“direct cause”), and why it was not prevented (“fundamental cause”). That fundamental cause should question and target the organization (expanded fundamental causes). The direct cause is associated with preventive barriers, mitigating barriers and error precursors [1,17,32,33,43]. Yet, it is known that in complex system.

The function of a preventive barrier is to preclude errors or lapses. Procedures, training, qualification and work practices are all preventive barriers and aim at reducing the number of errors. Mitigating barriers, on the other hand, aim at limiting the consequences that may follow an inadequate action. Steel cap boots or inflating air bags in cars are mitigating barriers to limit consequences of mishaps. Precursors are sneakier. They include subtle elements in the working environment, or invisible constraints within the task. Abnormal configurations or pressure to execute a task with tight deadlines are all conditions which have a direct or indirect negative influence on the cognitive processes required for the safe execution of a task [1,17,19,32,33,39].

Cognitive and motivational biases may play an important (negative) role in creating an unfavorable environment which could significantly degrade safety margins and lead to accident [31,39]. Within the concept of biases, cognitive bias refers to “a systematic discrepancy between the correct answer in a judgmental task, given by a formal normative rule, and the decision maker’s or expert’s actual answer to such a task”.
Motivational biases, on the other hand, refer to a distortion in decision making with respect to the desirability or undesirability of events, consequences, outcomes or choices [31].

Both the supervision and the organizational oversight are processes designed for validating that barriers are adequate and efficient. As mentioned above, people in positions of authority ensure the adequacy of the measures in place to allow an orderly, secure and effective completion of the tasks assigned to the staff. This adequacy must be verified by an ongoing process to make sure that the required measures are well organized, that expectations are communicated and met, and that nothing invalidates the organizational hypotheses. Supervision is the real-time twin of audit and oversight. If gaps are detected between expectations and observations, additional error prevention tools should be considered.

The term “organizational” refers to the various factors that imply a collective behavior. Communications, organizational clarity and centralization of decision-making are examples of such factors. The weakness of one or several of these factors can compromise the quality of the activities and their products [17].

6. Importance of a model for evaluating deviations

As noted earlier, the notion of deviation or anomaly can vary significantly from one organization to another. However, this concept inevitably implies a model of conformity (to define non-compliances). For example, a lost time accident will initiate a formal causal analysis. The expectation then may be to identify failures and improvement opportunities within the range of influence of supervisors. One shall thus ask the analysts to evaluate conformity in terms of procedure adherence, use of protective equipment, fitness for duty and employee’s motivation. This first evaluation can then be completed by the evaluation of the qualification and the staff training, the profile of the actors (individual capacity to realize the tasks which are assigned to them) or the workload.

Such an approach implicitly considers an occupational incident as a possible although unwanted situation. Indeed, it does not question the organization and represents an implicit model which does not exclude such events because it is already expected to handle such situations. One calls that “the first loop learning”, because the event does not indicate a loss of control (given that it was considered possible), and does not significantly challenge the organization.
On the other hand, ‘‘the second learning loop” involves investigating why an event was not prevented and what the organizational (fundamental) cause of the mishap is studied by Loiselle et al. [17,35,43]. This part is a real challenge for management as it requires introspection and is often perceived as a self-blaming exercise. Nevertheless, this activity is inevitable for adequate root cause identification.


D. Komljenovic et al. / International Journal of Mining Science and Technology 27 (2017) 617–625

7. Ways to improve organizational performance for improved safety

Although most of the endeavor to improve safety has focused on event analyses and human performance improvement in the field, the last twenty-five years also produced a lot of thinking on another level of complexity, namely organizational culture and particularly safety culture. The culture of an organization can be compared to the behavior of an individual. One can get a lot of information from observations made during work activities. These observations will detect the same strengths and weaknesses that one may find during an event analysis. At the higher level, one can make cultural observations, for which the visible attributes can be related to conditions that contribute to organizational weaknesses. These organizational weaknesses will multiply the probabilities of error precursors and inefficient barriers and, in turn, increase the risk of occurrence of an incident/accident.

