How Resilience Engineering Can Transform Safety Practice
How Resilience Engineering Can Transform Safety Practice
How Resilience Engineering Can Transform Safety Practice
Review
a
Safety Science Innovation Lab, Griffith University, 170 Kessels Road, Brisbane, QLD 4111, Australia
b
Department of Integrated Systems Engineering, The Ohio State University, Columbus, OH, USA
Keywords: The safety management literature describes two distinct modes through which safety is achieved. These can be
Safety professional described as safety management through centralized control, or safety management through guided adaptability.
Safety Safety management through centralized control, labelled by Hollnagel as ‘Safety-I’, aims to align and control the
Resilience engineering organization and its people through the central determination of what is safe. Safety management through
Safety differently
guided adaptability, or ‘Safety-II’, aims to enable the organization and its people to safely adapt to emergent
Safety-II
situations and conditions. Safety-II has been presented as a paradigm shift in safety theory, but it has created
Professional practice
practical difficulties for safety professional practice. In this paper, we define the two modes of safety manage-
ment and explain the challenges in changing the role of a safety professional to support Safety-II. When should
safety professionals re-enforce alignment, and when should they support frontline adaptations? We outline
specific activities for safety professionals to adopt in their role to move towards a guided adaptability mode of
safety management. This will move the safety professional further towards their fundamental responsibility – ‘to
create foresight about the changing shape of risk, and facilitate action, before people are harmed.’
⁎
Corresponding author.
E-mail address: [email protected] (D.J. Provan).
https://doi.org/10.1016/j.ress.2019.106740
Received 10 August 2018; Received in revised form 17 May 2019; Accepted 9 November 2019
Available online 11 November 2019
0951-8320/ © 2019 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license
(http://creativecommons.org/licenses/BY/4.0/).
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
basic limits of predetermined plans, in a complex, interdependent and We propose that the fundamental responsibility of safety profes-
changing environment, because responsible people adapt to make the sionals can be best described as: creating foresight about the changing
system work. Safety-II focuses on how work is done, looking for the shape of risk, and facilitating action, before people are harmed [58].
different ways people adapt to gaps, challenges, and surprises, and how Such that, if we get to count the bad things that have happened to
they synchronize activities to resolve conflicts and achieve shared people, then we have already failed. Thus, safety management must be
goals. proactive, not reactive, but how do safety professionals achieve this and
The challenge for safety management in this context, is to guide and identify problems before there are obvious failings? This paper answers
facilitate how people adapt to handle complexities and to provide the this question by presenting an outline of the activities and tasks of
resources for coordinated joint activity. Safety-II enables people to safety professionals in support of a guided adaptability mode of safety
dynamically align the pursuit of both safety and effectiveness because management, which has not previously been attempted in the high
there are always multiple conflicting goals, limited resources, and reliability organizations, resilience engineering, safety differently or
pressures to achieve more (i.e. industry's ‘Faster, Better, Cheaper’ im- safety-II literature. We do this by: outlining the existing role of a safety
perative). Safety management focusses on guiding how to, and when to professional in a safety management mode of centralized control [43],
trade-off and re-prioritize across multiple risks and goals when oper- describing the breakdowns of the safety professional role when oper-
ating in the midst of uncertainties, changing tempos and pressures. ating in this mode, and then providing direction for how the role can be
This debate between centralisation and decentralisation is not new reframed to support a safety management mode of guided adaptability.
within the safety or organisational literature. Perrow [42] argued that In addition to the primary purpose of this paper, we also aim to clarify
the conventional engineering approach to system safety would ulti- aspects of the resilience engineering theory that have been mis-
mately fail as systems became increasing complex and new approaches represented and misunderstood in the literature and practically within
were required. The high reliability organisation literature promoted the organizations.
need for non-traditional organisational capacities such as: sensitivity to
operations and a commitment to resilience [57]. Amalberti [3] dis-
2. Safety mode of ‘centralized control’
cussed the challenges of purely centralised approaches to safety in
improving the safety of some industries and technologies. This debate
Since the early 1900’s, organizations have viewed accidents as un-
in the safety literature followed and paralleled a similar debate in the
desirable outcomes from unplanned variation of work. Under this view,
organisational literature commencing in the 1960’s with understanding
safety is achieved by reducing the likelihood or consequences of deviation
management approaches to the motivation and effectiveness of
from planned safe work practices. Early ‘centralized control’ approaches
workers. Theory X and Theory Y is one such popular management
were derived from Taylor's ‘Scientific Management’ [53]. Taylor sug-
theory which presents the centralised versus decentralised distinction in
gested that there was “one best way” to perform any task. Whilst Taylor
relation to organisational management and work performance.
was primarily concerned with efficiency and productivity, companies
Katz [36] further discussed the need for organisations to manage the
such as DuPont adapted Taylor's approach for safety, documenting and
paradox of ensuring dependable role performance with encouraging
standardising safe work practices [51]. As scientific management gave
spontaneous initiative to manage emergent situations that were im-
way to Total Quality Management (TQM), the idea of “one best way” to
possible to plan for or not predict. The High Reliability Organisation
perform work was replaced by the idea of continuous improvement. TQM
(HRO) literature expanded this notion of context dependent modes of
retained an emphasis on documenting rules and procedures as a foun-
operation by arguing that for organisations to be safe and reliable they
dation for improvement however now sought to systemically prescribe
needed to be able to give effect to context dependent modes of opera-
the management processes through which operations would be mon-
tion [57]. More recently Grote [22] argued that organisations needed to
itored, and deficiencies prevented, identified, and corrected. More recent
focus their safety risk management programs towards uncertainty, and
approaches to systemic control over safety include Safety Management
make deliberate choices that establish a balance between stability and
Systems, safety culture, and behavioural safety – make greater allowance
flexibility by promoting both control and accountability.
for human variability than Taylor, but preserve the idea that safety arises
Safety professionals are confused (a) by the apparent divergence in
from preventing unsafe variation. The fundamental premise for Safety-I
safety management theory, and (b) by the contrast between the Safety-
and a centralized control mode of safety management is the belief that the
II literature and the existing safety management practices used within
plan for work and safety is substantially complete, and that all will be well
their own organizations [52]. The existing literature exploring safety
if everyone works to the plan and follows the safety management re-
professional practice concludes that the current profession believes in,
quirements. The organization exerts pressure to ‘work to plan, work to
implements, and performs activities in support of a centralized control
role, and work to rule’.
mode of safety [43]. Therefore, the safety profession largely operates
inconsistently with, and often counter to, a safety mode of guided
adaptability. Historically, the Safety-I literature, for all its theoretical 2.1. Organizational capacities for a safety management mode of centralized
shortcomings, has provided a strong practical reference for safety control
management, and for what it means for safety professionals to “do
safety work”. Since the safety literature sometimes views the two modes In order to create centralized control for safety management, or-
of safety as incompatible, safety professionals do not have a practical ganisations focus their effort on developing their capacity to: analyse
reference about how Safety-II can be used to steer their activity in hazards, implement controls, monitor conformance, delegate autho-
professional practice. rities, and standardize safety culture (see Table 1).
Table 1
Organizational capacities for a safety mode of centralized control.
