health and safety critical control management · health and safety critical control management good...

HEALTH AND SAFETYCRITICAL CONTROLMANAGEMENTGOOD PRACTICE GUIDE

http://www.icmm.com

Foreword 3Introduction 4Definitions and acronyms 5

Critical control management 7

Summary 7Step 1: Planning the process 8Step 2: Identify material unwanted events (MUEs) 9Step 3: Identify controls 10Step 4: Select the critical controls 12Step 5: Define performance and reporting 14Step 6: Assign accountability 16Step 7: Site-specific implementation 18Step 8: Verification and reporting 19Step 9: Response to inadequate critical control performance 20

Appendices 23

Appendix A: The CCM journey model and mapping tool 23Appendix B: Guidance on critical controls 24Appendix C: CCM lead and lag indicators 26Appendix D: References 28

Acknowledgements 30

This document, one of a range ofdocuments on good practice inhealth and safety management,is designed to support theprinciple of continualimprovement. It providespractical guidance on preventingthe most serious types of healthand safety incidents, referred tohere as material unwantedevents (MUEs).

This guidance document providesadvice on how to identify andmanage critical controls that caneither prevent a serious incidentoccurring in the first place orminimize the consequences if aserious incident were to occur.Both types of control are needed.Evidence from major incidents in mining and metals, and inother industries, indicates thatalthough the risks were known,the controls were not alwayseffectively implemented.Therefore, this documentprovides specific guidance on:

• identifying the critical controls

• assessing their adequacy

• assigning accountability for their implementation

• verifying their effectiveness in practice.

The approach described in thisdocument is called criticalcontrol management (CCM).

CCM is well established and in use in many high-hazardindustries. However, this is the first time this approach has been captured in a singledocument designed specificallyfor the mining and metalsindustry. This would not havebeen possible without theguidance and support of ICMM member companies.

As with most new organizationalinitiatives, the successfulimplementation of CCM requiressenior executive support. This support is required in terms of not only establishingCCM within companies, but in its ongoing implementation. The approach enables seniorleaders to more effectivelyexercise their leadership role in safety as a result of thetransparency brought to bear by applying CCM. Under CCM,critical controls should be clearly described, and theirrequired performance and theaccountability for implementingthe controls should be madeexplicit. This should permitsenior leaders to participate even more effectively inmanaging the risks of majorincidents. Committed leadershipthrough the active monitoring of CCM across the mining andmetals industry is essential for the long-term success of the approach.

Health and safety critical control management Good practice guide 3

FOREWORD

R. Anthony HodgePresident, ICMM

The global mining andmetals industry hasmade great progress inimproving health andsafety performance. One of the sustainabledevelopment principlesof the InternationalCouncil on Mining andMetals (ICMM) is to seekcontinual improvement in health and safetyperformance.

Aim

The document provides advice on how to identify and manage criticalcontrols that can either prevent aserious incident occurring in the firstplace or minimize the consequences if a serious incident were to occur.This document provides specificguidance on:

• identifying the critical controls

• assessing their adequacy

• assigning accountability for their implementation

• verifying their effectiveness in practice.

Structure

This guidance document utilizes anumber of steps that an organizationcan use to structure their approach toCCM. This document describes:

• the background and aim of the CCM process

• guidance to prepare an organization for the CCM process

• nine steps to develop the CCM process

• annexes providing additional guidance on:

– a CCM journey model and mapping tool to help organizations assess status and progress

– critical controls

– lead and lag indicators.

Preparation for the CCM process

The CCM process outlined here is astep-by-step approach where theprocess is divided between planningand implementation. It is importantfor an organization undertaking CCMto have the right skills, experience and resources to implement it to ahigh standard. The organizationshould also have buy-in from seniorexecutives. Such support is afundamental characteristic of theorganizational maturity required tosucceed with CCM.

If an organization is unsure whether it is mature enough to begin, it isrecommended that the organizationundertake a review of its readiness toadopt CCM. This guidance documentincludes an analysis tool that mighthelp identify that readiness: the CCMjourney model and mapping tool. The tool is structured as a journeychart, with each step of the journeydescribing an increased level ofcontrol management culture andpractices. The tool can help map theorganization’s current status, as wellas provide ideas for moving towardsCCM by establishing the requiredfoundation (see Annex A).

Once an organization has assessed its maturity and established theappropriate foundation, it is ready toproceed with the process.

4 Health and safety critical control management Good practice guide

INTRODUCTION

This documentprovides advice onMUEs – guidance onmanaging criticalcontrols that alignsrisk management andgood managementpractice. CCM is anintegral part of riskmanagement and aids in identifying the priority risks in a company andimplementing criticalcontrols to prevent an incident or mitigate its impact.

Bowtie analysis (BTA) An analytical method for identifyingand reviewing controls intended toprevent or mitigate a specificunwanted event.

CauseA brief statement of the reason for anunwanted event (other than the failureof a control).

ConsequenceA statement describing the finalimpact that could occur from thematerial unwanted event (MUE). It isusual to consider this in terms of themaximum foreseeable loss.

ControlAn act, object (engineered) or system(combination of act and object)intended to prevent or mitigate anunwanted event.

Critical controlA control that is crucial to preventing the event or mitigating the consequences of the event. The absence or failure of a criticalcontrol would significantly increasethe risk despite the existence of theother controls. In addition, a controlthat prevents more than one unwantedevent or mitigates more than oneconsequence is normally classified as critical.