The complexity of the operational and business environment requires a new way of thinking and managing modern organizations [1,10,11,14,19,22,23,30,36,37,44]. Taking the complexity into account is a necessity, not an option, nor a decision [6]. The traditional approaches to the management of complex organizations in a complex environment have reached their limits, and new ways of thinking in this regard are necessary. This issue is discussed by several scholars and practitioners [1,14,21,22,27,29,30,34,36,37]. Based on the current state of the art and practice, below is a discussion of potential ways in which organizations can cope with the complexity and keep performing, ensure safety and be economically viable.

The Institute of Nuclear Power Operations (INPO) published a key reference identifying the main attributes helping operators of nuclear generating stations to achieve excellence in their integrated risk management [42]. These basic principles are well adaptable and applicable in other industries. They involve the following characteristics:

(1) Behaviors. The INPO compiles the expected behaviors representative of effective integrated risk management elements and attributes. They are listed for four organizational levels—individuals, supervisors/managers, senior managers, and corporate executives—for each element of integrated risk management. Additional behaviors are also described for integrated risk management governance.

(2) Organizational characteristics for effective integrated risk management. Principles, policies, practices, oversight, and training are established and maintained to ensure that a comprehensive risk management strategy is in place over the life cycle of the nuclear asset.

(3) Integrated risk management warning flags. The warning flags are provided to help individuals and managers identify potentially adverse conditions within their organizations that could affect integrated risk management. These warning flags are grouped by defenses that are relied on to minimize risk-related events. Managers are encouraged to reflect on these warning flags and use them to stimulate discussion in a variety of management forums. These warning flags can be used as the basis for conducting situational or organizational self-assessments.

For example, some warning flags/precursors of accidents include, but are not limited to: leadership (or lack of it), time pressure (real or perceived), unofficial messages from supervisors or corporate offices, acceptance of abnormalities, sense of invulnerability, inadequate identification of risks, insidious degradation of standards, etc. [1].

Other authors propose similar concepts and principles. It seems that there exists a common understanding that the quantification of the risks of major mishaps does not allow their meaningful “prediction”. In fact, it is basically impossible to accurately determine very low probabilities. One may easily miss several orders of magnitude. Instead, risk assessment is aimed at supporting effective risk management [8,13,19,48]. The risk assessment and risk management in those cases involve the surveillance of warning signals, precursors, near-misses, and the analysis of low level events, as well as the reinforcement of the system (increasing its resilience and robustness), and a thoughtful response strategy. It also implies a careful examination of organizational factors such as the incentive system, which shapes human performance and affects the risk of errors [19]. Cox claims that robust and adaptive methods provide genuine breakthroughs for improving predictions and decisions in such cases, contributing to improved safety [49]. To confront possible major mishaps, one generally needs to balance risk-based approaches, the cautionary/precautionary principle (robustness, resilience), and discourse-based approaches [7,13,23,24,48,49].

In addition, organizations should put in place a continuous improvement process based on various feedbacks from internal and external sources as well as any other relevant sources (e.g. internal and external audits and/or operating experience). This way, one may create conditions for a learning organization which increases its resilience and robustness to unanticipated and surprising events [13,22,24,35,36,38]. This attribute is also called “Antifragility” by some scholars [23,48]. The key words here are adaptability and co-evolution of organizations with a complex and continuously changing internal and external operational and business environment.

It is worth highlighting that this philosophy has been adopted from the beginning by the nuclear power industry through the concepts of fundamental safety principles and defense-in-depth [5,41,50,51]. Additionally, a strong, healthy safety culture will provide an environment in which the probability of major accidents and failures will be significantly reduced. However, they will not be eliminated, due to the inherent sensitivity of any organizational culture to senior management influences [1].

