Safety-II: Resilience in the Face of Abnormal Operation

Operating regimes can be grouped into three categories, Routine, Non-Routine and Abnormal.

• Routine Operation is planned, normal day-to-day operation, following established procedures.
• Non-Routine Operation is also planned and follows established procedures, but it is carried out infrequently, only when needed; e.g., startup, shutdown, on-line cleaning of a heat exchanger.
• Abnormal Operation is unplanned, unanticipated, and there is no established procedure. It is distinct from Emergency Response. Abnormal operation is the initiating condition for most process safety incidents. The response is cognitively developed at the time of need.

During Routine and Non-Routing Operations, workers execute procedures to pursue goals. But what happens in unanticipated situations when workers are called on to, for example:

• resolve conflicts,
• anticipate hazards,
• accommodate variation and change,
• cope with surprise,
• work around obstacles,
• close gaps between plans and real situations,
• detect and recover from miscommunications and misassessments.

When response to these types of Abnormal Operations are not or cannot be automated or proceduralized, these become Abnormal Operations. Operational Discipline as "always follow the procedure" becomes moot. The full team scope of Operational Discipline from a Conduct of Operations point of view must be brought to bear.

Workers adjust their response based on guidelines, safety boundaries, experience, and so on. They collaborate and troubleshoot with others, up and down the line of authority, as appropriate. They attempt to adapt and recover to safe conditions. And they do so correctly almost all of the time.

This worker characteristic is the source of Resilience.

Resilience, informally, is the ability to bend without breaking. In the context of Operational Discipline, it is defined as “the intrinsic ability of a system to adjust its functioning prior to, during, or following changes or disturbances, so that it can sustain required operation under both expected and unexpected conditions.” The central part of this definition is in the system’s ability to adjust its functioning, which differs from the ability to continue functioning via, for instance, redundant systems.

The traditional view of process safety is:

SAFETY-I: The condition where adverse outcomes are minimized

• Hazards are foreseen and anticipated
• Systems are well designed and maintained
• Procedures are complete and correct
• Workers are compliant and behave as trained

Adverse Outcomes result from unusual (erroneous) actions in usual conditions, when workers make the errors that humans, as fallible biological machines, can be expected to make.

Strong Safety-I systems provide the basis for identifying and avoiding unnecessary risk. Initially, industry targeted the human impact on unexpected outcomes. This resulted in programs like Job Safety Analysis and Stop Work that targeted immediate causal factors. But the solution extended beyond the person. So systems were targeted; look for latent causal factors; Process Hazard Analysis, Management of Change, Safety Instrumented systems, Procedures. All of these apply to Routine and Non-Routine Operation and to Work-As-Imagined.

Safety-I promotes a bimodal view where acceptable and unacceptable outcomes are due to different modes of functioning. When things go right it is because the system functions as it should and people work as imagined; when things go wrong it is because something or someone has malfunctioned or failed.

However, there is another view of process safety:

SAFETY-II: The condition where adaption and recovery to safe conditions are maximized

• Systems are subject to unanticipated change
• People do what makes sense at the time to achieve goals

Adverse Outcomes result from usual (normal) actions in unusual conditions, when workers do what appears to make sense at the time, but the situation is not as expected.

Safety-II is the system’s ability to succeed under varying conditions, so that the number of intended and acceptable outcomes is as high as possible. Adjust prior to, during, or following changes and disturbances to sustain required operations under expected and unexpected conditions.

Strong Safety-II systems apply where Safety-I is weak, to Abnormal Operation and to situations where Work-As-Done cannot align with Work-As-Imagined. These are situations that provide high risk for process safety incidents. Safety-II provides the basis for adapting and recovering

Safety-I and Safety-II processes are vital. Safety-II is not a replacement. System improvement results from Safety-I. System robustness results from Safety-II. Safety-II provides the basis to be Resilient.

Partial Bibliography

J. Reason, A Life in Error From Little Slips to Big Disasters, 2013.

E. Hollnagel, "Prologue: the scope of resilience engineering," in Resilience Engineering in Practice: A Guidebook , 2011, p. 2.

EUROCONTROL, Systems Thinking for Safety- Ten Principles, A White Paper - Moving towards Safety-II, August 2014

E. Hollnagel, et al, From Safety-I to Safety-II- A White Paper, September 2013