Critical control management (CCM)A process of managing the risk ofMUEs that involves a systematicapproach to ensure critical controlsare in place and effective.

HazardSomething with the potential forharm. In the context of people, assetsor the environment, a hazard istypically any energy source that, ifreleased in an unplanned way, cancause damage.

Material unwanted event (MUE)An unwanted event where thepotential or real consequence exceedsa threshold defined by the company as warranting the highest level ofattention (eg a high-level health orsafety impact).

Mitigating controlA control that eliminates or reducesthe consequences of the unwantedevent.

Preventing controlA control that reduces the likelihoodof an unwanted event occurring.

RiskThe chance of something happeningthat will have an impact on objectives.It is usually measured in terms ofevent likelihood and consequences.

Unwanted eventA description of a situation where the hazard has or could possibly be released in an unplanned way,including a description of theconsequences.

Verification activitiesThe process of checking the extent towhich the performance requirementsset for a critical control are being met in practice. Company health andsafety management systems mightuse a variety of terms for “verification”activities. Common terms includeaudit, review, monitoring and activemonitoring.

DEFINITIONS AND ACRONYMS


This is not a definitivelist of risk managementterminology. The focusis on some of the key definitions andacronyms associatedwith critical controlmanagement used in this document.

Imag

eco

urte

syof

Ang

loA

mer

ican

Committed leadershipthrough the activemonitoring of CCMperformance isessential for the long-term success ofthe process.

Summary

CCM consists of nine steps, six ofwhich are required to plan the CCMprogram before implementing them in the last three steps, as seen inFigure 1.

This document provides guidance foreach step in the process, as well askey actions and selected health andsafety examples.

Each step might require revisiting the previous step to achieve thedesired outcome. For example, the loop from Step 7 to Step 6indicates the potential need to revisit information from the planning steps when site implementation isdefined. This might occur because the site control performance variesfrom assumptions made at theplanning stage.

Each step in the process has a targetoutcome that should be achievedbefore moving to the next step. Table 1 summarizes all steps andoutcomes.

The following pages provide a step-by-step outline of the CCMprocess.


CRITICAL CONTROL MANAGEMENT

Figure 1: The critical control management process

Table 1: Critical control management steps and target outcomes

TARGET OUTCOMESTEP

Pla

nnin

gst

eps

Impl

emen

tati

on

1 A plan that describes the scope of the project, including what needs to be done, by whom and the timescales.

2 Identify MUEs that need to be managed.

3 Identify controls for MUEs, both existing controls and possible new controls. Prepare a bowtie diagram.

4 Identify the critical controls for the MUE.

5 Define the critical controls’ objectives, performance requirements and how performance is verified in practice.

6 A list of the owners for each MUE, critical control and verification activity. A verification and reporting plan is required to verify and report on the health of each control.

7 Defined MUE verification and reporting plans, and an implementation strategy based on site-specific requirements.

8 Implement verification activities and report on the process. Define and report on the status of each critical control.

9 Critical control and MUE owners are aware of critical control performance. If critical controls are underperforming or following an incident, investigate and take action to improve performance or remove critical status from controls.

1Planning the process

3Identify controls

4Select the critical controls

8Verification and reporting

5Define performance and reporting

7Site-specific implementation

6Assign accountability

9Response to inadequate

critical control performance

2Identify material unwanted events (MUEs)

Planning steps

Impementation steps

Feedback loop


CRITICAL CONTROL MANAGEMENTSTEP 1: Planning the process

The first step of the CCM process is tocarefully scope out and plan the work. This includes planning what definitions,criteria and actions will need to be carried out, what areas of an organizationand/or specific people will be involved, and over what timeframe. The followingquestions should be considered (each iselaborated on in subsequent steps):

• What is the organizational context? Are there existing projects at a corporate, business unit or site level that complement or conflict with this work?

• What is the objective and what are the specific deliverables of the project?

• What sections of the business will be involved?

• What method will be used to identify potential hazards?

• What methods will be used to identify unwanted events?

• What methods will be used to assess the risk of the identified unwanted events, including the criteria for a MUE?

• What method will be used to review MUE controls?

• What will the criteria be for critical control selection?

• What will the criteria be for assessing the objectives and performance of the critical controls?

• How will the verification processes be defined?

• How will ownership and accountability be defined?

• How can critical control information be adapted to become site-specific?

• How will critical control performance be verified in practice and what actions will be taken if requirements are not met?

• What methods will be used to investigate critical control underperformance?

• How will the impact of the CCM initiativewill be measured?

Scoping for a major initiative shouldconsider additional resources such asleadership, facilitation, project teammembership, timing and budget.

Key actions

• Develop a plan that describes the scope of the project.This includes: – organizational context – project objectives – responsibilities – business sections involved.

• Develop methods to: – identify potential hazards and unwanted events– assess risk – review MUEs– select critical controls– assess objectives and performance of critical controls– investigate critical control underperformance– measure impact of the project– identify ownership and accountability.

Target outcome

A plan that describes the scope of a project, including what needs to be done, by whom and the timescales.


3Identify controls










CRITICAL CONTROL MANAGEMENTSTEP 2: Identify material unwanted events (MUEs)

Identify material unwanted events (MUEs)Identification of MUEs needs to considerhistorical as well as foreseeable eventsgiven the operations and activities atindividual sites. As a result, identification ofMUEs needs to include suitably experiencedpersonnel and a review of relevant data.This will need to include the history fromthe site, company and the industry morewidely. This is because some incidents,while rare, are potentially disastrous. For example, underground ignition ofmethane by lightning is rare but it isforeseeable and potentially disastrous.