Capacity Description
Analyse Hazards Analysis of the factors that could cause operations to become unsafe
Implement Controls Implement Controls (physical and behavioural) to manage hazards
Monitor Conformance Control performance is informed by proactive and reactive information
Delegate Authorities Line management and safety professionals make safety decisions
Standardize safety culture Promote leadership and front-line commitment to prioritize safety
2
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
2.1.1. Hazard analysis making is complimented with all workers having an ‘authority to stop’
The starting point for controlling safety is to perform hazard ana- their work due to safety concerns [40].
lysis. Hazard analysis combines our understanding of the probabilities,
uncertainty and consequences of event scenarios in a way that enables 2.1.5. Safety culture
the organization to prioritise resources for monitoring and risk reduc- To align and motivate the organization to prioritize and commit to
tion activity [5]. Organizations invest significant resources expanding safety, safety culture improvement programs support the hazard ana-
their hazard analysis processes and therefore hazard and risk under- lysis, control, and monitoring activities. This aligned safety culture is
standing. Through processes at both a task (e.g. Job Safety Analysis) based on the principle that all incidents are preventable. Leaders create
and system level (e.g. Hazard and Operability Study), hazards are cultures through what they systematically pay attention to [50] and
identified, categorized, assessed and prioritized for action and mon- their actions aim to reinforce the organizations priority for safety and
itoring. These processes consider known internal and external factors care for its workers. This in turn influences workers and teams collec-
that could cause work to operate outside a tolerable level of safety risk. tively to prioritise safety themselves, comply with requirements, and
report any incidents so that the organization can rectify problems. Al-
2.1.2. Controls though there are a number of ways to define and describe culture [32]
Following the identification and assessment of hazards, controls the most well-known safety culture model describes five stages of ma-
(both physical and behavioural) are put in place to manage the hazards turity: pathological, reactive, calculative, proactive, and generative
to an acceptable level of risk. There is an established hierarchy of [33].
controls for individual hazards: elimination, substitution, isolation,
administrative, and personal protective equipment. These controls will 2.2. Safety Professional role under a safety management mode of centralized
often manifest themselves in engineering changes to systems and control
equipment, management systems, and procedures. Non-physical con-
trols such as procedures and business processes are documented in The current role and activities performed by safety professionals
Safety Management Systems, supplemented with training programs within organizations are largely aligned with a safety management
[48]. Organizations and teams within organizations establish beha- mode of centralized control [43]. There is a reciprocal relationship
vioural norms, expectations and rules in relation to work and general between the organisation's mode of centralized control and the role of
safety conduct – often termed behaviour-based safety. Behaviour-Based safety professionals – the safety management mode drives activities and
Safety (BBS) seeks to identify and prescribe safe behaviours in the tasks, and these in turn re-enforce the safety management mode.
workplace following the model of - define, observe, intervene, and test There is considerable research concerning the tasks and education
[21]. of safety professionals (e.g. [6–8, 11, 24, 25, 39, 64]. The largest study
into the tasks and activities of safety professionals involved a 169 item
2.1.3. Monitoring questionnaire performed with 5495 participants in 12 countries [25].
Organizations focus on the monitoring of the controls that are put in Hale and Guldenmund [25] identified 22 tasks performed by more than
place to manage the identified hazards. These monitoring activities 60% (but usually more than 80%) of respondents in all countries, these
include: inspection and testing of equipment, behavioural observations, included: checking compliance with policy and procedures, workplace
audits, and other routine surveillance activities. Corrective actions are risk assessment, develop company policy, make procedures (give in-
devised where these monitoring activities identify deficiencies in the structions and check compliance), investigate accidents, perform phy-
application of, or compliance with the controls. The ‘Swiss Cheese’ sical inspections, conduct audits of workplace behaviour. Despite the
model of accidents shows how accidents occur when the protective research into safety management practices of safety professionals, there
layers or barriers in place to prevent an incident fail [47]. In addition to is no compelling empirical evidence that safety professionals improve
the monitoring of controls, safety incident reporting occurs at all levels the safety outcomes of their organizations (Borys 2015).
of the organization. These incidents are events that represent break- The following safety professional activities have been synthesized
downs in the safety risk controls and therefore knowing how often they from the safety professional literature referenced above, and the orga-
are happening, and where, is important to prioritize additional safety nizational capacities outlined in Section 2.1, to support the centralized
management effort. Organizations identify and hold accountable man- control mode of safety (See Table 2):
agers and workers who are responsible for risk control and compliance
breakdowns. 2.2.1. Facilitate task hazard analysis
Safety professionals develop and facilitate processes that enable the
2.1.4. Authority safety hazards associated with individual tasks and activities to be
Management are ultimately accountable for safety outcomes and analysed and managed. These processes can include: pre-start safety
therefore have the over-riding authority on safety decisions within their assessments, job safety analysis (JSA), safe work method statements
areas of responsibility within the organization [38]. Line management (SWMS), and permit-to-work (PTW). The objective is to ensure that
and safety professionals make safety decisions and communicate and front line employees understand the hazards associated with their work.
implement these within their operations. Front-line employees are re-
sponsible for following procedures and requirements to safely conduct 2.2.2. Perform system level hazard analysis
their work. Management accountability for safety and safety decision- Organizations need to understand the hazards at a technology,
Table 2
Safety professional activities to support a mode of centralized control.
1 Support the task-based identification of hazards (e.g. take-5) and assessment of risk (e.g. JSA)
2 Facilitate the identification and assessment of system level hazards (e.g. risk registers, HAZOP)
3 Develop controls for tasks (e.g. working at heights) and processes (e.g. contractor management)
4 Monitor controls proactively (e.g. inspections) and reactively (e.g. incident investigation)
5 Provide safety incident and compliance reporting to line management and regulators
6 Support line management decision-making and arbitrate between stakeholders as necessary
7 Promote an 'authority to stop work' for safety across the frontline workforce
8 Develop and promote safety culture improvement programs
3
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
system or business level that may or may not be associated with in- behaviours.
dividual tasks of the front-line workforce. The hazards are assessed
using advanced hazard and risk analysis methodologies, including; 2.3. Organizational responses to a safety management mode of centralized
hazard and operability studies (HAZOP), layers of protection analysis control
(LOPA), hazard identification (HAZID), failure modes and effects ana-
lysis (FMEA), fault tree analysis (FTA), and pre-start up safety reviews The activities described in Section 2.2, when reflected in the safety
(PSSR's), etc. Safety professionals facilitate these hazard assessments management and safety professional literature are described and
and maintain the outputs. practiced as top-down normative requirements. This centralized control
approach refers to standardisation, generalisation and administration of
2.2.3. Develop safety controls safety management practices that are disconnected from the variability
Safety professionals develop safety risk controls and requirements to of the operational risks of the system or local unit.
manage safety hazards and the regulatory compliance requirements of Front-line work needs to adapt and deviate from plans, rules, roles
their organization's activities. These controls can be physical, proce- and procedures because of the dynamic and emergent nature of com-
dural, and behavioural. Safety professionals document and oper- plex systems. In a mode of centralized control, this need is not ac-
ationalize these controls through safety management systems, safety knowledged or supported by the organization, causing tensions and
plans, safety procedures and safety rules. Legal regulations, based on conflict. The resulting adaptive cycles of front-line work to the em-
diligent work practices, provide a useful framework on which organi- phasis on a safety management mode of centralized control is de-
zations can model their controls. structive for maintaining safety and achieving organizational goals. (see
Fig. 1). It is important to understand how the role and activities of
2.2.4. Monitor safety controls safety professionals influences their organisation.
Organizations monitor compliance with safety risk controls and
requirements to prevent safety incidents. The safety professional con- 2.4. Practical challenges and tensions for safety professional work
ducts proactive monitoring activities, including safety audits and be-
havioural observations. Safety professionals also conduct incident in- In the same way as there are adaptive cycles for front-line work (see
vestigations to reactively identify controls that were not complied with. Section 2.3), there are adaptive cycles for safety professional work as it
Corrective actions are identified as outputs of these monitoring activ- navigates and responds to the pressures of a centralised control mode of
ities to improve the safety controls or organizational compliance with safety management. A number of these adaptations are not desirable for
them. Safety professionals implement and track the completion of safety in the organisation.
corrective actions.
