Avoiding disaster Engineering, Technology and the Law

1
Avoiding disasterEngineering, Technology and the
Law

• M. G. Lay
• What should reasonably be expected

2
The unwitting witness

• The lecture will describe how normal producing
  organisations could be expected to operate,
• pre-disaster, and therefore,
• what could be expected of them,
• during a disaster,
• immediately after a disaster, and
• much later.
• and, hence, what could be expected of your
  witness a normal but unwitting participant in a
  disaster.

3
Organisational structure

• What is a normal, producing, organisation? From
  a structural viewpoint
• A producing organisation is a complex, operating,
  value-adding system
• comprised of a set of interlinked but
  self-contained processes (defined in Note to
  clause 4.1 of ISO 9000).
• A process is the transformation of an input into
  an output
• adding value during the transformation.
• The output from one process is usually the input
  to another process. However, for the final
  process, the output is the organisations product.

4
Organisational attitudes

• What is a normal, producing, organisation? From
  an attitudinal viewpoint, and despite the media
  and your particular clients, most organisations
  are
• competent and well-run,
• effectively managed with good systems,
• ethical law-abiding,
• as a first priority, focussed on their
  continuance,
• driven by strategies and required outcomes,
• continually learning and improving,
• risk adverse.

5
On the deck of the Titanic(disasters are not the
organisational norm)

• Thus, this lecture will
• focus on the simple elemental processes that are
  the building blocks of complex organisations,
• assume that people in such organisations will
  normally behave rationally and legally,
• discuss strategies rather than outputs,
• all in the context of a disaster about to happen.

6
Process expectations, 1(Organisations are
comprised of interacting processes)

• The expectations held for the output of each
  elemental process are developed from
• customer requirements
• the producer will have given the consumer advance
  assurances about the product to be supplied
• 1A. requirements not specified by the customer,
  but necessary for the use of the product
  (9001/Clause 7.2.1a)
• company policy and objectives
• the shareholders/owners wishes will be known
• and will usually relate to long term return on
  investment
• (continued)

7
Process expectations, 2(most organisations are
ethical and law-abiding)

• external requirements, which will include
• company law and related laws regulations
• OHS regulations
• accounting regulations
• environmental protection regulations
• the triple bottom line
• economic performance
• environmental performance
• social performance
• industry practice
• benchmarking

8
Managing processes(a producing organisation is a
complex system of processes)

• Three world-wide trends are that organisations
  are
• prepared to enter long-term partnerships, beyond
  conventional contracts.
• increasingly self-regulated
• despite the war stories, the alternative of
  regulation by government is too horrendous to
  even contemplate, let alone revisit
• the independent reviewer provides a middle ground
• qms makes self-regulation feasible
• committed to quality management systems (qms).

9
Quality management systems, 1

• Quality management systems (qms) are now the norm
  throughout Australian industry
• qms is a worldwide approach, with much
  international consistency and success,
• an organisation without qms must be suspected of
  major deficiencies. It should be asked
• why does it not use qms?
• which of its current problems could have been
  avoided by the proper use of qms?

10

• Mr A is an employee of Organisation B, where a
  disaster has occurred.
• Mr A, does Organisation B have a qms?

11
Quality management systems, 2

• In Australia, qms is governed by Standard
• AS/NZS ISO 90012000
• ISO is the International Standards Organisation
  and
• the Australian Standard is, properly, a direct
  copy of the ISO standard.
• The first Australian version was issued in 1987.
• The current version is the third edition.
• External formal certification via JASANZ
  accreditation is normal rigorous.

12

• Mr A is an employee of Organisation B, where a
  disaster has occurred.
• Mr A, a. does Organisation B have a qms? b. has
  it been certified?
• Is it in accordance with ISO 9001?
• In terms of clause 4.1 of ISO 9001, in which
  process did the disaster occur? (Answer process
  C)
• In the context of clause 4.1 of ISO 9001, please
  describe process C.
• In the context of clause 4.1c of ISO 9001,
  please describe the criteria and methods being
  used to ensure effective operation of process C.