Materiality criteria Materiality criteria define the threshold that a risk must exceed before beingconsidered a material risk. The perceivedlikelihood of an event by any one individualmight be inaccurate, especially for low-probability/high-consequence events. It is recommended that materiality shouldbe defined based on consequences, such as the maximum foreseeable loss.

Examples of MUEsThe following table is a list of typicalmining- and metals-related MUEs based on historical analysis.

Key actions

• Understand major hazards and identify potential MUEs.

• Apply selection criteria to MUEs with a focus on the consequences.

• Identify design opportunities to address the hazard, reducing the potential consequences and eliminating the MUE from the CCM process.

• Describe the identified MUE, including the relevent hazard, mechanism of release and nature of the consequences.

Target outcome

Identify the MUEs that need to be managed.


3Identify controls









Table 2: Typical mining- and metals-relatedMUEs based on historical analysis

MINING AND METALS MUEs

Aviation

Underground ground control

Underground fire/explosion

Heavy mining equipment

Dropped objects

Pressurized systems

Confined spaces

Inrush/inundation

Explosives

Highwall stability

Flammable gas

Light vehicles

Work at height

Electricity

Hazardous materials


CRITICAL CONTROL MANAGEMENTSTEP 3: Identify controls

The purpose of Step 3 is to identify all the controls – both existing ones andpotential new ones – before identifyingwhich of the controls are the criticalcontrols in Step 4.

Identify controlsIn most cases, controls will already existas a result of previous risk-assessmentwork, experience within the company orindustry from incidents, or as a result oflegislation and associated guidance. Thisstage recommends that each identifiedMUE should be reviewed to check that theappropriate controls have been identified.

What is a control?Deciding on what is or is not a control is a key step. The following guidance isavailable:

• the definitions at the start of this document

• the control identification decision tree (see Figure 2)

• example of a critical control systemgiven in Step 5 (see Table 3).

Key actions

• Identify the controls.

• Prepare a bowtie diagram.

• Assess the adequacy of the bowtie and the controls.

Target outcome

Identify controls for MUEs, both existing controls and possible new controls. Prepare a bowtie diagram.

Figure 2: Control identification decision tree

Source: Adapted from Hassall, M, Joy, J, Doran, Cand Punch, M (2015).

NO

NO

NO

YES

NOT ACONTROL

A CONTROL

Is performancespecified, observable,

measurable andauditable?

Does it prevent or mitigate an

unwanted event?

Is it a human act,object or system?

YES

YES


3Identify controls










CRITICAL CONTROL MANAGEMENTSTEP 3: Identify controls continued

Too many controlsExperience from other industriessuggests that it is possible to identifya large number of plans, processesand tools that can be inappropriatelyclassified as controls. This leads tounnecessarily complex bowties that dilute the attention needed toeffectively implement those controlsthat can have a direct impact onpreventing and/or mitigating an MUE.Some examples of inappropriatecontrols are:

• management plans

• risk-assessment techniques such as Step Back 5 x 5

• behaviour-based safety tools.

All of the above are important parts of health and safety managementsystems but are not specific topreventing or mitigating an MUE.Management plans might describecontrols, risk-assessment techniquesmight lead to controls being identifiedand behaviour-based safety toolsmight tell us something about howcontrols are working or not working.However, they are not controlsthemselves as defined by thisguidance document.

This guidance document mightdemonstrate that many activities,previously thought to be controls, donot fit the definition or the purpose.For example, previously mentionedprocedures, rules and expectedpractices are not controls. Similarly,training, supervision, maintenanceand other plans are not controls.

What is a good control?Good controls meet the definitionsgiven in this document and meet thecriteria in the control identificationdecision tree in Figure 2. In addition,they have the followingcharacteristics:

• they are specific to preventing an MUE or minimizing its consequences

• the performance required of the control can be specified

• their performance can be verified.

Further guidance on controlsAdditional information and guidanceon controls can be found in Annex B.

Prepare a bowtieProprietary tools are available, butbowties can also be drawn by hand (eg on a whiteboard) or developed withstandard office productivity software.

There is no one right way to develop a bowtie (see as an example in Figure 3). However, this is a criticalstage and the bowtie should beprepared by careful reference to thedefinitions at the start of thisdocument and the additional guidancegiven on controls in Annex B.

It is usual to start with the MUE byasking:

• What are the possible causes that could lead to the MUE?

• What controls are in place (or could be put in place) to prevent the cause leading to the MUE?

• What are the maximum foreseeable consequences of the MUE? (It is usual at this stage to assume there are no controls in place, which is sometimes referred to as low-risk.)

• What controls are in place or could be introduced to reduce the possibility of the consequences occurring?

Assess the adequacy of the bowtieand the controlsOnce the bowtie is developed, itshould be reviewed:

• to confirm that the controls are appropriate and relevant for each cause and/or consequence

• against the hierarchy of control – is there overdependence on people-type controls compared with engineering controls, which are higher up the hierarchy of control?

Figure 3: Bowtie diagram indicating preventative and mitigating controls

Unwanted event

Hazard

Control

Control

Control

Control

Consequence

Consequence

Cause

Cause

PREVENTATIVE MITIGATING

CRITICAL CONTROL MANAGEMENTSTEP 4: Select the critical controls

What is a critical control?The starting point for this step is the bowties developed in Step 3. The controls identified on the bowtieshould be assessed to determine ifthey are critical controls.