2.4.1 Safety Professional activities are ‘Reactive’
2.2.5. Provide safety reporting
Organizations generate, communicate and review safety reports to Due to the inevitable gap between work as imagined and work as
make decisions to improve safety. These reports include information done, there is a constant need for reactive activity to “correct” covert
about compliance with safety requirements, completion of safety ac- work systems and double binds. Line management asks safety profes-
tions (e.g. observations, action closure), and safety incident descrip- sionals to explain and address incidents and non-conformances. This
tions, severity, and frequency. This information allows safety profes- level of reactive activity prevents proactive exploratory activity to un-
sionals to identify the parts of their organization that require additional derstand and support the current functioning of operations. Safety
safety management attention and improvement actions. management within the organization becomes slow and stale, and un-
responsive to the changing shape of operational risk. Warning signs of
2.2.6. Influence and arbitrate decisions for safety trouble are discounted until there is definitive information (i.e. an in-
Safety professionals have the technical expertise and safety man- cident), at which time it is too late to prevent harm to people.
agement experience to facilitate and if necessary, arbitrate safety de-
cisions between stakeholders. This arbitration can be required at times 2.4.2 Safety Professional activities are ‘Fragmented’
between the workforce and line management of the organization, and
with third parties (customers, contractors or regulators). Safety pro- Safety professionals are focussed on safety management activities
fessionals understand the safety risks and safety compliance require- that are created and performed separate to the core functioning of the
ments that apply to work activities and locations, and they can use their organisation's system of work. The safety management activities are
authority to make safety recommendations and decisions. determined as a result of linear oversimplifications of operational
problems where the response is either specific local action imposed on
2.2.7. Promote an authority to stop work operating units, or over-generalised conclusions that are impossible to
Organizations enact their commitment to safety by providing em- action effectively (e.g. “communication” and “teamwork”). The ever-
ployees with authority to stop work when confronted by an unsafe si- increasing safety management expectations and programs on the side-
tuation [56]. Safety professionals promote this authority across the lines of the operations create more pressure and more goal conflict (i.e.
workforce and develop processes to support its enactment. If situations time and resources), without addressing issues with the overall func-
arise that are not adequately managed, they are investigated and re- tioning of the organization. Safety professional work retreats and
solved by adjusting work to conform to existing safety risk controls and fragments in a similar way to front-line work.
requirements or developing new controls for the situation.
2.4.3 Safety Professional activities are ‘Defensive’
2.2.8. Develop safety culture
Safety professionals promote and support a safety culture that aligns Safety professional activities are defensive, in the sense that they
the organization on common principles. A safety culture promotes the seek closure on behalf of the organisation. In order to avoid being
belief that all safety incidents are preventable by prioritising safety, overwhelmed and uncertain about safety risk, safety professionals need
identifying hazards, complying with safety requirements, and im- to “tick off” tasks faster than they generate new tasks. An activity that
proving through reporting and understanding safety incidents. Safety raises more questions than it answers generates more new work than it
management needs to be very visible across the organization through ticks off. Each open item is a personal threat to line management and
ongoing communication, visual material and line management the organisation, since it will be seen by outsiders as a shortfall in safety
4
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
management. Therefore, there is a strong need to seek closure – ticked Despite these three destructive adaptations, we recognise that safety
boxes, simple answers, and strict processes with well-defined stopping professionals may also currently perform valuable safety management
points. Inevitably this leads to blaming operational units or front-line work. However, the theoretical limitations of the Safety-I approach for
workers, because broader, less-defined answers require broader, less- complex systems mean that even when the role is practiced closely
defined solutions. aligned to the Safety-I theory, it will not be sufficient to manage safety
5
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
in a modern complex organization. The goal of safety management is to facilitate safe variation. It is
people, and only people, who are the ones able to adapt to a complex
2.5. The need to redesign the role of safety professionals and changing world, and bridge the gaps in technology, processes, and
information to maintain safety.
The unintended consequences of anchoring safety professionals in The safety management mode of guided adaptability understands
reactive, fragmented and defensive activity, ironically intensify as the that plans, procedures, roles, and requirements are inherently flawed
organization increases its efforts to improve safety management and unable to cater for the complexity of work as done. Therefore, it
through centralized control; more safety problems are identified to understands that all systems operate in degraded modes, and people
react to, more fragmented solutions are implemented, and more de- and operations will adapt to meet the challenges, pressures, trade-offs,
fensive activity is created. The pressure to conform exerted on front-line resources scarcity, and surprises that they face. Rather than pressuring
work teams, create these adaptive responses, and drives a greater dis- front-line operations to conform with stale plans, the organization and
tance between work as imagined and work as done. safety professionals should provide support and facilitation to con-
These consequences can have negative impacts on safety manage- structively guide these adaptations.
ment: blame culture, inappropriate resource allocation, increased goal As we have shown, the safety mode of centralised control in practice
conflict, mismatched responsibility to resourcing, non-value-adding within organisations creates challenges and unintended breakdowns
safety clutter, stale models of risk and operations, adversarial re- that increase as organizations increase their safety effort. It was these
lationships, lack of systemic interventions, single focus on worker observations of safety management modes of centralized control in
compliance, investment in protecting the organization, and manipu- practice in organizations that created the need for a diametrically op-
lated safety reporting metrics. posed alternative, namely a safety management mode of guided
Are these problems caused by the limits of Safety-I theoretical ap- adaptability [10, 29].
proaches, or are they practical consequences of poor application of
those approaches? We suggest that there is an inevitable link between 3.1. Organizational capacities for a safety management mode of guided
the two. Safety-I theory does not account for the technical, social and adaptability
political complexity of organizations and the variability of the work of
practitioners in the field. So, when the management and safety theory In order to create guided adaptability for safety, organisations focus
we describe in Sections 2.1 and 2.2 are extrapolated into front-line their effort on developing their capacity for: anticipation, readiness to
work and the role of the safety professional, pressures and tensions respond, synchronization and proactive learning (see Table 4).
inevitably arise. This has been empirically demonstrated in the safety
literature over the past 30 years (see Table 3). 3.1.1. Anticipation
In this section, we outlined the centralized control mode of safety An important capacity for a mode of guided adaptability is being
management and the role of the safety professionals, as well as how this able to ‘anticipate’ and predict future failure paths [30] and to make
approach can create unintended destructive adaptations for safety trade-offs and sacrifice judgements accordingly. Anticipating future
professionals and front-line work. We showed that Safety-I, at the scenarios allows the organization to monitor the conditions and threats
theoretical level, and certainly in practice, is not sufficient to deal with associated with these scenarios, as well as to build resources and ca-
the complexity of managing safety risk in modern complex systems. pacities to respond. Threats to safety are monitored through the de-
Safety-I theory cannot compensate for the necessary integration of tection of operating points within the system that signal where safety
safety management into the core operations, and decision-making of margins may be eroding. [9].
the organization. Safety-I has limits, and the linear oversimplifications Within all organizations there is an omnipresent production pres-
become relevant due to the modern trends in organizations, technology, sure, which consistently exerts pressure towards reducing safety mar-
systems and society. Therefore, the solution is not to add further cen- gins and therefore the resilience of operating units. Organizations
tralized control safety management practices in an attempt to prevent maintain a commitment to safety management in a way that enables
these breakdowns. Consistent with resilience engineering theory, the safety to be an important consideration in all decisions, as well as ac-
solution is to complement control with adaptability, and transition to- tively making sacrifice judgments (trade-offs) when safety is compro-
wards guided adaptability as a strategy that considers the increasing mised by operational and financial objectives.
complexity of modern organizations. The safety professional role can be
redesigned consistent with the theoretical developments in managing 3.1.2. Readiness to respond
safety risk in complex systems if we can reframe the control-adapt Organizations maintain flexible capacities and resources to com-
paradox that presently exists between Safety-I and Safety-II. In pensate for additional foreseen and unforeseen demands. The ability of
Section 3, we outline the solution to this control-adapt paradox as a organizations to absorb disruptions and maintain safety and operational
safety management mode of ‘guided adaptability’ and detail the en- performance has recently been termed ‘graceful extensibility’ [61].
abling role of the safety professional. Maintaining redundant capacity (slack) in an adaptive system is diffi-
cult, as organizations will aim to remove it to improve efficiency.
3. Safety management mode of guided adaptability Therefore, an organizations continuously monitor the resources that are
able to be re-deployed to keep pace with the changing tempo and de-
During the 1990s and 2000’s, through authors such as Rasmussen, mands of work [61]. Sacrifice judgements temporarily relax these acute
Woods, Hollnagel, Dekker, Amalberti, and Leveson, there were in- production or efficiency goals to reduce risks when operations are too
creasing calls to pay attention to adaptability as a key ingredient for close to safety boundaries [59, 60]. The organisation supports the
safety management. These authors acknowledged the importance of flexibility of operating processes to enable adaptive responses to local
control, but since they were writing at a time when safety management conditions. Workers have sufficient autonomy to make decisions about
by centralised control was entrenched in organizations, they often po- their work in real time. This requires employees to have the psycho-
sitioned their work in contrast to existing practice. This reinforced the logical safety to apply their judgement without fear of repercussion – a
popular perception that control and adaptability could not co-exist. ‘just culture’ [12, 20].