13
Quality management systems, 3

• In an organisation, qms operates at both
  strategic and operational levels
• The core methodology is plandocheckact
• qms does not imply
• uniformity
• voluminous documentation
• qms does imply
• a focus on process management
• understanding requirements
• self-regulation

14

• Is the qms in accordance with ISO 9001?
• In terms of ISO 9001, in which process did the
  disaster occur? (Answer process C)
• In the context of clause 4.1 of ISO 9001, please
  describe C.
• In the context of clause 4.1c of ISO 9001,
  please describe the criteria and control methods
  being used to ensure effective operation of
  process C.
• a. In the context of clause 4.1e of ISO 9001,
  were you monitoring, measuring and analysing
  process C? b. Was the associated documentation
  controlled in accordance with Clause 4.2.2?

15
Quality management systems, 5(a documented
process control regime)

• Control mechanisms are required for document
• approval,
• availability,
• legibility and identification,
• distribution, storage and retrievability,
• review and up-dating,
• change management and status definition,
• obsolescence disposition.
• Clause 4.2.4

16
Quality management systems, 4 (external process
expectations and requirements were discussed
earlier)

• Qms requires the relevant portions of an
  organisations process expectations and
  requirements to be explicitly
• established,
• determined given local relevance, and
• adopted,
• by the Organisation.
• ISO 9001/clause 7.2.2

17

• a. In the context of clause 4.1e of ISO 9001,
  were you monitoring, measuring and analysing
  process C? b. Was the associated documentation
  controlled in accordance with Clause 4.2.2?
• In the context of clause 7.1 of ISO 9001, what
  product was being produced at the time? Answer
  product D.
• In the context of clause 7.2.1 of ISO 9001, which
  requirements was product D meeting? Answer
  requirements E.
• In the context of clause 7.2.2 of ISO 9001, had
  requirements E been reviewed?
• How do requirements E compare (benchmark) with
  those in use by similar organisations?

18
Quality processes, 1(an organisation is a set of
independent but interlinked processes)

• With qms understood, we return to our core
  discussion of the processes occurring within an
  organisation. Reiterating
• the processes used must all be
• identified,
• their method of operation defined, and
• their interactions determined.
• qms is about the control of
• the individual processes, and
• their interaction.
• the control method and associated criteria must
  be defined.

19
Quality processes, 2(the two classic
performance measures)

• Process control requires objectively measuring
  and analysing process performance with respect to
  process
• effectiveness
• outputs compared with expectations,
• an external measure
• efficiency
• outputs compared with inputs
• an internal measure

20
Quality processes, 3(the expectations held for
each process are developed from external, company
and customer requirements)

• Effectiveness measures will include feedback on
  how each of the above three sets of expectations
  
• external, company, customer
• are met.
• Efficiency measures relate to
• profitability
• sustainability

21
Organisations using qms, 1

• As well as having a process control regime, an
  organisation purporting to operate under qms must
  have documented, implemented and maintained a
• quality policy and set of quality objectives,
• quality manual for operating the qms,
• set of quality procedures, and
• record of events and actions.
• particularly with respect to conformity with
  procedures and defined processes.

22

• In the context of clause 7.2.1 of ISO 9001, which
  requirements was product D meeting? Answer
  requirements E.
• In the context of clause 7.2.2 of ISO 9001, had
  requirements E been reviewed?
• How do requirements E compare (benchmark) with
  those in use by similar organisations?
• In the context of clauses 4.2.1de of ISO 9001,
  what documents records exist concerning the
  operation and control of Process C?
• In the context of clause 8.2.4 of ISO 9001, what
  do the records say about the conformity of
  process C product D?

23

• How do requirements E compare (benchmark) with
  those in use by similar organisations?
• In the context of clauses 4.2.1de of ISO 9001,
  what documents records exist concerning the
  operation and control of Process C?
• In the context of clause 8.2.4 of ISO 9001, what
  do the records say about the conformity of
  process C product D?
• a. Is your Company committed to qms? b. Is it
  being properly applied?
• a. How would you describe your Companys approach
  to non-conformances? b. Do you self-regulate?
  c. Is it effective?