The following questions can help todetermine if a control is critical:

• Is the control crucial to preventing the event or minimizing the consequences of the event?

• Is it the only control, or is it backed up by another control in the event the first fails?

• Would its absence or failure significantly increase the risk despite the existence of the other controls?

• Does it address multiple causes or of mitigate multiple consequences the MUE? (In other words, if it appears in a number of places on the bowtie or on a number of bowties, this may indicate that it is critical.)

Critical control decision treeThe decision tree in Figure 4 providedby an ICMM member may also helpdetermine if a control is critical.

Note that the decision tree indicatesthat selecting a critical control may bean iterative process and could involvereviewing several aspects of a controlbefore deciding whether it meets thecriteria for a critical control.

Key actions

• When identifying critical controls, apply the critical control definition and guidance in this section.

• Consider the performance requirements of the potential critical controls and how they could be verified.

• The final set of critical controls for an MUE should represent the critical few that, when managed using CCM, can effectively manage the MUE risk.

Target outcome

Identify the critical controls for the MUE.



3Identify controls










CRITICAL CONTROL MANAGEMENTSTEP 4: Select the critical controls continued

Figure 4: BHP Billiton critical control decision tree

Source: Adapted from BHP Billiton.

Does control prevent, detect or

mitigate a materialrisk?

Does control prevent event

initiation?

Does control prevent or detectevent escalation?

Is control effective for multiple

risks?

Is controlindependent?

Is control the only barrier?YES

NONO

NO

YES

NO

NO

Not a critical control

Identified control

Critical control

YES

YES

YES

YES

NO

CRITICAL CONTROL MANAGEMENTSTEP 5: Define performance and reporting

Step 5 involves examining theobjectives, performance requirements(including current performance) andreporting mechanisms for a criticalcontrol. The following questionsshould be considered when definingeach of these points:

• What are the specific objectives of each critical control?

• What performance is required of the critical control? (This is sometimes referred to as a performance standard.)

• What activities support or enable the critical control to perform as required and specified?

• What checking is needed to verify that the critical control is meeting its required performance? How frequent is the verification needed? What type of verification is needed?

• What would initiate immediate action to shut down or change an operation or improve the performance of a critical control?

Control information summaryFor each critical control the followinginformation is needed:

• The name of the critical control

• What are the specific objectives of the critical control?

• What performance is needed from the critical control?

• What activities support the performance of the control to the standard?

• What verification activities areneeded to ensure the critical control is meeting its required performance?

An example of a critical controlsystem for a specific MUE is providedin Table 3.

Key actions

• Define objectives and performance requirements for each critical control.

• Identify current activities that affect the critical control’s performance.

• Describe activities to verify performance and reporting requirements.

• Identify what would trigger immediate action to stop or change the operation and/or impose the performance of the critical control.

Target outcome

Define the critical controls’ objectives, performance requirements and how performance is verified in practice.



3Identify controls










CRITICAL CONTROL MANAGEMENTSTEP 5: Define performance and reporting continued

Table 3: Health example (a critical control system)

1 What is the name of the critical control for diesel particulate overexposure (MUE)?Enclosed cab on mining equipment

2 What are its specific objectives related to the MUE?To restrict the access of diesel particulates into the operators’ environment to levels well below the occupational exposure limit

6 What is the target performance for critical control?100 per cent of inspection and tests either satisfactory or repair is done before truck is put back into operation

7 What is the critical control performance trigger for shutdown, critical control review or investigation?5 per cent of inspections and tests indicate cab ventilation issues that cannot be resolved or are not resolved before truck returned to service

3 What are the critical control performance requirements to meet the objectives?

Positive pressure cabin environmentmaintained to level that prevents ingress ofdiesel particulates

Pressure differentiator indicator thatalarms when pressure drops below critical level

Air intake filter operating at greater than99% efficiency

4 What are the activities within the management systems that support having the critical control able to do what is required?

Scheduled maintenance and calibration ofindicator according to manufacturer’srequirements

Pre-shift filter housing inspection fordamage

Filter inspection at planned maintenanceevery 500 hours

Filter change-out every 1,000 hours

5 What can be sampled from the set of activities for verification, providing a clear image of the critical control status?

Review maintenance and calibrationrecords

Review alarm log and corrective actiontaken

Review documented pre-start inspections

Review 500-hour inspection records

Review 1,000-hour change-out records

CRITICAL CONTROL MANAGEMENTSTEP 6: Assign accountability

To ensure the risk of an MUE is beingmanaged, the controls must beworking effectively. This requires thehealth of the controls to be monitoredthrough verification activities that areassigned to specific (or multiple)owners. This can be described in averification and reporting plan.

The verification and reporting planmust include:

• an MUE owner (this should be a senior line manager responsible for the operation)

• a critical control owner, who should be a line manager responsible for operations (they are responsible for monitoring the health of the critical controls through review of verification activity reports)

• a verification activity owner, responsible for undertaking and reporting the verification activity outcome

• a communication plan among all owners (see as an example Figure 5)

• a description of verification activities

• an owner for the review of verification reports at a senior line management level.

An example of a verification andreporting plan for a health MUE ispresented in Table 4.

Key actions

• Assign owners for MUEs, critical controls and verification activities.

• Describe reporting plan for the health of critical controls.

• Assign owner for review of reports.