There appeared to be a stark choice between Safety-I and Safety-II. The
mode we present here, ‘guided adaptability’, is not a new idea, but 3.1.3. Synchronization
clarifies the principle that safety comes neither from preventing or To sense and respond effectively to emerging issues, data and in-
encouraging variation, but from recognising that variation is inevitable. formation flows freely across boundaries both internal to the
6
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
Table 3
Practical challenges of safety professionals in a mode of centralised control.
Activity Intent Pressures and tensions
Facilitate task level hazard Identify and evaluate the known safety hazards associated with - Compliance processes that become more about ‘tick & flick’ than
analysis tasks supporting decision making [4, 28]
- The process has a negative impact on the time and resources for every work
task adding to goal conflict [13, 19]
- Creates a fixed model of risk for tasks that reduces ability to identify
changing circumstances [59, 60]
- Shifts accountability away from management to the front-line workforce to
manage safety for themselves [15–17]
Perform system level hazard Identify and evaluate system threats and vulnerabilities to assist in - Creates a fixed model of risk for the system that is not revised as new
analysis design and operation information emerges [59, 60]
- Provides un-justified comfort that the system is safer than it is in reality
(‘Probative blindness’) [44]
- Process focussed on demonstrating and proving safety to external parties
(Regulators) [45]
- Results in the production of ‘Fantasy Plans’ that describe an unrealistic
safety status and response [34]
Develop safety controls Develop physical and behavioural controls for specific hazards and - Specific controls to cover all individual risks generate large and
risks bureaucratic Safety Management Systems [13, 19]
- Ever increasing volume of controls creates safety clutter in organisations
[46]
- Safety controls are applied to specific situations and the overall functioning
of the organisation is not addressed [59, 60]
- Safety controls focus on the behaviours of frontline workers, specified in
rules and procedures [18]
- Continually adding safety controls does not improve the safety of the system
[3]
Monitor safety controls Monitor conformance with the defined safety controls proactively - Conformance and compliance activity (audits, investigations) creates
during normal operations and reactively following safety incidents adversarial relationships [43]
- Incident Investigations, through hindsight bias, create oversimplifications
and focus on human error [15–17]
- The focus of control monitoring shifts from understanding and fixing the
system to protecting the organisation [13, 19]
- Discipline, sanctions, and blame are applied to individuals that deviate from
the specified controls [12]
- Focusing on conformance and compliance reduces open communication and
organisational learning [59, 60]
- Actions pulls operations towards a generalized standard that is not sensitive
to local safety practices [2]
- Control monitoring activity creates excessive time and resource burden on
workers and management [15–17]
Provide safety reporting Provide safety performance reports to management. - Responding and reporting to minor and frequent incidents is a
misallocation of time and resources [15–17, 59, 60]
- Increasing demand creates new safety metrics that become ever-further
removed from risk [15–17]
- Targets and objectives set at perfect safety performance (zero injuries)
creates activity to ‘manage the metric’ [13, 19]
- Focusses the discussion about safety on minor individual events rather than
the functioning of the system [14]
- Creates the same pressures and tensions as described in ‘monitor safety
controls’ [15–17, 43]
Influence and arbitrate Reconcile differences of opinion on the safety issues associated - Safety Professional role defaults to line management objectives rather
decisions for safety with individual tasks. than front-line perspectives [43]
- Safety Professional monopoly on safety expertise marginalizes expertise of
practitioners and experts [2]
- External perspectives on safety evaluated based on relationship rather than
expertise (regulators over contractors) [15–17]
- Safety Professional decisions become binary compliance requirements, not
revised with new information [59, 60]
- Safety judgements focus on the safety issue alone and are not-sensitive to the
broader operation [56]
Promote Authority to Stop Work Promote the ability of front-line workers to stop any task for safety. - Focus on the front-line workforce to detect vulnerabilities shifts
responsibility from management [13, 19]
- Relying on authority to stop work creates goal and work conflicts when
problems arise [56]
- The authority to stop work does not consider broader organisational
considerations – ‘cold water and an empty gun’ [58]
Develop safety culture Promote consistent beliefs and mindset about safety. - Safety Professionals promoting cultural deficiency creates adversarial
relationships with managers [43]
- Attempts to change behaviour generates emotional responses to events that
dismisses information [57]
- Promoting a strong cultural message (i.e. Zero Harm), creates fear and
performance anxiety that increases fatality risk [15–17]
- The words and actions of management are incongruent in different contexts
which reduces open communication [15–17]
- Attempts by management to enact un-authentic actions and behaviours
erodes trust and relationships [12]
7
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
Table 4
Organizational capacities for a safety mode of guided adaptability.
Capacity Description
Anticipation Create foresight about future operating conditions, revise models of risk
Readiness to respond Maintain deployable reserve resources available to keep pace with demand
Synchronization Coordinate information flows and actions across the networked system
Proactive learning Search for brittleness, gaps in understanding, trade-offs, re-prioritisations
organization (between departments) as well as external (e.g. original II, in that both safety I and safety II offer perspectives that are useful to
equipment manufacturers, contractors, regulators, etc.). This synchro- manage work. Resilience engineering literature emphasis ‘plan and
nization provides a constant opportunity to: understand the changing revise’ and the high reliability organisations literature argues for or-
shape of the system, the extent to which operations remain within safe ganisations to move between stability and flexibility as the context
operating boundaries, and the opportunity for coordinated action in demands. The safety management mode of guided adaptability extends
response to changing demands. This approach combats the structural from the safety management mode of centralised control.
secrecy, distortion, and deletion of information that can occur across The following safety professional activities have been synthesized
internal and external organizational boundaries through a mode of from the resilience engineering and Safety-II literature and the orga-
centralized control [54]. nizational capacities outlined in Section 3.1, to support the creation of
an environment to guide the safe adaptation of work (see Table 5).
3.1.4. Proactive learning Table 6 further provides examples of potential specific tasks under each
In all organizations, there is a gap between ‘work as imagined' safety activity.
(WAI) and ‘work as done' (WAD). Work as imagined is reflected in
plans, systems, processes, metrics, and management actions. These do 3.2.1. Explore everyday work
not align with work as it actually happens. Work as imagined, is exactly Safety professionals observe everyday frontline work through their
that, it is not a correct representation of what happens in practice. independent safety lens, combined with their organizational under-
Rather than interpreting data to fit the existing concept of work and standing, and domain safety management knowledge. Through being a
model of risk, proactive learning organizations aim to understand work participant rather than an authority, and balancing conformance with
and then informed by that create a better sense of what it should be guiding adaptability, the safety professional is open to exploring
[58]. Organizations seek to understand where their operations are be- emerging information and threats. Woods [59, 60] proposed the role of
coming brittle and take action to preserve safety margins. This ensures the safety professional as being ‘informed’ and actively generating in-
that the system as a whole provides on-going support for people on the formation about how the organization is currently operating. Through
front-line to be successful [29]. Organizations adopt a systems view for performing everyday work observations for safety [26] the safety pro-
understanding and managing the safety of their people and technology fessional acts as a ‘learner’, seeking context and understanding about
[37]. With the increasing complexity and interconnectedness of modern what is needed to support safe adaptation and success on the front line.
organizations, synchronization enables different parts of the organiza- The safety professional engages with operational units, not to make
tional system to compensate for unexpected strain on one area of re- judgments about the safety compliance of their work, but rather to
sources or activity [35]. To create proactive learning, organizations update their own and the organization's mental models of work, risk
embrace and monitor the adaptive cycles of work. and organizational life. Through their role as an inside-outsider, safety
professionals can identify the gap and what is occurring within it and
3.2. Safety professionals’ role under a safety management mode of guided bring this to the attention of all stakeholders. A large gap between work
adaptability as imagined and work as done signals a breakdown in the coordination
of the organizational system.