24
Organisations using qms, 2(top management
commitment)

• Top management shall provide evidence of its
  commitment to
• the development and implementation of a qms, and
• continually improving the effectiveness of the
  qms,
• by
• communicating to the organisation the importance
  of meeting customer, shareholder and regulatory
  requirements,
• establishing a quality policy,
• ensuring that quality objectives are established,
• conducting management reviews,
• ensuring the necessary resources are available.
• ISO 9001, Clause 5.1

25

• In the context of clause 8.2.4 of ISO 9001, what
  do the records say about the conformity of
  process C product D?
• a. Is your Company committed to qms? b. Is it
  being properly applied? c. How is the Companys
  support demonstrated? d. When was the last
  management review? e. Are you adequately
  resourced? f. How do your comments specifically
  apply to Process C?
• a. How would you describe your Companys approach
  to non-conformances? b. Do you self-regulate?
  c. Is it effective?
• a. What is your position in the Company? b. What
  are you responsible for? c. Who do you report
  to? d. Do they support your qms activities?
• What quality improvements were made in qms in the
  year before the disaster?

26
Organisations using qms, 3(top management
commitment)

• Top management must also ensure that the qms
• covers all functions and levels in the
  organisation,
• Clause 5.4.1
• has defined responsibilities and authorities,
• Clause 5.5.1
• has a manager with the right responsibility,
  authority and reporting channels, Clause
  5.5.2
• has regular reviews (particularly with respect to
  preventative and corrective actions).
• Clauses 5.6.12

27

• a. Is your Company committed to qms? b. Is it
  being properly applied? c. How is the Companys
  support demonstrated? d. When was the last
  management review? e. Are you adequately
  resourced? f. How do your comments specifically
  apply to Process C?
• a. How would you describe your Companys approach
  to non-conformances? b. Do you self-regulate?
  c. Is it effective?
• a. What is your position in the Company? b. What
  are you responsible for? c. Who do you report
  to? Do they support your qms activities?
• What quality improvements were made via qms in
  your area the year before the disaster?
• a. Who is responsible for Process C? b. When was
  it last reviewed, particularly with respect to
  preventative and corrective actions?

28
(Poor) alternatives to qms

• qms or crisis management
• process control or tinkering
• safety plans or insurance/litigation

29

• a. How would you describe your Companys approach
  to non-conformances? b. Do you self-regulate?
  c. Is it effective?
• a. What is your position in the Company? b. What
  are you responsible for? c. Who do you report
  to? Do they support your qms activities?
• What quality improvements were made in qms in the
  year before the disaster?
• a. Who is responsible for Process C? b. When was
  it last reviewed, particularly with respect to
  preventative and corrective actions?
• Despite your Companys commitment to qms, is
  there a tendency to put it aside in times of
  crisis?

30
Production and service, 1

• Processes under qms must
• be carried out under controlled conditions, which
  include
• work instructions
• suitable equipment
• monitoring devices
• include objective and impartial audits of the
  qms,
• which in turn must be formally reported
• include verification that actions required by an
  audit are undertaken

31

• a. What is your position in the Company? b. What
  are you responsible for? c. Who do you report
  to? Do they support your qms activities?
• What quality improvements were made in qms in the
  year before the disaster?
• Despite your Companys commitment to qms, is
  there a tendency to put it aside in times of
  crisis?
• a. Who was responsible for Process C? b. When
  was it last reviewed, particularly with respect
  to preventative and corrective actions?
• Did Process C have adequate work instructions,
  equipment and monitoring devices?
• a. How many quality audits were done on Process
  C? b. Please table the records. c. How many
  non-conformances were listed?

32
What is an audit?(audits have proved to be
invaluable tools)

• A qms audit is a systematic examination against
  defined criteria to determine
• whether activities and related results conform to
  planned processes,
• whether the processes are
• implemented effectively, and
• able to achieve the defined output expectations.
• A qms audit is analogous to a financial audit.