Target outcome

A list of the owners for each MUE, critical control and verification activity. A verification and reporting plan is required to verify and reporton the health of each control.



3Identify controls










CRITICAL CONTROL MANAGEMENTSTEP 6: Assign accountability continued

Figure 5: A sample CCM management framework

Table 4: Example of a critical control verification and reporting plan for an MUE

MATERIAL UNWANTED EVENT (MUE)Diesel particulate overexposure

MUE ownerUnderground mine manager

Role of MUE owner: • Review reports monthly* from

relevant critical control owners.

• Decide on required action.

CRITICAL CONTROLPositive pressure cabin environmentmaintained

Critical control owner Underground mine maintenancesuperintendent

Role of critical control owner:• Review verification activity reports

weekly*.

• Report summary to the MUE owner.

VERIFICATION ACTIVITYReview maintenance and calibrationrecords

Verification activity owner Maintenance supervisor who overseesthe relevant equipment/task

Role of verification activity owner: • Gather and review information-based

verification activity requirements and compare to expectations.

• Initiate actions.

• Submit weekly* verification summary report to the critical control owner.

Note: * this is an example timeline only.

DEF

INED

EXP

ECTA

TIO

N

VER

IFY

AN

DR

EPO

RT

MUE OWNER ACCOUNTABILITY

Critical Control 1 owner accountability

VerificationActivity 1

owner


owner


owner


owner

Critical Control 2 owner accountability

Critical control 1 Critical control 2

CRITICAL CONTROL MANAGEMENTSTEP 7: Site-specific implementation

Steps 1 to 6 may have taken place at thecorporate or business unit level in acompany that has similar sites and thereforecommon MUEs. Step 7 requires that theprevious steps be reviewed to ensure theyare appropriate and applicable to each site.

Figure 6 describes the process required todevelop a site specific MUE control strategyand subsequent implementation and rollout. It involves taking the corporate orbusiness unit MUE control strategydeveloped in steps 1 to 6 and adjusting it tosuit the local context.

A site-specific approach for a MUE shouldinclude an overall MUE verification andreporting plan, subsections of which define aspecific critical control owner’s verificationplan and the individual verification activitiesfor a critical control. The site specificstrategy may need to be tested with thecorporate or business unit level beforeproceeding. Once agreed, a plan toimplement the strategy at the site will need to be developed. The plan shouldinclude leadership, accountabilities, acommunications plan, standards anddeveloping knowledge and understandingrelated to the critical controls.

The feedback loop between Steps 6 and 7, as shown in the CCM process diagramabove, indicates the iterative aspect of Step 7 where the site submits their CCMplans to the corporate or business unitbefore finalization.

Key actions

• Critical control information must be specific to a site or asset.

• Adjust the critical control definition, performance information and verification requirements as necessary to suit the local context.

• Site-specific planning for implementation may involve an iterative process.

• Site-specific planning should include establishing a foundation for CCM that includes leadership, communication and appropriate development of knowledge and understanding related to the critical controls.

Target outcome

Defined MUE verification and reporting plans, and an implementation strategy based on site-specific requirements.


Figure 6: Developing a site specific controlstrategy adjusted to suit local requirements

FILTERSite specific context

Corporate MUE control strategy

Site specific MUE control strategyIncludes adjusted: • critical control definition

• performance information• verification requirements

Site implementation and roll out Leadership Knowledge Accountabilities

Communication Standards


3Identify controls










CRITICAL CONTROL MANAGEMENTSTEP 8: Verification and reporting

Step 8 puts into practice theverification of critical control statusthat was defined in Steps 5 and 6, and specified in the MUE verificationand reporting plan from Step 7.Information regarding each criticalcontrol will be gathered on behalf ofthe critical control owner who willreport to the MUE owner at a definedfrequency. This information flowshould be designed to efficientlycommunicate variances betweenexpected and actual critical controlperformance, such as with a trafficlight reporting system.

The threshold of unacceptable criticalcontrol performance was defined inStep 5 and localized in Step 7.Performance below that thresholdshould trigger action, which mightvary from an investigation to an orderto immediately stop the relevant work processes.

Key actions

• Undertake verification activities for critical controls as described in MUE/critical control verification and reporting plan (developed in Step 5).

• Report a summary of verification activity results to the critical control owner.

• Report critical control verification status to the MUE owner.

• Reports should highlight priority information succinctly using traffic light system.

• Action initiated if critical control performance drops below the defined triggers (established in Step 5).

Target outcome

Implement verification activities and report on the process. Define and report on the status of each critical control.


3Identify controls









CRITICAL CONTROL MANAGEMENTSTEP 9: Response to inadequate critical control performance

The low performance or failure ofcritical controls must be investigatedand understood in order tocontinuously improve the CCMprocess. The absence of accidents orincidents must not be taken asevidence that controls are workingadequately. Where there is more thanone control, a control may fail withoutany incident occurring because ofredundancy in the controls. As aresult, the verification process isimportant to detect controls that arenot performing according to thespecified requirements.

Where the failure of a critical controlis detected following an incident, thiscould be:

• a hazard or at-risk situation (usually associated with a human action/error)

• a failure of the critical control

• an event that resulted in serious harm or had the potential to cause serious harm.

It may be necessary to review thecurrent site incident investigationmethods to ensure that theinvestigation process includesidentification of relevant criticalcontrols, understanding of their statusat the time of the event and thecausation related to the critical controlfailure. Many common accidentinvestigation methods may need to bemodified for the CCM investigation.

