From 1980 through 2010, safety performance emphasis was on accident prevention through the application of controls. We learned about the hierarchy of controls (elimination, substitution, engineering controls, administrative controls and personal protective equipment) and the multiple barrier principle (use several controls in case one or two fail so there will always be something to protect you). The Institute of Nuclear Power Operations has defined “defense in depth” as “the overlapping capacity of various defenses to protect personnel and equipment from human error. If a failure occurs with one defense, another will compensate for that failure, thereby preventing harm. The four lines of defense – engineered, administrative, cultural, and oversight controls – should work together to anticipate, prevent, or catch active errors before suffering a significant event.” This thinking took us a long way in improving safety, and most companies experienced significant reductions in incident rates, severe accidents and fatalities.
During that period, and because of that success, most utility companies started to target zero injuries as part of their safety performance improvement programs. This led to an almost exclusive focus on a single number: the all-injury rate or the total recordable injury rate. The result was that companies were able to achieve rates of less than 1.0 (one injury per 200,000 hours worked), which, in turn, led to the belief that they were ultra-safe organizations where nothing really bad could happen. But history has demonstrated that, even in those high-performing organizations, disasters and fatalities can and do still occur. As James Reason taught us in the 1990s through his Swiss cheese model, even multiple barriers can fail under the wrong circumstances, leading to accidents and loss.