By Gregory Hale
Look at the risks and learn the priorities. In the manufacturing automation arena, that line could apply to the safety environment or in a security scenario.
Users have to look at risks and understand the priorities in what you have to protect – and the catch is there is no room for error.
At the AIChE Spring Meeting and 10th Global Congress on Process Safety in New Orleans last week it was easy to understand how closely safety and security relate. Yes, one protects man against machines and the other protects machines against man, but the underlying concepts remain similar.
After all, they talk about the same things: Culture, analysis, training, management buy in, learning from incidents and near misses, costs, ROI, prioritizing, communications, working together among differing (often antagonistic) departments, and having a plan and making sure everyone is aware of it. After looking at the two industries, it is also easy to see how far along safety is in terms of recognition and getting things done, compared to security.
Safety has had a head start in terms of awareness and actual application of the initiative. Security, though, while seeing an awakening, truly needs a rocket-fuel blast to deservingly get on the same page.
Recognitions problems still exist on the security front, where a Bain & Co. report found too many organizations fail to align IT security capabilities with larger goals and overall risk. That means there is a lack of quality risk management and points toward reactive security compared to a thought out prevention program. The report points to a disconnect between an organization’s risk management efforts and the development of security that occurs because business groups and IT often fail to discuss emerging threats.
The question remains as to why are more organizations not implementing security into their daily mindset as they are safety? Some of the top internal reasons are: People, training, no real corporate mandate, and no business return on investment.
With security being the new kid on the block for process control, getting people to embrace how to integrate security into their everyday work life is an ongoing education process. Teaching workers to not plug a thumb drive into a computer before checking to make sure it is free of any virus is just one example.
In essence, the lack of ongoing training is also a culprit of not having automation professionals think of security on an everyday basis. In safety, manufacturers have ongoing training and standard operating procedures, but in security, there is not enough emphasis placed on total security worker education.
Established, but Learning
Meanwhile, safety continues to have its growing pains as it becomes even more important in this global age of manufacturing. But these pains come from decades of use and application experience.
“Increasingly there is an agreement that leadership is a key component for a safe organization,” said Julie Bell, technical lead for human factors at the Health and Safety Laboratory in Buxton, England. “Managerial failure is at least as important as technical failure. Despite this connection, there is very little information on what leadership should be doing when it comes to safety.”
There is two types of leadership that link to safety, she said.
“Transformational, where the leader acts as a role model and transactional, where the one in charge makes it clear about what will be accepted and what standards will be adhered to,” Bell said. “An active form of leadership plays an important role in promoting a positive culture and safety performance.”
Safety means there needs to be a clear message coming from the top, but it also means constant education from lessons learned.
“We need to share the incidents that occur to learn the lessons. Too often we share, but we don’t learn,” said Mike Broadribb, senior principal consultant Baker Engineering and Risk Consulting in San Antonio, TX.
“Sometimes we see mistakes made over and over again and we don’t learn from them,” said Carlos Barrera, managing engineer at Menlo Park, CA-based Exponent. “Lessons learned cannot just be a slogan everyone learns until the next incident comes up. You need to get to the root cause. If you get to the root cause, you get rid of the problem. But finding the root cause is difficult.”
Exxon Mobil has an involved scenario to learn from incidents and to determine what happened, the type of incident and at what level the incident stands in terms of severity.
For Exxon, quite a bit is at risk.
“We really have to find the cause of the phenomenon,” said Kelly Keim, Exxon Mobil Research and Engineering, Global Technology sponsor for process safety.
Near Miss Experience
“Accidents still happen. There is so much to learn from these incidents,” said Sunil Lakhiani, managing engineer at Exponent. “The high severity incidents are rare, but they are incidents to learn from. You hear about incidents, but do you hear about near misses? There is so much to take from a near miss and use those findings and apply it. Serious incidents and near misses have some of the same underlying causal patterns. Near miss identification is important.”
After learning from incidents and near misses, real life can often end up muddled with everyday problems and that leads to learning about risk management and understanding priorities, which can change on a moment’s notice.
Just ask Andy Bolsover, principal consultant at DNV GL.
He laid out a scenario that could potentially jar the mind of anyone: You are an offshore installation manager (OIM) on a platform and you face problems every day. Today you have an equipment problem, and an independent verifier coming in, and you are behind schedule, you lost your main engineer and have a replacement that does not have as much experience, on top of that you have corporate breathing down your neck. That is just Wednesday’s problems and you have not tackled all of Tuesday’s and Monday’s issues.
“What are the risks and what are the priorities? You have to keep track to keep up with all the risk,” Bolsover said.
Understanding risks and priorities an important measure for the safety environment, but equally as vital for security.
There must be a solid business proposition behind why a manufacturer would decide to make the security investment. Bringing the idea up to the executive suite that security is more of a business enabler that keeps the network and system up and running and productive and not just an insurance policy is important to generate awareness and send a strong message out to the company. After all, security is going to be an ongoing expenditure, not a one-time expense. Initially, there needs to be a risk analysis; what do you need to protect, what is the cost, what is the risk? Then there needs to be a way to quantify those numbers to assess the true benefit.
In the end a secure manufacturing environment means the system is up and running and producing product. The same is true for safety.
“A safe business is very much a successful business,” said Steve Flynn, global head of risk, learning and health safety and environment at BP. “There is still more to do. This is a continuous journey for us and for the industry.”
Talk to me. Gregory Hale is the editor/founder of ISSSource.com.