The critical control failure may alsotrigger a review of the critical controldesign related to its previouslydocumented objectives andperformance requirements.

Following is a sample set of questionsfor reviewing the critical controldesign, selection and managementafter an incident, adapted from BHPBilliton information.

Key actions

• Take action when critical control performance is inadequate (below the defined trigger threshold).

• Investigate the causes of unacceptable critical control performance.

• Information and data from the investigation should be used tocontinuously improve the CCM.

Target outcome

Critical control and MUE owners are aware of critical control performance.If critical controls are underperforming or following an incident,investigate and take action to improve performance or remove criticalstatus from controls.



3Identify controls










CRITICAL CONTROL MANAGEMENTSTEP 9: Response to inadequate critical control performance continued

For the inadequate performance of thecritical control in an incident:

• What critical controls failed?

• How did the critical control fail or perform inadequately?

• What were the causes of the failure or inadequate performance of the critical control? In order to determine the cause it can be helpful to ask the “5 Whys”.

Based on the answers to the lastquestion, the following sample criticalcontrol questions might also behelpful:

• Was the critical control designed to operate in the incident situation?

• Was the description of the critical control performance requirements adequate?

• Did the defined critical control performance requirements include the management activities that are required to ensure its function in the circumstances of the incident?

• Did the owners and operators of the critical control understand its objective, design and operation (ie are they suitably trained and/or experienced)?

• Was the appropriate critical control documentation available to all relevant control operators?

• Did the verification activities check the status of the control in a manner that could have avoided the incident?

• Did the verification reporting system communicate critical control status prior to the incident to initiaterequired action and to prevent the incident?

The investigation of critical controlfailures and a subsequent criticalcontrol review process shouldestablish required improvements orchanges related to the critical control,including modification of performancerequirements and the verificationactivities, or even replacement of thecritical control with another control.

As such, critical control failureinvestigation and review providesimportant lessons learned forcontinuous improvement of the CCM – hence, its circular design.

Note that investigation might alsosuggest a review of the MUE or theaddition of a new MUE, requiring areturn to Step 2.

Imag

eco

urte

syof

Rio

Tint

o

Buy-in from seniorexecutives is afundamentalcharacteristic of the organizationalmaturity required tosucceed with CCM.


APPENDIX AThe CCM journey model and mapping tool

The CCM summary journey model and mapping tool (see Figure A1)is intended to assist a company,business unit or site to benchmarktheir current CCM maturity.

Managers should use the summaryillustration to gain a high-levelunderstanding of the characteristicsand the indicators. It can also be usedto provide an indication of where theorganization is positioned in regard to the CCM journey.

In implementing CCM improvements,the tool provides a useful benchmarkfor managers to review progress. The implementation plan should alsoinclude information on the reviewcycle for monitoring progress.

Figure A1: Summary illustration of the CCM journey model and mapping tool

Leadership mindsets

Individual mindsets

Finding the highestrisk unwanted events

Analyzing controlsand identifying themost critical

Defining requiredcontrol performance

Embedding andmanaging controls

Improving controls

Compliance

Limited appreciationfor the control focus

Basic historical orproactive methods for priority unwanted events

Controls noted to re-rank risk but nosignificant controldiscussion

No discussion ofrequired controlperformance

Limited, if any,embedding andmonitoring of controls

Sporadic actionsrelated to controls,close out limited

Compliance butsupport health and safetyrecommendations

Limited appreciationfor the critical controlfocus

Systematic historicalor proactive methodsfor priority unwantedevents

BTA applied todiscuss controls andtheir effectiveness

No performancerequirements defined

Some informal orsporadic monitoringof controls

Improved actionmanagement but not well linked tocontrols

Seeing value andappreciating the focus

Engaged in theprocess and somecritical controlunderstanding

Effective historical or proactive methodsfor MUEs

Critical controlsidentified using BTAand effectiveness

Control informationdefined, includingaccountability

Some monitoring isdefined and done forcritical controls

Deviations fromcritical controlmonitoring generateactions

CCM is driven by line leaders

Critical controls arean accepted focus

Proactive and lessons learnedprocesses arecombined to identifyMUEs

Critical controls are identified withobjectives andperformancerequirements

Critical controlperformancerequirements defined and theverification process

All critical controlsare systematicallyembedded andverified and status is reported

Any deviations fromthe CCM planningexpectations areinvestigated andactioned

CCM is an accepted,important part of the work process

Work methods andCCM are the same

Proactive and lessonslearned processesidentify MUEs

Identified criticalcontrols includeinformation for workprocess integration

Integrated criticalcontrol information is in work processrequirements

Verifying the workprocess includescritical controls

Acting on deviations in work processincludes criticalcontrol needs

LIMITED CONTROLFOCUS

CONTROL FOCUS CRITICALCONTROL FOCUS

CCM PLANNING WORK PROCESSCCM

GENERALCHARACTERISTICS


APPENDIX BGuidance on critical controls

Method to assess control adequacyFigure B1 shows a sample controladequacy analysis method developedby an ICMM member. This exampleincludes three control schemes:people based, system based andengineering based.

The illustration shows seven levels of event severity where Level 7 is thehighest. It also suggests that the mosteffective controls for the highest-severity levels are engineering based(or objects), that is Control Level 4, 5and 6. Note that control levels equateto levels of reliability.This frameworkcan assist with discussion on theadequacy of controls for severeconsequences or an MUE.