Some suggestions for improving and managing human-performance risk are to frequently talk about risk; carry out gap analysis between expectations and observation of field behavior; actively solicit divergent opinion to avoid intentional blindness; discuss antecedents for people’s behavior, including unofficial corporate messages; never allow doubt and uncertainty to go unchallenged; demand proof that a system is sufficiently safe to operate; beware if a root cause investigation concludes with only a finding of negligence; and expand the scope of defence-in-depth strategies to include complex systems [1].

8. Mining case study

The arguments discussed in this paper are now analyzed in light of the official MSHA report on the Upper Big Branch (UBB) Mine Accident. On April 5, 2010, a massive coal dust explosion occurred at the Upper Big Branch Mine-South (UBB), killing 29 miners and injuring two. This tragic explosion was the largest coal mine disaster in the United States in 40 years [2,40].

The Upper Big Branch Mine-South (UBB) is an underground bituminous coal mine located in Raleigh County, West Virginia. Coal at UBB was mined from the Eagle coal seam. The average thickness of the seam was 1.37 m, including sandstone partings. In 2009, the mine produced 1,235,462 raw tons of coal using longwall mining. At the time of the accident, the mine had four sets of drift openings and a fan shaft. The mine used an atmospheric monitoring system (AMS) on the conveyor belts for fire detection and for individual conveyor belt status reports. An AMS operator monitored the system from the surface. Underground employees used a “leaky feeder” radio system installed at all active sections and along the primary and secondary escape ways for two-way communications. Underground employees would report their locations periodically to the dispatcher for tracking purposes. These employees were also tracked using wireless radio frequency identification (RFID) tags and a network of RFID tag readers. At the time of the accident, the tracking system was installed to just inby crosscut 101 of the North Glory Mains.

Initially, the preventive and mitigating barriers were not adequately implemented and/or maintained. Corrective action program (CAP) weaknesses led to understating assessed hazards (“flawed controls” in Fig. 2). The basic training in noncompliance, hazard recognition, and prevention of accidents, roof control, ventilation and new tasks was less than adequate. Tests for dust and methane were not consistently carried out. Those barriers, required for workers’ health and safety protection, were not effective.

Precursors, local factors that facilitate committing errors, were also abundant (“error precursors” in Fig. 2). For example, conditions like not performing adequate pre-shift, on-shift, or weekly examinations were observed frequently. Numerous existing hazardous conditions were not identified, hence not corrected. Multi-gas detectors were repeatedly not energized, leading to inadequate air measurements. Longwall shearers were not kept in safe operating conditions (worn bits on the face ring). Cleaning and rock dusting (90% of samples were non-compliant) were not satisfactory. Clogged water sprays hindered particle detection. Finally, there was a significant accumulation of loose coal, coal dust, and float coal dust.

Validation processes (audits and CAP) did not report safety problems. Employees were discouraged from listing hazards, which were hence not corrected. For instance, there were numerous noncompliances with the approved ventilation plan (“initiating action” in Fig. 2).

As for supervisory activities, it was noted that advance notice was given to personnel of MSHA presence on site. Correcting and fixing hazards was a priority only prior to MSHA visits. False measurements were recorded on numerous occasions. Hazardous conditions were not corrected or even posted as hazards. As far as decision making is concerned, even though for safety concerns it should be decentralized, the right of workers to participate in their own safety was not recognized (“latent organizational weaknesses” in 0). Thus, most of the good and sound practices discussed in the previous section were not respected, which opened the way to the disaster.

Because of such obvious violations of basic regulations and rules, the UBB accident also initiated a more in-depth analysis by the U.S. nuclear regulatory body, the U.S. Nuclear Regulatory Commission (NRC), regarding weaknesses in the safety and organizational culture attributes expected in an organization with a good safety culture [40]. Table 1 presents a synopsis of this analysis against the U.S. NRC safety culture attributes (or lack of them in the current case). The same table is further expanded in order to identify the dominant cognitive and motivational biases, as presented by Montibeller and Winterfeldt, which contributed to the violation of safety culture principles, leading to significantly reduced safety margins, and finally led to this accident through a “drift to failure” [17,31].