33
Production and service, 2(nonconfomances can
arise form operators or auditors)

• Within qms, process nonconformities must have
• been noted recorded,
• had their causes determined,
• had corrective actions determined and
  implemented,
• had the results of any closure action assessed,
• been reviewed for possible closure.

34
Quality processes, 4(diligence it is not enough
to observe a problem)

• Thus, the next qms steps - after measuring and
  analysing a process - involve
• noting each conformity or non-conformity,
• taking appropriate action,
• recording all relevant information,
• making continual improvements based on these
  measurements and actions.

35

• a. Who was responsible for Process C? b. When
  was it last reviewed, particularly with respect
  to preventative and corrective actions?
• Did Process C have adequate work instructions,
  equipment and monitoring devices?
• a. How many quality audits were done on Process
  C? b. Please table the records. c. How many
  new non-conformances were listed.
• For each non-conformance related to Process C, a.
  describe the cause ascribed to the
  non-conformance, b. list the corrective action
  taken to correct it, c. estimate how effective
  the correction was, and d. describe the current
  status of the non-conformance.
• Did any continual improvements result from each
  Process C non-conformance?

36
OHS management systems, 1(Occupational health
and safety - the human obligation)

• OHS is one component of an organisations
  operation. It is covered by AS/NZS 48102001
  which
• provides a systematic approach to OHS
• has a special emphasis on hazards and risks.
• is based on qms
• and thus requires an OHS policy
• (continued)

37

• For each non-conformance related to Process C, a.
  describe the cause ascribed to the
  non-conformance, b. list the corrective action
  taken to correct it, c. estimate how effective
  the correction was, and d. describe the current
  status of the non-conformance.
• Did any continual improvements result from each
  Process C non-conformance?
• The disaster that occurred in Process C had OHS
  implications. To what extent were these foreseen
  or foreshadowed in a. the qms work instructions
  for Process C, b. the pre-disaster
  non-conformances for Process C and c. the
  pre-disaster audits of Process C?

38

• The disaster that occurred in Process C had OHS
  implications. To what extent were these foreseen
  or foreshadowed in a. the qms work instructions
  for Process C, b. the pre-disaster
  non-conformances for Process C and c. the
  pre-disaster audits of Process C.
• More specifically, the disaster that occurred in
  Process C highlighted hazards and risks in
  Process C. To what extent were these foreseen or
  foreshadowed in a. the qms work instructions for
  Process C, b. the pre-disaster non-conformances
  for Process C and c. the pre-disaster audits of
  Process C.
• What is your Companys OHS policy?

39
OHS management systems, 2

• (continued)
• requires management commitment to OHS,
• has demonstrable OHS conformance,
• is able to be independently certified,
• provides for
• monitoring,
• independent audits,
• continuous improvement.

40

• More specifically, the disaster that occurred in
  Process C highlighted hazards and risks in
  Process C. To what extent were these foreseen or
  foreshadowed in a. the qms work instructions for
  Process C, b. the pre-disaster non-conformances
  for Process C and c. the pre-disaster audits of
  Process C.
• What is your Companys OHS policy?
• Describe your managements commitment to OHS.
• a. What OHS non-conformances have you had
  recently? b. How many are relevant to Process C?

41

• What is your Companys OHS policy?
• Describe your managements commitment to OHS.
• a. What OHS non-conformances have you had
  recently? b. How many are relevant to Process
  C? c. Which were open when the disaster
  occurred?
• Have you had independent certification of your
  OHS practices?
• Describe how you monitored, audited and
  continuously improved OHS for Process C.

42
Hazards risks, 1(in an OHS context)

• Hazards and unacceptable risks must be
• identified,
• assessed, stating their
• potential
• consequences
• past experience
• controlled, and
• the controls evaluated
• emergency responses defined.

43

• Have you had independent certification of your
  OHS practices?
• Describe how you monitored, audited and
  continuously improved OHS for Process C.
• a. What hazards and unacceptable risks were
  identified in the Organisation in the periods
  prior to and after the disaster? b. What was
  their potential? c. How were they controlled?
  d. Were any relevant to the disaster? e. Did
  they alter your emergency response policy?