A resilience engineering approach to the role of safety professionals Safety professionals focus their attention on studying the adapta-
was first considered by Woods [59, 60] following the Columbia Space tions in the gap between work as imagined and work as done. Through
Shuttle incident. He described the ‘4 I's’ of a safety organization as understanding, tracking, and analysing these adaptive and co-adaptive
‘involved,' ‘informed,' ‘informative’ and ‘independent’ and suggested cycles of connected teams in the organization, the safety professional
that their activities should include: involvement in everyday decision- identifies sources of resilience and brittleness. Safety professionals un-
making, generating operational information of work as done, owning derstand how teams are adapting, the sacrifices, trade-offs, resource
technical standards, understanding anomalies and emerging issues, and allocations, and re-prioritisations. They understand what teams are
providing expert advice [59, 60]. This framework provides the starting adapting to, the procedures and resources that don't work, aren't suf-
point for the development of safety professional activities under a safety ficient, stale and out-of-date. Informed by this, they coordinate action
management mode of guided adaptability. to respond. Safety professionals resist the pressure from management
It is important to note that the safety management mode of guided for work as done to conform with work as imagined, as this only drives
adaptability builds on the foundations of the safety management mode the gap further apart. Instead, safety professional role addresses the gap
of centralised control. This is consistent with the foundations of Safety by understanding what is happening and providing paths to move
Table 5
Safety professional activities to support a mode of guided adaptability.
1 Explore everyday work to understand the gap between work as done and Work as Imagined, and facilitate updates to the organizations models of risk
2 Support local practices and balancing the job demands of front-line teams
3 Generate action to reduce goal conflict between production, cost, and safety, and negotiate the redistribution of operational resources.
4 Facilitate the free flow of data and information across organizational boundaries
5 Generate future operational scenarios through monitoring internal and external threats, and system vulnerabilities
6 Facilitate the making of sacrifice judgments for safety
7 Facilitate learning processes from both daily organizational life as well as from unexpected events
8
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
Table 6
Safety Professional activities, intent, and example descriptions of tasks.
Activity Intent Example Descriptions of Tasks
Explore everyday work Understand the way the organisation is currently - Engage with and observe the challenges and problems faced by front-line work
operating and where resilience and brittleness is as done. Facilitate the identification and implementation of safe adaptations.
present. - Understand the issues and uncertainties being grappled with by technical
specialists and the organisational discounting of emerging information. Monitor
and enhance the rigor applied to safety-critical decision-making.
Support local practices and guide Support local practices and guide adaptations for - Understand how disturbances, problems and surprises are being detected,
adaptations safety. understood and responded to – SNAFU catching. Identify the capacities that
are supporting safe adaptation and develop actions to extend proactive
learning across organisation.
- Guide adaptability by deciding which local practices and adaptations to re-
enforce and which to undermine.
Reduce goal conflict and negotiate re- Monitor goal conflict and create action to alleviate - Monitor organisational pressures; change, cost, production, schedule,
distribution of resources it. Facilitate the re-allocation of operational resources, etc. Understand where discounting of safety risk and safety trade-
resources. offs might be occurring due to production, cost and other goal pressures.
Identify actions to intervene.
- Create system wide action to reduce goal conflict through facilitating
adjustments to cost, schedule and production goals.
- Maintain an inventory of internal and external deployable resources (technical
specialists, key roles, critical equipment).
- Monitor the needs and gaps in resourcing (people and equipment) across the
organisation. Identify and facilitate the redistribution of organisational resources
to support changes in operational demands.
Facilitate information flows and Create mechanisms to transfer information and - Create formal and informal mechanisms to receive information about the
coordinate action coordinate action across organisational boundaries. current functioning of teams across the organisation. Facilitate the transfer of
this information across organisational boundaries where it can enhance
decision-making.
- Coordinate action and operational support to keep pace with emerging demands
across organisational boundaries.
Generate future operational scenarios Utilise current understanding of the organisation to - Facilitate the development of possible future operating scenarios and the
predict possible future conditions. associated safety risks based on a multi-disciplinary understanding of the
organisation. Facilitate the implementation of contingency plans to detect and
respond to these scenarios.
- Probe front-line workers and technical specialists to identify the uncertainty
associated with current operations and safety risks.
Facilitate Sacrifice Judgements Support the understanding of trade-off decisions - Facilitate the development of contingency plans, including flexible deployable
and the resolution of acute goal conflict. resources for high-risk activities to enable justified sacrifice decisions to be
made
- Identify sources of operational uncertainty and use this as a definitive signal that
work needs to be closely supported and implement mechanisms to gather more
information to understand and respond to the changing shape of risk.
Facilitate Learning Create organisational change based on current - Continually monitor the culture of the organisation detecting any sources of
conditions and future scenarios. blame and sanctions in relation to safety and operational performance and
implement actions to restore trust and openness.
- Develop and conduct training in dealing with anomalies and surprises, to
enhance the organisational capabilities for: anticipation, revision, initiative, and
reciprocity.
forward. They consider which adaptations they re-enforce, and which the local practices of frontline teams enhances resilience [49]. Rather
they undermine. The safety professional positions themselves at the than passively observing, safety professionals facilitate action through
sharp end of decision-making about the adaptation of work and, facil- mindful cooperation with the frontline workforce. The safety profes-
itates stakeholder alignment through cross information. sional can facilitate planning and communication processes, facilitate
Safety professionals ensure that the organization is able to sense the alignment between the workforce and management, and enable the
early signs of trouble. All systems are operating under degraded con- making of trade-offs and sacrifice judgments on behalf of safety. The
ditions, some of which the organization knows a lot about, and some of safety professional supports front-line teams to establish their operating
which are emerging and uncertain. The pressure and tension in the norms and processes to create dependable task performance. This co-
organization in a safety mode of centralised control often discounts creation of work methods provides a common direction for work that
these ‘weak’ signals, in the belief that the existing plans and require- enables effective and efficient team performance and task interfaces –
ments are comprehensive. In a mode of guided adaptability, increases constraints that de-constrain, a very different perspective on rules [1].
in ‘uncertainty’ become a definitive signal of emerging risk. The safety To collectively cooperate, the safety professional models and sup-
professional takes action to understand the issue, sacrificing production ports open communication that elicits the expectations of line man-
as necessary and probing management and technical expert confidence agement and the concrete experiences and needs of the frontline
in the organizational understanding of the situation. workforce. The safety professional promotes an environment of trust,
co-operation, and reciprocity [41]. Safety professionals start to guide
adaptations by understanding how front-line teams are currently
3.2.2. Support local practices and guide adaptations
adapting in the gap between work as imagined and work as done. The
Woods [59, 60] described the role of a safety professional as being
safety professional identifies where work adaptations are increasing
‘involved’ in the organization's operations by having constructive and
risk and facilitates action to revise work practices. Safety professionals,
targeted involvement in everyday decision-making. The safety profes-
at the sharp-end of organizations, guide adaptability by deciding which
sional provides support to frontline teams to dynamically balance job
adaptations they support and which they undermine – when to do
demands, resources and other work organization factors. Supporting
9
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
which – support change or require conformance. This challenge should The safety professional looks for signs of fragmentation and pro-
not be underestimated, as it requires the safety professional to create vides support where problems cross-over and break-down at organiza-
change, in responses to information that is not as definitive, as it would tional boundaries. They identify and work to resolve the things that are
seem in the case of an incident. undermining collaboration, which builds the potential for coordinating
Safety is something that you do (i.e. safety management), it is not in response to future events that are different to those experienced in
something that you have [30]. The tensions and challenges described in the past. The safety professional becomes part of making the system
this paper remain in the organization, and the safety professional role work by highlighting where coordination is breaking down, or how it
needs to become the focal point between the pressure for centralized can be enhanced.
control from above, and the need to guide adaptability below. The Safety professionals establish intelligence-gathering lines of com-
safety professional becomes a key facilitator of action – they help plans munication to key people and data systems across the organization.
and adaptation to co-exist rather than to compete. This intelligence includes: people changes, resources scarcity, opera-
If we now think of safety professionals as sharp end actors, they are tional shifts, goal conflict, or changes in the external operating context
positioned locally, not hidden in back offices. They are close to: op- of the organization. This real-time information provides the safety
erational and line management environments, decision making pro- professional with insight for where safety risk may be increasing, trade-
cesses, and sources of data and information. Safety professionals un- offs occurring, and safety margins eroding. The safety professional va-
derstand the conflicts and trade-offs in the operational environments, lidates this system level information with local operating units.