The above analysis helps identify the main cognitive and motivational biases which contributed to the accident occurrence: cognitive biases are mainly overconfidence, omission of important variables, and myopic problem representation; motivational biases include desirability of options/choice, groupthink, affect influenced, confirmation biases, and undesirability of a negative event or consequence. Montibeller and Winterfeldt identify several debiasing approaches/techniques that could be relevant for further analyses [31]. The issue of debiasing approaches in the mining industry may be an appropriate research topic in the future as a contributing factor for improving its safety at both individual and organizational levels.

Furthermore, one should ask what mining (and other) organizations can learn from this catastrophe. As discussed by the U.S. NRC, this accident reinforces the need for, and importance of, promoting a positive safety culture by routinely evaluating an organization’s safety culture activities and initiatives and by making enhancements and adjustments to ensure that an organization remains proactive and appropriately focused on this important area [40]. This case study points to the following key lessons:

(1) Senior management dictates the tone for the balance between safety and corporate performance. These two items are not mutually exclusive and can and must successfully coexist. However, a strong safety culture demands a safety first approach to business.

(2) No single event led to this catastrophe. Instead, it resulted from a series of events that were precipitated by a work environment in which workers were not encouraged to raise safety concerns and managers may have been discouraged from halting production in order to address an unsafe condition.

(3) This disaster may have been avoided had there been a more robust, positive safety culture in which workers and managers were encouraged to raise concerns.

As far as this catastrophe is concerned, the conditions that led to the explosion were the result of a series of basic safety violations and were entirely preventable. The root cause of this tragedy is deeply linked to violations of safety standards and to unlawful policies and practices implemented by the owner, which resulted in the conditions that caused the explosion. This catastrophe clearly represents an “organizational accident” [29].

Table 1. Analysis of UBB accident and cognitive and motivational biases involved.

| NRC safety culture [40] | Evidence of weak safety culture [40] | Cognitive/motivational bias [31] | Description of bias [31] |
|---|---|---|---|
| Leadership safety values and actions in which leaders demonstrate a commitment to safety in their decisions and behaviors | PCC/Massey leadership illegally provided notice to miners of MSHA inspections in advance | Desirability of options/choice (motivational); Groupthink (motivational); Myopic problem representation (cognitive) | This bias leads to over- or underestimating probabilities, consequences, values, or weights in a direction that favors a desired alternative; Voicing untrue opinions or keeping silent due to social pressure; Oversimplified problem representation is adopted based on incomplete mental model |
| Problem identification and resolution in which issues potentially affecting safety are promptly identified, fully evaluated, and promptly addressed and corrected commensurate with their significance | “. . .when a worker told [the] foreman about the air reversal, [air moving the opposite direction of where it should have been in order to properly vent the mine] ‘He didn’t say nothing, he just walked away.’” The pre-shift, on shift examination system—devised to identify problems and address them before they became disasters—was a “failure” | Overconfidence (cognitive); Omission of important variables (cognitive); Confirmation biases (motivational); Undesirability of a negative event or consequence (motivational) | Decision-makers provide estimates for a given parameter that are above the actual performance; An important variable is overlooked; There is a desire to confirm one’s belief, leading to unconscious selectivity in the acquisition and use of evidence |
| Personal accountability in which all individuals take personal responsibility for safety | In the weeks preceding the disaster, investigators found that one UBB foreman’s hand held methane detector had not been turned on, even though he filled in examiner’s books as if he had taken gas readings | Myopic problem representation; Omission of important variables; Desirability of options/choice; Undesirability of a negative event or consequence (motivational) | Idem |
| Work processes in which the process of planning and controlling work activities is implemented to maintain safety | “In instances in which a section boss did halt production because of a dangerous condition, such as wholly inadequate ventilation, he was instructed to write only ‘downtime’ | Myopic problem representation; Omission of important variables; Undesirability of a negative event or consequence (motivational) | Idem |
| Environment for raising concerns in which a safety-conscious work environment is maintained where personnel feel free to raise safety concerns without fear of retaliation, intimidation, harassment, or discrimination | Witness testimony revealed that miners were intimidated by UBB management and were told that raising safety concerns would jeopardize their jobs. As a result, no whistleblower disclosures were made in the 4 years preceding the explosion, despite an extensive record of PCC/Massey safety and health violations” | Affect influenced (motivational); Myopic problem representation; Omission of important variables; Undesirability of a negative event or consequence (motivational) | Emotional predisposition for, or against, a specific outcome that taints judgments; Idem |
| Continuous learning in which opportunities to learn about ways to ensure safety are sought out and implemented | PCC/Massey inadequately trained their examiners, foreman and miners in health and safety especially in hazard recognition, performing new job tasks and required annual refresher training | Myopic problem representation; Omission of important variables; Desirability of options/choice; Undesirability of a negative event or consequence (motivational) | Idem |
| Effective safety communications in which communications maintain a focus on safety | “Workers at UBB were treated in a ‘need to know’ manner. They were not apprised of conditions in parts of the mine where they did not work. Only a privileged few knew what was really going on throughout UBB” | Myopic problem representation; Omission of important variables; Desirability of options/choice; Undesirability of a negative event or consequence (motivational) | Idem |
| Respectful work environment in which trust and respect permeate the organization | “Miners also mentioned disrespectful written messages they received” from [a senior manager]. Others were intimidated by [a manager’s] “nasty notes” | Myopic problem representation; Omission of important variables; Undesirability of a negative event or consequence (motivational) | Idem |
| Questioning attitude in which individuals avoid complacency and continuously challenge existing conditions | “Testimony revealed that UBB’s miners were intimidated to prevent them from exercising their whistleblower rights | Myopic problem representation; Omission of important variables; Desirability of options/choice; Undesirability of a negative event | Idem |