44
Hazards risks, 2

• Incidents associated with hazards must be
• investigated specifically
• including operating conditions
• investigated as system failures
• including studying similar past events
• used to initiate and complete corrective actions
  to either
• eliminate the risk,
• minimise the risk, or
• isolate the risk.

45

• a. What hazards and unacceptable risks were
  identified in the Organisation in the periods
  prior to and after the disaster? b. What was
  their potential? c. How were they controlled?
  d. Were any relevant to the disaster? e. Did
  they alter your emergency response policy? f.
  How many indicated system failures? g. Which
  were either minimised or isolated?

46
Best practice the Safety Case, 1

• A safety case is a documented demonstration of
  the way in which the hazards at a facility are
  managed to ensure acceptable risk.
• Risk Engineering Society, IEAust, Victoria
• It is consistent with
• qms, and
• performance-based management
• and is analogous to a Business Case
• providing assurance, and
• being capable of independent audit.

47

• f. How many indicated system failures? g. Which
  were either minimised or isolated?
• a. Did you have a Safety Case for Process C? b.
  If not, why not?
• Had your Safety Case been independently audited?
• a. How do you explain the disaster in the
  context of your Safety Case? b. How will you
  change the Safety Case?

48
Best practice the Safety Case, 2

• A safety case must conclude that the system being
  considered meets its defined safety criteria and
  is therefore sufficiently safe to be
• acceptable, and
• allowed to operate in accordance with its defined
  objectives and criteria.
• The objectives and criteria will already exist
  within the qms documentation.
• As it draws a conclusion, the safety case goes
  beyond a safety-assessors risk assessment.

49

• Had your Safety Case been independently audited?
• a. How do you explain the disaster in the
  context of your Safety Case? b. Was the disaster
  foreseen by it? c. If it had been, why did your
  preventative and/or mitigative measures fail? d.
  How will you change the Safety Case?
• Who produced your Safety Case?
• a. What would have been your pre-event numerical
  estimate of the risk of the disaster? b. What
  is the risk of its reoccurrence?
• Was the disaster foreseeable?

50
Best practice the Safety Case, 3

• Once all possible hazard causes are known,
• the next three key questions for a safety case
  are (Hawkesley)
• What could go wrong? - foreseeing
• Why wont it? - preventing
• But what if it did? - mitigating
• Two other questions are
• How wide is the coverage? for whom?
• Is anything exempted? for what?

51
Best practice the Safety Case, 4

• Question 4, but what if something did go wrong?
  is intended to address
• consequence management, and
• damage limitation
• but is often distorted to focus on liability
• management (e. g. control of information flows),
  and
• assessment (e. g. minimisation of cost incurred)
• (recall the qms requirement for top management
  sign-off)

52
Best practice the Safety Case, 5

• A safety case can become
• if it is divorced from the rest of qms,
• a contract between an operator and a
  single-purpose regulator.
• although not produced for the purpose,
• an imperfect tool for assigning liability when
  things do go wrong.

53
Best practice the Safety Case, 6

• Safety case documents in a qms format are
  produced by the organisation doing the work.
• They cannot be
• produced by other bodies
• imposed by other bodies
• There is a temptation for regulators to try to
  impose a safety case on an organisation.
• If this is done, the intended safety case becomes
  another regulation, and loses all its qms
  attributes and benefits.

54
Risk and probability, 1

• Risk can be calculated and given numerical values
  using probability theory.
• So it is easy to forget that risk is still a
  subjective concept. For example
• Once the dice is thrown, the probability of a
  given number showing, changes from 1/6 to 1.
• Our decisions on the same 1/6 probability will
  change with the size of the wager.
• Although each throw of the dice is an independent
  event, when we look at the results from a set of
  throws, some order emerges.
• There will always be insufficient data to
  estimate that order accurately.

55
Risk and probability, 2(even more subjectively)

• We will never be able to foresee all hazards.
• Some relevant events will be outside our control.
• Once an unlikely event occurs, any earlier
  prediction that it was unlikely becomes a
  mistake.
• On empirical evidence
• Damage is emotionally worse when it
• is caused by events over which the property
  owner had no control.
• occurs to large groups of people.
• Risk is rarely symmetric (liabilities vs
  value-adds).
• People do not avoid low risk events.