they interpret the emerging signals, and they anticipate problems. Safety professionals amplify the voice of the frontline and domain
Safety professionals require management support for guiding adapta- experts to compensate for the impact of power, hierarchy and produc-
tion at the sharp end, as in different situations they will sometimes tion pressure within organizations. Woods [59, 60] also described the
require compliance, and sometime sacrifice production. role of a safety professional as ‘informative’ referring to providing in-
formation about system vulnerabilities to reframe and direct interven-
3.2.3. Reduce goal conflict and negotiate the re-distribution of resources tions. Safety professionals are uniquely placed in the organization to
The safety professional initiates system-wide action to respond to provide this information, as they have knowledge of the system as a
threats. These actions relate to decisions concerning: continuing op- whole, as well as the functioning of local operating units. The safety
erations, reducing goal conflict, and the dynamic reallocation of re- professional has experience of life at the ‘sharp-end’ of the organization
sources. The safety professional facilitates the adjustment of organiza- as well as with ‘blunt-end’ decision-making.
tional and operating unit goals when they threaten to trade off safety Repeated observations of front line activities enable the safety
margins. These goals include: production targets, financial budgets, professional to identify operational changes and probe the potential for
resource levels, contract requirements, project schedules etc. The safety normalization of deviance [55]. Monitoring these adaptive cycles of
professional should aim to build safety into the organizational system workers and teams embedded in the larger organization also provides
and the way that it continually operates [37]. local data to compare and contrast with system level data. Safety in-
Safety professionals are able to directly influence the resource al- cidents are easy to see, however operational performance is about
location within and across operating units. They create and maintain an normal work where the people, technology, and processes within the
understanding of the organizations total deployable reserve resources. system sense and respond within safe system boundaries therefore not
The safety professional can claim, negotiate and re-distribute human, resulting in incidents. Safety professionals provide fresh insight and
financial and technical resources. Investing in safety management is actionable suggestions to maintain safety and improve system perfor-
most important when management of an operational unit believes they mance.
cannot afford to [59, 60], such that the safety professional and local The safety professional organization in part, operates like a shadow,
operating units have the authority to requisition additional resources to parallel, or redundant communication and coordination network
absorb unexpected demands. throughout the organization. Safety information can be exchanged be-
Guided adaptability preserves the idea that planning and proactive tween safety professionals in different departments with a minimal
coordination is useful. However, always understands that it isn't com- level of distortion due to their consistent safety vernacular. Safety
plete and so the organization constantly searches for new and emerging professionals translate information into ways that their local operating
information. All plans and models of risk are only partially correct, and units and functional departments understands – be that operations,
while work to plan is reasonable in the first instance, organisations have project management, engineering, procurement, finance, etc.
to be able to recognise and adapt as things change. Guiding adaptation
is helpful for achieving safety and other organizational objectives. 3.2.5. Generate future operational scenarios
Safety professionals understand, and have their organizations under- The safety professional provides information about the changing
stand the shift from, ‘plan and conform’ to ‘plan and revise.’ vulnerabilities of the system gathered through monitoring activities.
However, more than providing information, the safety professional
3.2.4. Facilitate information flows and coordinate action creates risk foresight from this information using their domain safety
The safety professional provides a useful resource to actively facil- knowledge and their intimate understanding of the organization [43].
itate communication across organizational boundaries and therefore Safety professionals facilitate analysis methods to understand the resi-
limit structural secrecy between departments. The safety professional lience of the organization, that might include: systems-theoretic acci-
through their interactions and understanding of all parts of the orga- dent modeling and processes (STAMP), resilience analysis grid (RAG),
nization can identify communication needs and gaps across operating and functional resonance analysis method (FRAM).
units, technical departments, and support teams. The safety profes- Safety Professionals generate potential future operating scenarios
sional directly facilitates this information and data flow in the interests and the safety risks associated with them. Safety professionals model
of safety, from where it is known, to where it needs to be understood. and predict the short, medium and long-term effects of line manage-
Not only within the organization, the safety professional identifies and ment decisions and adaptations within the organization. This is much
facilitates the organizational understanding of external knowledge broader activity than safety hazard assessments, and involves sophis-
about technology (original equipment manufacturers), safety science ticated scenario modeling that plots interdependencies and potential
(academia), safety practices (regulators and industry partners), and cascades [63]. Creating safety risk scenarios relating to the current
specialist activities (contractors). Ensuring that information and data is decisions and actions of people and the trajectory of the organization
in the right place in the organization at the right time, enables better will likely challenge conventional assumptions of line management
decision-making for safety. about safety risk [59]. For this reason, Woods [59, 60] suggested the
10
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
safety professional needs ‘independence’ to perform their role effec- failures (i.e. near misses). The efficacy of improving the chance of im-
tively. This cognitive, social and organizational independence allows proving safety outcomes through learning from failure is often debated
the safety professional to challenge models of risk, bring this perspec- in the safety literature (e.g. [27]). The safety management mode of
tive to the organization through an independent voice, and have the guided adaptability instead learns from adaptations that create success.
dedicated resources to perform monitoring activities, and facilitate These are the situations where surprises and new information emerged,
change. and the organization was able to revise its plans and models, and suc-
Safety professionals are constantly looking for information about cessfully adapt to the situation [62]. The safety professional supports
where the boundaries are in the system and therefore where brittleness the organization to understand how this successful adaptation occurs,
is present. To monitor the organization the safety professional operates what information and resources are drawn on, how is it interpreted and
and is informed at both the system level as well as the local operational deployed, and what further capacities are critical to these situations.
level. The safety professional keeps a discussion about risk alive even Safety professionals are constantly communicating with and sup-
when everything looks safe [13, 19] and supports the organization to porting the education of others in respect of safety management and
revise mental models of operational risk as new information emerges operational performance. To do this effectively, safety professionals
and evidence accumulates [59, 60]. have an advanced understanding of many disciplines, including: resi-
lience engineering, systems theory, complexity theory, cognitive psy-
3.2.6. Support and facilitate the making of sacrifice judgments chology, and sociology. They are able to share this knowledge effec-
tively with others in applied situations.
Safety professionals enable and maintain a commitment to sup-
porting operational performance and safety at the very top of their 3.3. Organizational responses to a mode of guided adaptability
organization. Their role is to provide a safety lens over the entire
system, in a way that promotes a ‘devotion to safety’ alongside other In Section 2.3 we outlined the adaptive cycles of front-line work
system and organizational goals [31]. This commitment to safety is from a mode of centralized control. There are adaptive cycles of front-
maintained alongside the organization's production and financial ob- line work as it responds to the new pressures of a guided adaptability
jectives and compensates for the ‘faster, better, cheaper’ imperative of mode of safety management (see Fig. 2). It is important to understand
modern organizations. The safety professional directly influences the how the role and activities of safety professionals influences their or-
adjustment or cessation of critical operational activity where safety ganisation.
margins are not sufficiently understood. To be effective, this commit- Safety Professionals coordinate and connect organizational activity
ment needs to be reflected in all the actions and behaviors of the or- through: focussing activities at the sharp end, understanding the gap
ganization and supported by the creation of a ‘just culture’ [20]. The between work as done and work as imagined, probing uncertainty as a
safety professional has a critical role in facilitating the understanding definitive signal of pending trouble, and coordinating activity across
of, and role modeling the behaviors present in a just culture. organizational boundaries. We acknowledge that ‘safety differently’
Safety Professionals create, support and share experiences where professional practice is in its infancy, and hence the descriptions pro-
safety management is prioritized over production and financial objec- posed in Section 3.2 and specific tasks in Table 6 are not likely to be a
tives. This can be a situation where workgroups have adjusted their reflection of current practice.