Following is an overview of the supportinformation for Figure B1.

People-based controlsThese rely on the skills, knowledgeand experience of individuals orgroups. Control actions (or acts) areinitiated by individuals based on theirskills, knowledge and experience andon their interpretation of theorganization’s values and objectives.Given the reliance on people, thereliability of people-based controlsmay vary over time. People-basedcontrols (or acts) have three levels ofadequacy based on considerationssuch as degree to which peopleunderstand the roles andresponsibilities, how skilled andtrained they are and the overall level of process discipline. Note that eventhe highest-level control, a Level 3, is not seen to be adequate for high-severity consequences or MUEs.

System-based controlsThese are executed by individualswithin the bounds of a managementsystem. Execution is based on aprescribed approach either as acommon practice or as a definedprocedure and in some instances,input from people is governed bysystem-set rules and protocols.Control reliability is achieved throughthe system surrounding the control,including management review andfollow-up. Systems-based controlspotentially range in adequacy fromLevel 1 to Level 5, where Level 5 is

suitable for an MUE. A Level 5 system-based control has a documentedprocedure including document control,there are system-set rules andprotocols (access, authority levels,expected control range), operators aretrained in the procedure includingperiodic assessment, control outcomeperformance is clearly defined andverified (similar to the suggested CCM approach) and the system designis covered by a rigorous changemanagement process.

Engineering-based controls (or objects)These execute automatically and do not require human intervention.Engineering-based controls mayinclude both hardware and automatedIT-based controls. Engineering controlsare designed to achieve a specificrepeatable level of control to a set levelof availability. Reliability of engineeringcontrols is achieved through themanagement system surrounding theongoing review and improvement ofthe controls performance. Engineeringcontrols can achieve the highest levelof adequacy ranging from 4 to 6.Levels 5 and 6 are suitable for MUEs.These controls are designed andimplemented to specific performancecriteria (availability and reliability), aremanaged as part of a preventativemaintenance system, have a system-generated alarm/notification in theevent of control failure and havemanagement follow-up of systemdeficiencies, and there is a rigorousmanagement of change.

This method can be used to establish a control level for an individual controlby assigning the relevant adequacyrating (green, yellow or red) based onconsideration of the control level andpotential consequence. The methodcan be repeated for all controls in theMUE bowtie analysis (BTA). Also, thegraphic BTA can be modified to showthe relevant colour for each control.

Once every control in the BTA iscategorized red, yellow or green, theBTA can be evaluated to consider theoverall risk-control strategy. As aguide, tolerable risks will have at least one green control per cause.As a result of applying this controladequacy analysis method to an MUEBTA, there should be an opportunity to:

• confirm that the overall MUE control strategy is adequate and the risk is tolerable, or

• identify causes for which control enhancements are required.

Successful definition of a well-derivedBTA for the selected MUE, whichincludes agreement that the overallcontrol strategy is adequate, willprovide the basis for critical controlselection in Step 4. An example of aBTA is provided in Figure B2.

Other analysis methods for examiningcontrol design adequacy or overallcontrol effectiveness are available in Hassall, M, Joy, J, Doran, C andPunch, M (2015).

Figure B1: Example control adequacy analysis method

Sources: BHP Billiton and MMG.

Control design likely to be appropriateControl design may require enhancementControl design likely to require enhancement

ResponsetypeCONTROL LEVEL

6

5

4

3

2

1

People based

Systembased

Engineeringbased

Response by CONTROL SCHEME

Min

imum

reco

mm

ende

dco

ntro

llev

el

Potential risk severity

1 2 3 4 5 6 7

6

5

4

3

2

1


APPENDIX BGuidance on critical controls continued

CO

NSE

QU

ENC

ESTH

REA

TS/C

AU

SES

CO

NTR

OLS

CO

NTR

OLS

Figure B2: Health BTA example

Pur

chas

edas

per

Tier

3or

4po

licy

Bio

dies

elfu

elus

ed

Low

sulp

hur

dies

elus

ed(1

0ppm

)

Low

ash

oils

used

Clo

sed

cran

kcas

eve

ntila

tion

desi

gnFi

lter

edop

encr

ank c

ase

vent

ilatio

nde

sign

Clo

sed

cran

kcas

eve

ntila

tion

desi

gnFi

lter

edop

encr

ank c

ase

vent

ilatio

nde

sign

Full-

flow

dies

elpa

rtic

ulat

efil

ter

used

Par

tial-

flow

dies

elpa

rtic

ulat

efil

t er

used

Die

selo

xida

tion

cata

lytic

filte

rus

ed

Filt

ratio

nsy

stem

with

disp

osab

lefil

ter

elem

ents

used

Lim

iting

the

num

ber

ofve

hicl

esin

anar

ea

Roa

dsm

aint

aine

dto

min

imiz

een

gine

load

“No

idlin

gpo

licy”