56

• Who produced your Safety Case?
• a. What would have been your pre-event numerical
  estimate of the risk of the disaster? b. What
  is the risk of its reoccurrence?
• Was the disaster foreseeable?
• Could the disaster have been avoided?
• a. Does your organisation adopt best practice
  procedures in risk management? b. Have you been
  trained in risk management?
• a. In retrospect, were there early warning
  signals of the imminent disaster? b. Were there
  early signs of the disaster which could have led
  to actions causing a reduction in its
  consequences?

57
Risk and probability, 3(even more subjectively)

• However, because of point 6, people do not want
  to be associated with a disaster at the least
  it damages their promotion prospects. So the low
  risk threshold depends on event consequences.

58
Risk and probability, 4

• In a more specific context, it is often forgotten
  that the consequences of unwanted events
  occurring can be modified by
• Adopting best practice processes, particularly
  in risk management
• Staff training and risk profiling sessions
• Responding to the unwanted event rapidly, as
• early warning signals are seen and understood,
  and
• the event progressively unfolds.

59
The road safety example, 1

• Typical accepted risks are (fatalities /
  person / year) from Lay, Handbook of Road
  Technology, Vol 2
• safe behaviour (public health), 1 in 1 000 000
• pay money to reduce 1 in 10 000
• in a year of car travel 1 in 10 000
• per car per year 1 in 5 000
• publicly unacceptable, 1 in 1 000
• in a lifetime of driving 1 in 200

60
Humans intrude

• Human misfits living outside of qms include
• Blind eyes who shoot messengers
• Bureaucrats who bury or compartmentalise
  warning messages
• Conservatives who oppose change
• Cowboys, who consider themselves immune from
  procedures or risks
• Other worlds who dont want to know
• Tyrants who cure risks by threats and
  punishments
• Walking disasters who create hazards
• Wimps who avoid responsibility

61

• a. Does your organisation adopt best practice
  procedures in risk management? b. Have you been
  trained in risk management?
• a. In retrospect, were there early warning
  signals of the imminent disaster? b. Were there
  early signs of the disaster which could have led
  to actions causing a reduction in its
  consequences?
• a. To what extent did in inappropriate human
  behaviour contribute to the disaster? b. Did
  the right people give and/or receive the right
  messages? c. Did some people act
  inappropriately?

62
The road safety example, 2

• The primary causes of a road crash are (from Lay,
  Handbook of Road Technology, Vol 2)
• Drivers alone (e.g. run off straight road), 65
• Drivers and road (e.g. hit roadside post), 25
• Drivers and vehicles (e.g. wheels lock during
  braking), 5
• Road factors alone (e.g. slippery surface), 2
• Vehicle factors alone (e.g. brakes fail), 2

63
The chain or the mattress?( a matter of
redundancy)

• In the context of failure theory
• Most practical systems are full of redundancies
  and inherent checks and balances (as with a
  mattress where the failure of one spring need not
  cause disaster).
• Few practical systems are determinant, where one
  event will cause total disaster (as with the
  links in a chain).

64
The curse of the Yarra(or the waters strike back)

• I have been involved in four major problems
  associated with crossing the Yarra, each of which
  supports my thesis that disasters, at a
  sub-project role, are rarely isolated events.
• They are more likely to be the symptoms of a
  widespread disease.
• The four crossings are Kings Bridge, Westgate
  Bridge, Bolte Bridge and the City Link tunnels.

65
Kings Bridge

• The designers were focussed on foundation
  problems, the steel used was poorly chosen, the
  welding methods were unsuitable for the steel,
  and the design details were inappropriate for the
  steel/welding used. If just one of these had not
  occurred, the bridge would not have failed.

66
Westgate Bridge

• The design brief tried to avoid welding, the
  designers thought worrying about constructablity
  beneath their dignity, the builders thought the
  bridge could be modified without recourse to the
  designers, site communications were non-existent,
  major mistakes were made in design details, and
  early warnings of failure were ignored. Fixing
  just one of these would have avoided bridge
  failure.