work due to emergent safety concerns, or additional unbudgeted re-
sources have been provided to preserve safety margins. Celebrating 4. Conclusion
sacrifice judgments as a success encourages managers and employees
across the organization to do the same. Safety professionals celebrate The central theme of centralized control is ‘plan and conform’, while
the tender that was lost because safety was priced in, and the project the central theme of guided adaptability is ‘plan and revise’. Resilience
team that went over schedule and over budget to maintain safety engineering theory always specified guided adaptability, but often got
margins that were required for unforeseen and therefore not planned misinterpreted as the opposite end of the control-adapt paradox due to
for issues. The organization sees these as successes for safety, and this is the entrenched Safety-I practice in organisations. Consistent with the
very different to other organization's models of success. origins of Resilience Engineering, Safety-II, Safety Differently, and High
Reliability Organisation theory, guided adaptability is not about
3.2.7. Facilitate learning choosing between control or adaptation, but about helping safe varia-
tions happen, and helping variations be safe. Managers, safety profes-
The safety professional facilitates organizational learning processes sionals and frontline workers need to determine when, for a given
at a system, team and individual level, from both normal work as well context, the safe course of action is to comply with standardised prac-
as from unexpected events. Continuous learning enables the organiza- tices, and when the safe course of action is to adapt.
tional to keep pace and the maintain organizational alignment on a Whilst sympathetic to the reality of Safety-I practice within orga-
shared model of risk [59, 60]. To understand an unexpected situation nizations, we have shown the necessity for safety professionals to
that occurred within the organization the safety professional facilitates transition their safety management practice towards enabling a mode of
an open, unstructured inquiry with the people involved first-hand. The guided adaptability in the interest of improved organizational safety
safety professional enables an exchange of perspectives on the situation outcomes. This will move the profession closer towards its fundamental
amongst the stakeholders that can evolve towards a shared picture of responsibility to create foresight about the changing shape of risk, and
risk and action [43]. What needs to be learned and changed within the facilitate action, before people are harmed [58].
system is a judgment of the individuals closest to the point of risk, or The important first step for the safety profession is to acknowledge
experts in the situation, and is not be made by the safety professional that their role is presently trapped in a mode of centralized control,
and line management alone. The safety professional through their un- where they spend too much safety energy on reactive, fragmented and
derstanding of how the system functions, and how work is done, can defensive activity. Alongside the recent theoretical, and empirical re-
own and facilitate these organizational learning processes. The direc- search developments in managing safety in complex systems, some
tion of this learning process is ‘up and out’ [13, 19], taking information safety professionals want to add activities aligned to a guided adapt-
from the frontline and interpreting it in a way that enables the system ability mode of safety management, but they are not sure how to start –
as a whole to learn and adapt. this paper addresses this problem.
In the safety management mode of centralized control, learning Sections 2 and 3 provided the two modes of safety, and the role of
comes from significant safety failures (i.e. accidents) or near safety safety professionals. Whilst the safety professional role we described in
11
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
a mode of centralized control (Section 2.2) is strongly informed by collaborating, and safety professionals are telling the front-line teams
current safety practice [43], the role in the mode of guided adaptability what to do for safety management. In safety-I, together with line
(Section 3.2) is more tentative based on the authors’ own interpreta- management they are part of processes that always results in new in-
tions of the implications of current safety theory for safety professional junctions or demands – “we are the safety management authority who
practice. The role of any individual safety professional will also ne- speaks to the front-line workers about how it should work”. In a safety
cessarily be shaped by their specific role, as well as the domain and management mode of guided adaptability, the safety professional is
operational context of their organisation. The safety professional needs part of what makes the organization successful, that is effectively
to have the autonomy, flexibility and discretionary resources to reshape adapting to emerging situations, and overcoming challenges where
their role in response to changing needs within the organization as they things didn't work as planned or imagined. Safety professionals help
move towards guided adaptability. their organizations be successful in a changing, complex world.
The safety professional role evolves to be part of helping the orga- The role of safety professionals in a safety management mode of
nization be successful, not just a ‘detect and repair’ mechanism for guided adaptability is very different than in a safety management mode
safety compliance problems. The role shifts where is sits in the world, of centralized control. We have described tasks and activities of a safety
from being an agent on behalf of line management's formal authority, professional that is within the potential authority of the role, however
towards being a participant at all levels. In a safety management mode we acknowledge that it is one that would require significant relational
of centralised control, there is no genuine participating, no influence over many other roles in the organisation, in particular line
12
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
management. Whilst the implications for the mindset and capabilities of [4] Amalberti R. Navigating safety: necessary compromises and trade-offs-theory and
safety professionals is outside the scope of this paper, they are con- practice. Springer; 2013.
[5] Aven T. "On how to define, understand and describe risk." Reliab Eng Syst Safety
siderable. Some safety professionals may find moving towards a safety 2010;95(6):623–31.
management mode of guided adaptability a tremendous burden – [6] Blair EH. Critical competencies for SH&E managers-implications for educators.
moving from setting rules, monitoring compliance, investigating in- Proceedings of the ASSE professional development conference and exposition. 2004.
[7] Brun J-P, Loiselle CD. "The roles, functions and activities of safety practitioners: the
cidents, and preparing safety reports, to – being a sharp-end operator, current situation in Québec." Safety Sci 2002;40:519–36.
contributing to the success of the company, studying adaptations, [8] Chang SH, Chen DF, Wu TC. "Developing a competency model for safety profes-
making decisions on what to re-enforce or undermine, coordinating sionals: correlations between competency and safety functions." J Safety Res
2012;43(5-6):339–50.
activity across boundaries, and openly probing and questioning tech- [9] Cook RI, Rasmussen J. "Going solid: A model of system dynamics and consequences
nical specialists and management. Performing the role of a safety pro- for patient safety." Quality Safety Health Care 2005;14(2):130–4.
fessional in a safety management mode of guided adaptability requires [10] Cook RI, Woods DD, Miller C. A tale of two stories: contrasting views of patient
safety. National Health Care Safety Council of the National Patient Safety
good people, and a mindset and interpersonal capability that is vastly
Foundation at the AMA; 1998.
different to that likely to be found among safety professionals currently [11] Dejoy DM. "Safety Professionals: A Survey of Job Activities." Occupatl Hazards
performing their role in a centralised control mode of safety manage- 1991;53:35–8.
ment [24, 43]. As [23] proposed, safety professionals need to evolve [12] Dekker S. Just culture: balancing safety and accountability. Ashgate Publishing, Ltd;
2012.
from single loop learning regarding reactive correction of deviations, to [13] Dekker S. Safety differently: human factors for a new era. CRC Press; 2014.
deutero-learning which concerns themselves as well as managers and [14] Dekker S. Drift into failure: from hunting broken components to understanding
operators becoming better learners. complex systems. CRC Press; 2016.
[15] Dekker S. The field guide to understanding 'human error'. CRC Press; 2017.
Organizational leaders and line managers will play an important [16] Dekker S. The safety anarchist: relying on human expertise and innovation, redu-
role in supporting safety professionals to move towards a safety man- cing bureaucracy and compliance. New York: Routledge; 2017.
agement mode of guided adaptability. The safety professional needs to [17] Dekker S. "Zero Vision: enlightenment and new religion." Pol Pract Health Safety
2017;15(2):101–7.
be resourced and empowered to change, requiring: investments in in- [18] Dekker SWA. "Follow the procedure or survive." Human Factors Aerosp Safety
quiring and analysing problems that are not definitive, sacrificing 2001;1(4):381–5.
production and other organizational goals to maintain safety margins, [19] Dekker SWA. "The bureaucratization of safety." Saf Sci 2014;70:348–57.
[20] Dekker SWA, Breakey H. "‘Just culture:’ Improving safety by achieving substantive,
and questioning and probing technical specialists and all levels of procedural and restorative justice." Safety Sci 2016;85:187–93.
management. Line management will be resourcing roles to in- [21] Geller ES. "Behavior-based safety and occupational risk management." Behav Modif
dependently question their decisions and actions [59, 60]. 2005;29(3):539–61.
[22] Grote G. "Promoting safety by increasing uncertainty – Implications for risk man-
The key contributions of this paper are:
agement." Safety Sci 2015;71:71–9.
[23] Hale A. "Editorial: Learning and training in health and safety." Safety Sci
1 Articulating the two modes of safety – ‘centralised control’ and 2016;81:1–4.
‘guided adaptability’; [24] Hale AR, Bianchi G, Dudka G, Hameister W, Jones R, Perttula P, Ytrehus I.
"Surveying the role of safety professionals: Objectives, methods, and early results."
2 Explaining how the two modes creates tensions and adaptations to Safety Sci Monitor 2005;9(1):1–33.
the role of safety professionals and front-line workers, [25] Hale AR, Guldenmund FG. Role and tasks of safety professionals: Some results from
3 Enabling guided adaptability by providing a first specification for an international survey. Melbourne: Safety In Action; 2006.