9. Conclusions

Initiatives in human and organizational performance are percolating from the nuclear power industry and high risk organizations, where they have been used successfully in the last decades, to other types of industries.

The classical view and analysis of major accidents is questioned nowadays in the context of highly complex technological systems operating in a complex operational and business environment. It is argued that those systems should be considered as complex adaptive systems. This complexity and the underlying interdependencies are not always adequately taken into consideration. Thus, new approaches should be elaborated for improving the understanding of conditions leading to such undesirable events.

In this paper, it is shown that the role of organizational performance appears as a determining factor in creating unfavorable conditions leading to a “drift to failure” through eroding safety margins throughout organizations. One of the dominant aspects in this context concerns various motivational biases, mainly at the management level, overwhelmingly focusing on performance and efficiency, and neglecting safety. This is a worrying observation in complex systems where the opacity and hidden connections between their components and sub-systems have a great potential of producing catastrophic events/accidents through initially small perturbations. An improved model of accident analysis is proposed that takes into account this new context.

Considering the evolution of the industrial environment characteristics, these approaches can be used as a more global methodology for analyses of accidents and low level events, and for their inclusion in a general frame of organizational culture. Recent major accidents illustrate the presence of these factors and the advantages of recognizing their harm and the potential consequences of organizational failures, which can be detected in a preventive way with an analysis process of low level events.

The Upper Big Branch Mine-South accident which happened in 2010 has been studied to demonstrate the use of the proposed model. It further expands the findings of the official investigation by considering the above-discussed factors, which are not systematically considered.

Studying in more depth the issues of complexity, organizational and human performance, as well as the impact of cognitive and motivational biases in decision-making on mine safety, represents a relevant subject for future research works. The further development and improvement of the proposed accident model is also suggested.