67
Bolte Bridge and City Link Tunnels

• It is not possible for the author to put his
  views on these in writing.
• Instead, consider any report on any major
  failure. Have you read of any that have said
  The failure was caused by item F failing. No,
  the norm is to be presented with a long catalogue
  of problems. The disaster is just the end play
  in a sad saga.

68

• a. In retrospect, were there early warning
  signals of the imminent disaster? b. Were there
  early signs of the disaster which could have led
  to actions causing a reduction in its
  consequences?
• a. To what extent did in inappropriate human
  behaviour contribute to the disaster? b. Did
  the right people give and/or receive the right
  messages? c. Did some people act
  inappropriately?
• Have there been other instances of related minor
  or major disasters in the Organisation or
  associated-industry in recent times?

69
Zero tolerance to disasters

• A strongly developing concept which underlies the
  recent strengthening in support for qms, OHS,
  etc is the principle that no disasters should be
  tolerated, and their risk of occurrence should be
  reduced to zero.
• This approach should be applied to planning,
  designing, operating and assessing. It is an
  attempt to change the state of mind from
• passive acceptance, to
• active avoidance.

70
Back in the real world(real answers to unreal
questions)

• So what answers would we expect to receive from
• a normal employee
• holding a responsible position
• in an Australian,
• normal, producing organisation
• which has just experienced a typical moderate
  major disaster
• including damage to people and property?
• recognising that at the coal-face poor decisions
  are usually driven by time savings rather than
  cost cutting.

71

• Mr A is an employee of Organisation B, where a
  disaster has occurred.
• Mr A, a. does Organisation B have a qms? b. has
  it been certified? answer Yes yes.
• Is it in accordance with ISO 9001? answer We
  up-dated it last year. Was that certified?
• In terms of clause 4.1 of ISO 9001, in which
  process did the disaster occur? answer In
  Process C.
• In the context of clause 4.1 of ISO 9001, please
  describe process C. answer The best
  description of process C is given under procedure
  F in our Quality Plan. Process C is

72

• relatively labour intensive. Quality Plans are
  defined in Note 1 to Clause 7.1 of ISO 9001.
• In the context of clause 4.1c of ISO 9001,
  please describe the criteria and methods being
  used to ensure effective operation of process C.
  answer The best description of the criteria
  and methods is given under procedure F in our
  Quality Plan. The need for this content is
  discussed in Clause 7.1c of ISO 9001.
• a. In the context of clause 4.1e of ISO 9001,
  were you monitoring, measuring and analysing
  process C? b. Was the associated documentation
  controlled in accordance with Clause 4.2.2?
  answers Yes Yes.

73

• In the context of clause 7.1 of ISO 9001, what
  product was being produced at the time? answer
  Product D.
• In the context of clause 7.2.1 of ISO 9001, which
  requirements was product D meeting? answer
  Requirements E.
• In the context of clause 7.2.2 of ISO 9001, had
  requirements E been reviewed? answer Yes.
• How do requirements E compare (benchmark) with
  those in use by similar organisations? answer I
  am not aware of any identical work elsewhere.
  This is a very competitive business. Is he
  saying that they all compromise safety?
• In the context of clauses 4.2.1de of ISO 9001,
  what

74

• documents records exist concerning the
  operation and control of Process C? answer A
  complete set.
• In the context of clause 8.2.4 of ISO 9001, what
  do the records say about the conformity of
  process C product D? answer There were a few
  non-conformances but most had been closed when
  the disaster occurred. Question 21 returns to
  explore the issues raised by this answer. For
  the moment, note that a. disasters rarely occur
  in splendid isolation and b. it is common for
  people to fail to perceive what in retrospect are
  the obvious signs of an impending disaster.