[26] Havinga J, Dekker S, Rae A. "Everyday work investigations for safety." Theor Iss
the safety professional role, and: Ergonom Sci 2017;19(2):213–28.
4 Clarifying aspects of Resilience Engineering theory in relation to the [27] Hollnagel E. From protection to resilience: Changing views on how to achieve
control-adapt paradox. safety. Sydney, Australia: International Symposium of the Australian Aviation
Psychology Association; 2008.
[28] Hollnagel E. The ETTO principle: efficiency-thoroughness trade-off. Surrey,
We suggest that the next important step in the development of the England: Ashgate; 2009.
safety professional role in a safety management mode of guided [29] Hollnagel E. Safety-I and Safety-II: the past and future of safety management.
Ashgate Publishing Limited; 2014.
adaptability is to develop role specifications and case studies for spe-
[30] Hollnagel E. Safety-II in practice: developing the resilience potentials. Routledge;
cific industries and levels of position (which will improve, change, and 2017.
get more specific over time). By re-opening the discussion on the role of [31] Hollnagel E, Woods DD, Leveson N. Resilience engineering: concepts and precepts.
Ashgate Publishing, Ltd; 2006.
safety professionals and the alignment to their organisation's mode of
[32] Hopkins A. "Studying organisational cultures and their effects on safety." Safety Sci
safety management, this paper aims to personalise the Safety-I versus 2006;44(10):875–89.
Safety-II dialogue within the safety profession. Are safety professionals [33] Hudson P. "Implementing a safety culture in a major multi-national." Safety Sci
supporting and reinforcing a centralized control mode of safety man- 2007;45(6):697–722.
[34] Hutchinson B, Dekker S, Rae AJ. Fantasy Planning: the gap between systems of
agement, or are they dynamically balancing the needs of people on the safety and safety of systems. Proceedings of the Australian Safety Critical Systems
front-line to sense and respond successfully to emerging situations and Conference. 2018.
changing context though a safety management mode of guided adapt- [35] Kahn W, Barton M, Fisher C, Heaphy E, Reid E, Rouse E. "The Geography of Strain:
Organizational Resilience as a Function of Intergroup Relations." Acad Manag Rev
ability? Are they the ‘controller,’ or are they the ‘guide?’ 2017;43(3):509–29.
[36] Katz D. "The motivational basis of organizational behavior." Behav Sci
Supplementary materials 1964;9:131–46.
[37] Leveson NG. "Applying systems thinking to analyze and learn from events." Safety
Sci 2011;49(1):55–64.
Supplementary material associated with this article can be found, in [38] Mullen JE, Kelloway EK. "Safety leadership: A longitudinal study of the effects of
the online version, at doi:10.1016/j.ress.2019.106740. transformational leadership on safety outcomes." J Occupat Organ Psychol
2009;82(2):253–72.
[39] Nedved M, Booth R. "A Comparison of the Role and Training Needs of Safety
References Personnel in the U.K. and West Germany with Special Reference to the Chemical
Industry." J Occupat Accid 1982;4:61–77.
[40] Nordlöf H, Wiitavaara B, Winblad U, Wijk K, Westerling R. "Safety culture and
[1] Alderson DL, Doyle JC. "Contrasting Views of Complexity and Their Implications
reasons for risk-taking at a large steel-manufacturing company: investigating the
For Network-Centric Infrastructures." IEEE Trans Syst Man Cybern Part A: Syst
worker perspective." Safety Sci 2015;73(126-135).
Humans 2010;40(4):839–52.
[41] Ostrom E, Walker J. Trust and reciprocity: Interdisciplinary lessons for experi-
[2] Almklov PG, Rosness R, Størkersen K. "When safety science meets the practitioners:
mental research. Russell Sage Foundation; 2003.
Does safety science contribute to marginalization of practical knowledge?" Safety
[42] Perrow C. Normal accidents: Living with high risk technologies. Princeton
Sci 2014;67:25–36.
University Press; 1984.
[3] Amalberti R. "The paradoxes of almost totally safe transportation systems." Safety
[43] Provan DJ, Dekker SWA, Rae AJ. "Bureaucracy, Influence and Beliefs: A literature
Sci 2001;37:109–26.
review of the factors shaping the role of a safety professional." Safety Sci
13
D.J. Provan, et al. Reliability Engineering and System Safety 195 (2020) 106740
2017;98:98–112. [56] Weber DE, MacGregor S, Provan DJ, Rae AJ. ""We can stop work, but then nothing
[44] Rae AJ, Alexander RD. "Probative blindness and false assurance about safety." gets done." Factors that support and hinder a workforce to discontinue work for
Safety Sci 2017;92:190–204. safety." Safety Sci 2018;108:149–60.
[45] Rae AJ, Provan DJ. "Safety work versus the safety of work." Safety Sci [57] Weick KE, Sutcliffe KM, Obstfeld D. Organizing for High Reliability: Processes of
2019;111:119–27. Collective Mindfulness. Res Organizat Behav 1999;1:81–123. R. S. Sutton and B. M.
[46] Rae AJ, Provan DJ, Weber DE, Dekker S. "Safety Clutter: The accumulation and Staw. Stanford, Jai Press.
persistence of 'safety' work that does not contribute to operational safety." Pol Pract [58] Woods DD. Creating foresight: Lessons for enhancing resilience from Columbia. In:
Health Safety 2018;16(2):194–211. Starbuck W, Farjoun M, editors. Organization at the limit: NASA and the Columbia
[47] Reason J. "Beyond the organisational accident: the need for "error wisdom" on the disaster. Malden, USA: Blackwell; 2005.
frontline." Quality and Safety in Health Care 2004;13(2):28–33. [59] Woods DD. How to design a safety organization: Test case for resilience en-
[48] Robson LS, Clarke JA, Cullen K, Bielecky A, Severin C, Bigelow PL, Irvin E, Culyer gineering. In: Hollnagel E, Woods DD, Leveson N, editors. Resilience engineering:
A, Mahood Q. "The effectiveness of occupational health and safety management Concepts and precepts. Surrey: Ashgate; 2006. p. 315–25.
system interventions: A systematic review." Safety Sci 2007;45(3):329–53. [60] Woods DD. "Resilience engineering: Redefining the culture of safety and risk
[49] Savioja P, Norros L, Salo L, Aaltonen I. "Identifying resilience in proceduralised management." Human Factors Ergonom Soc Bull 2006;49(12):1–3.
accident management activity of NPP operating crews." Safety Sci 2014;68:258–74. [61] Woods DD. "Four concepts for resilience and the implications for the future of re-
[50] Schein EH. "Organizational culture." Am Psychol Assoc 1990;45(2):109. silience engineering." Reliabil Eng Syst Saf 2015;141:5–9.
[51] Stabile DR. "The Du Pont experiments in scientific management: efficiency and [62] Woods DD. STELLA: Report from the SNAFUcatchers workshop on coping with
safety, 1911–1919." Bus History Rev 1987;61(3):365–86. complexity. Columbus, OH: The Ohio State University; 2017.
[52] Swuste P, Gulijk Cv, Zwaard W, Oostendorp Y. "Occupational safety theories, [63] Woods DD, Branlat M, Herrera I, Woltjer R. "Where Is the organization looking in
models and metaphors in the three decades since World War II, in the United States. order to be proactive about safety? a framework for revealing whether it is mostly
Brita Netherl A Literat Rev. Safety Sci 2014;62:16–27. looking back, also looking forward or simply looking away." J Contingenc Crisis
[53] Taylor FW. The principles of scientific management. Harper; 1914. Manag 2015;23(2):97–105.
[54] Vaughan D. "The dark side of organizations: mistake, misconduct, and disaster." [64] Wu TC. "The roles and functions of safety professionals in Taiwan: Comparing the
Ann Rev Sociol 1999;25:271–305. perceptions of safety professionals and safety educators." J Safety Res
[55] Vaughan D. "Theorizing Disaster: Analogy, historical ethnography, and the 2011;42(5):399–407.
Challenger accident." Ethnography 2004;5(3):315–47.
14