References

[1] Mosey D. Looking beyond operator–putting people in the mix. Nucl Eng Int Mag, 24 November 2014.
[2] MSHA Investigation. Fatal Underground Mine Explosion. Upper Big Branch Mine-South, Performance Coal Company. Montcoal, Raleigh County, West Virginia. ID No. 46-08436; 2011.
[3] National Commission on the BP Deep Water Horizon Oil Spill and Offshore Drilling. Deep Water The Gulf Oil Disaster and the Future of Offshore Drilling, Report to the President. Washington D.C.; 2011.
[4] National Transportation Safety Board. Aircraft Accident Report. Descent Below Visual Glidepath and Impact With Seawall, Asiana Airlines Flight 214, Boeing 777–200ER, HL7742. San Francisco, California, July 6, 2013.
[5] Toronea M, Ciurea C. Nuclear safety culture attributes and lessons to be learned from past accident. Int Nucl Safety J 2014;3(3):1–7.
[6] Arstad I, Aven T. Managing major accident risk: concerns about complacency and complexity in practice. Saf Sci 2017;91:114–21.
[7] Aven T. Implications of black swans to the foundations and practice of risk assessment and management. Rel Eng Syst Safety 2015;134:83–91.
[8] Aven T. Risk, surprises and black swans, fundamental ideas and concepts in risk assessment and risk management. London and New York: Routledge, Taylor & Francis Group; 2014.
[9] Carrillo RA. Complexity and safety. J Saf Res 2011;42(4):293–300.
[10] Dekker S, Cilliers P, Hofmeyr JH. The complexity of failure: implications of complexity theory for safety investigations. Saf Sci 2011;49:939–45.
[11] Homer-Dixon T.
Complexity science, shifting the trajectory of civilization. Oxford Leadersh J 2011;2(1):2–15.
[12] Johnson WG. Accident/incident investigation manual. U.S. Energy Research and Development Administration, Division of Safety, Standards, and Compliance; 1975.
[13] Komljenovic D, Gaha M, Abdul-Nour G, Langheit C, Bourgeois M. Risks of extreme and rare events in asset management. Saf Sci 2016;88:129–45.
[14] Komljenovic D, Abdul-Nour G, Popovic N. An approach for strategic planning and asset management in the mining industry in the context of business and operational complexity. Int J Min Min Eng 2015;6(4):338–60.
[15] Leveson NG. Engineering a safer world, systems thinking applied to safety. Cambridge (MA): The MIT Press; 2011.
[16] Leveson NG. Applying system thinking to analyze and learn from events. Saf Sci 2011;49:55–64.
[17] Loiselle G, Komljenovic D, Kumral M. From operational hazards to organizational weaknesses: changing the focus for improvement. In: Proceedings of 3rd international symposium on mine safety science and engineering, Montreal, Canada.
[18] Olson E, Miller S, Wohar ME. “Black Swans” before “Black Swan” evidence from international LIBOR-OIS spreads. J Int Money Finance 2012;31(6):1339–57.
[19] Paté Cornell ME. On “Black Swans” and “Perfect Storms”, risk analysis and management when statistics are not enough. Risk Anal 2012;32(11):1823–33.
[20] Perrow C. Normal accidents: living with high risk technology. New York: Princeton University Press; 1984.
[21] Rasmussen J. Risk management in a dynamic society: a modeling problem. Saf Sci 1997;27(2):183–213.
[22] Schneider M, Somers M. Organizations as complex adaptive systems: Implications of Complexity Theory for leadership research. The Leadersh Quart 2006;17:351–65.
[23] Taleb NN. Antifragile, things that gain from disorder. New York: Random House; 2012.
[24] Zio E. Challenges in the vulnerability and risk analysis of critical infrastructures. Rel Eng Syst Safe 2016;152:137–50.
[25] OECD Reviews of Risk Management Policies. Future Global Shocks, Improving Risk Governance (preliminary version). OECD; 2011.
[26] Reason J. Human error. New York: Cambridge University Press; 1990.
[27] Rzevski G. A practical methodology for managing complexity. Emerg Complex Organ 2011;13(1–2):38–55.