75

• a. Is your Company committed to qms? b. Is it
  being properly applied? c. How is the Companys
  support demonstrated? d. When was the last
  management review? e. Are you adequately
  resourced? f. How do your comments specifically
  apply to Process C? answer a. Yes, but they
  get upset when it causes delays. b. Yes, but I
  wouldnt say it was first priority. c.
  Everywhere you look there are signs about quality
  but I bet there are none in the Boardroom. d.
  Just before the next certification. e. The
  quality group always want more staff, but theyre
  another overhead. f. Its easy to be wise in
  hindsight. These issues are pursued further in
  the answers to questions 17-23.

76

• a. How would you describe your Companys approach
  to non-conformances? b. Do you self-regulate?
  c. Is it effective? answer We self-regulate
  and we are very honest and also very practical in
  our approach. practical we dont let it delay
  the job - most jobs carry small compromises.
• a. What is your position in the Company? b. What
  are you responsible for? c. Who do you report
  to? d. Do they support your qms activities?
  answer I am a manager and I am responsible for
  Process C. I report to the Works Manager.
  Everyone supports qms but the bosses get
  aggressive when it results in unscheduled
  stoppages. most current jobs are highly
  programmed with insufficient allowance for
  unplanned delays.
• What quality improvements were made in qms in the
  year before the disaster? answer We reduced
  the number of process alarms as the important
  ones were being masked. Who determined which
  alarms were important?

77

• a. Who is responsible for Process C? b. When was
  it last reviewed, particularly with respect to
  preventative and corrective actions? answer I
  am responsible. We reviewed the process about
  six months ago and thats when we decided to make
  the changes I mentioned in my previous answer.
  There is rarely a sense of urgency in these
  matters.
• Despite your Companys commitment to qms, is
  there a tendency to put it aside in times of
  crisis? answer Until the disaster, we havent
  had a crisis.
• Did process C have adequate work instructions,
  equipment and monitoring devices? answer Yes.
  And still the disaster occurred.

78

• a. How many quality audits were done on Process
  C? b. Please table the records. c. How many
  non-conformances were listed? answer There
  were two audits. Here are the records. There
  were five non-conformances. There is rarely a
  problem having non-conformances raised.
• For each non-conformance related to Process C, a.
  describe the cause ascribed to the
  non-conformance, b. list the corrective action
  taken to correct it, c. estimate how effective
  the correction was, and d. describe the current
  status of the non-conformance. answer Here is
  the list
• NC12, trivial alarms, alarms decommissioned,
  effective, closed.

79

• NC3, no test record, record obtained, no link to
  product used, still open
• NC45, no same-day sign-offs, retrospective
  sign-offs, work verified by others, closed.
• The closures are not too convincing and might be
  rejected by a future audit.
• Did any continual improvements result from each
  Process C non-conformance? answer We
  decommissioned the alarms. !
• The disaster that occurred in Process C had OHS
  implications. To what extent were these foreseen
  or foreshadowed in a. the qms work instructions
  for Process C, b. the pre-disaster
  non-conformances for Process C and c. the
  pre-disaster audits of Process C?

80

• answer a. The OHS link was good at a general
  level. b. Perhaps that alarm might not have
  been disconnected? c. There hadnt been an
  audit since the alarm was disconnected.
• We will skip many of the OHS, Safety Map and
  Risk Management responses. Of course, the staff
  followed the requirements as well as could be
  expected and, of course, the plans did not cover
  all the eventualities that did arise. The
  disaster was, after all, unforeseen.
• a. What hazards and unacceptable risks were
  identified in the Organisation in the periods
  prior to and after the disaster? b. What was
  their potential?

81

• c. How were they controlled? d. Were any
  relevant to the disaster? e. Did they alter
  your emergency response policy? f. How many
  indicated system failures? g. Which were either
  minimised or isolated?
• answer a. After the event we did discover that
  the disabled alarm, if it had been noted amongst
  all the other alarms, would have alerted someone
  to the fact that the installation crew had
  omitted a key step. Im not sure whether anyone
  would have realised the significance of the
  omission. b. There would have been no disaster
  if the installation had been done as specified,
  or, if someone in authority had known of the
  omission and its significance and then acted. c.
  In retrospect, they werent. d. Yes. e. How
  do you protect against humans? f. About 4. g.
  None.