[28] Reason J. Managing the risk of organizational accidents. Burlington: Ashgate Publishing; 2006.
[29] Marais K, Saleh JH, Leveson NG. Archetypes for organizational safety. Safe Sci 2006;44:565–82.
[30] Rzevski G, Skobelev P. Managing complexity. Billerica (MA): WIT Press; 2014.
[31] Montibeller G, Winterfeldt D. Cognitive and motivational biases in decision and risk analysis. Risk Anal 2015;35(7):1230–51.
[32] Department of Energy, DoE. Human performance improvement handbook. Washington DC: DOE Standard; 2009.
[33] IAEA. Managing human performance to improve nuclear facility operation, Vienna; 2013.
[34] Alvesson M, Spicer A. Stupidity based theory of organizations. J Manage Stud 2012;49(7):1194–220.
[35] Argyris C, Schön D. Organizational learning II: theory, method and practice. Reading (MA): Addison Wesley; 1996.
[36] Stacey RD, Mowles C. Strategic management and organisational dynamic; the challenge of complexity to ways of thinking about organizations. 7th ed. London: Pearson; 2016.
[37] Uhl-Bien M, Marion R, McKelvey B. Complexity leadership theory: shifting leadership from the industrial age to the knowledge era. The Leadersh Quart 2007;18(4):298–318.
[38] Wahlström B. Organisational learning–reflections from the nuclear industry. Safe Sci 2011;49(1):65–74.
[39] Kahneman D. Thinking, fast and slow. New York: Farrar, Straus and Giroux; 2012.
[40] US NRC. Safety culture communicator, case study 4: April 2010 Upper Big Branch Mine Explosion – 29 Lives Lost, Washington DC; 2012.
[41] IAEA. Safety standard series, No. SF-1, fundamental safety principles. International Atomic Energy Agency, Vienna; 2006.
[42] Institute of Nuclear Power Operations, Excellence in Integrated Risk Management; The elements, attributes, and behaviors that exemplify excellence in integrated risk management INPO 12–008, Rev. 1, August 2013.
[43] NERC. Cause analysis methods for NERC. Regional Entities, and Registered Entities; 2011.
[44] OECD Global Science Forum. Application of complexity science for public policy. New tools for finding unanticipated consequences and unrealized opportunities, Erice, Italy; 2009.
[45] Ouyang M. Review on modeling and simulation of interdependent critical infrastructure systems. Rel Eng Syst Safe 2014;121(1):43–60.
[46] Bukowski L. System of systems dependability–theoretical models and applications examples. Rel Eng Syst Safe 2016;151:76–92.
[47] National Infrastructure Simulation and Analysis Center (NISAC). Sandia National Laboratories, Complex Adaptive Systems of Systems CASoS; 2016.
[48] Aven T. The concept of antifragility and its implications for the practice of risk analysis. Risk Anal 2015;35(3):476–83.
[49] Cox LAT. Confronting deep uncertainties in risk analysis. Risk Anal 2012;32(10):1607–29.
[50] IAEA. Basic Safety Principles for Nuclear Power Plants 75-INSAG-3, Rev. 1, INSAG-12, A report by the International Nuclear Safety Group, International Atomic Energy Agency. Vienna; 1999.
[51] IAEA. Defense in Depth in Nuclear Safety, INSAG-10, a report by the International Nuclear Safety Group, International Atomic Energy Agency. Vienna; 1996.
[52] Katina PF. Systems theory-based construct for identifying metasystem pathologies for complex system governance. Virginia: Old Dominion University; 2015.
[53] Transportation Safety Board of Canada, Railway Investigation Report R13D0054. Runaway and Main-Track Derailment. Montreal, Maine & Atlantic Railway, Freight Train MMA-002 Mile 0.23. Sherbrooke Subdivision, Lac-Mégantic, Quebec; 2014.
[54] Verma S, Chaudhari S. Highlights from the literature on risk assessment techniques adopted in the mining industry: a review of past contributions, recent developments and future scope. Int J Min Sci Tech 2016;26(4):691–702.