follo

wed

Equi

pmen

top

erat

edco

rrec

tlyfo

rem

issi

onm

inim

izat

ion

Fuel

addi

tives

used

Die

selv

ehic

lem

aint

aine

dto

plan

Pos

t-se

rvic

eta

il-ga

sm

easu

rem

ents

take

nan

dre

view

ed

Pre

-shi

ftta

il-ga

sm

easu

rem

ents

take

nan

dre

view

ed

Synt

hetic

fuel

sus

ed

Engi

nere

plac

edas

per

plan

Exce

ssiv

eex

posu

reto

dies

elpa

rtic

ulat

em

atte

ran

dga

ses

Old

engi

nete

chno

logy

Fuel

and

lubr

icat

ing

oil

com

posi

tion

Cra

nkca

seem

issi

ons

No

exha

ust

afte

r-tr

eatm

ent

Poo

ror

inad

equa

tem

aint

enan

cepr

actic

es

Ope

ratin

gco

nditi

ons

Inap

prop

riat

eve

hicl

eop

erat

ion

Exce

ssiv

edi

esel

part

icul

ate

mat

ter

and

gase

sac

cum

ulat

ion

inth

ew

orkp

lace

atm

osph

ere

Exce

ssiv

edi

esel

part

icul

ate

mat

ter

and

gase

sac

cum

ulat

ion

atth

eop

erat

orpo

sitio

n

Per

sona

lexp

osur

eto

dies

elpa

rtic

ulat

em

atte

ran

dga

ses

Ill-h

ealt

hef

fect

sfr

omex

cess

ive

expo

sure

1

Spot

vent

ilatio

nsy

stem

Dilu

tion

byve

ntila

tion

syst

em

Med

ical

surv

eilla

nce

prog

ram

Occ

upat

iona

lhy

gien

epr

ogra

m

Ope

rato

ren

clos

edin

envi

ronm

enta

lca

bin

Res

pira

tory

prot

ectiv

eeq

uipm

entu

sed

Una

ccep

tabl

edi

esel

engi

neem

issi

ons

into

wor

kpla

ceat

mos

pher

e

1O

ccup

atio

nalh

ygie

nem

onito

ring

and

med

ical

surv

eilla

nce

are

used

tom

onito

rth

eef

fect

iven

ess

ofco

ntro

lson

the

“lef

than

d”si

deof

the

unw

ante

dev

entb

utar

eal

sore

gard

edas

cont

rols

ifus

edto

redu

ceth

ese

veri

tyof

the

cons

eque

nce

onth

e“r

ight

hand

”si

de.

100

90

80

70

60

50

40

30

20

10

0


APPENDIX CCCM lead and lag indicators

Like other major initiatives, there aretwo measurement requirements forCCM:

• the impact of the CCM initiative on the problem it is intended to address

• the degree to which the initiative is functioning as expected.

Indicators for measuring the impact of the CCM initiative can be leadand/or lag.

Lag indicators are a common measureof occupational health and safety,though there is recognition of theirlimitations as a sole measure. CCMtargets MUEs. Therefore, the lagindicator could be the frequency ofthose major events and, possibly, theresultant consequences. Of course,MUEs are rare and, as such, weakmeasures.

A more effective lag indicator may be found in the frequency of high-potential incidents related to theMUEs. These specific high-potentialincidents can be captured, comparedto pre-CCM frequency and tracked so the numbers can be trended.

Lead indicators for CCM should beeasily found in the reports from critical control verification activities.This “dashboard” informationsummarizes the performance status of the critical control versus definedexpectations. For example, well-defined and executed verificationactivities could yield information suchas critical control performancepercentages.

As an example, Figure C1 shows basicannual lag and lead indicators for twocritical controls related to a singleMUE. The lead indicators for the twocritical controls are tracking upward,indicating increasing performance ofthe critical controls. The lag indicator,high-potential incidents, is trackingdownward. Assuming that the high-potential incident reporting culture hasnot changed, this probably indicatesimprovement too.

Figure C1: Lag and lead indicators for an MUE

Critical Control 1 statusfrom verification

Target performance for Critical Control 1

Target performance for Critical Control 2

2014 2015 2016 2017

Critical Control 2 statusfrom verification

High-potential incidents re critical controls and MUE

APPENDIX CCCM lead and lag indicators continued

The UK HSE suggests that both lagand lead indicators should be used for MUE risk management. The illustration below is from theirguide, Developing process safetyindicators (Health and Safety Executive(HSE) 2006). Their focus is the “riskcontrol system”, which we canconsider synonymous with our CCMsystem – the result of applying theCCM process in this document.

Like the UK HSE, this documentrecommends that both lag and leadindicators be established to measurethe CCM system.

These measures can also be usedto define key performance indicators

at various levels of the organization. The CCM process defines verificationand reporting activities. For additionalinformation relating to the importanceof developing key performanceindicators, please refer to InternationalAssociation of Oil & Gas Producers(2011).

This ICMM document alsorecommends regular review of theentire CCM process and system inorder to identify the degree to whichthe initiative is being implemented andoperated to expectations. An annualreview of the CCM initiative couldinvolve a gap analysis comparingactual status with the original scopeand the detailed execution of all steps in the process, including themeasurement of performance and theuse of key performance indicators.

This information can also assist withthe continuous improvement of theCCM process.

Additional information on leadingindicators can also be found in theICMM publication Overview of leadingindicators for occupational health andsafety in mining (ICMM 2012).


Figure C2: UK HSE illustration of “Dual assurance – leading and lagging indicators measuring performance of each critical risk control system”

Source: Health and Safety Executive (HSE) 2006.

Use the information from indicators to:

RISK CONTROL SYSTEM (RCS)

Follow up adverse findingsto rectify faults in the safety

management system

ACTIVE MONITORING

Leading indicator:Process or input indicators

Processes or inputs are the important actions or activities

within the RCS that arenecessary to deliver the desired

safety outcome

REACTIVE MONITORING

Lagging indicator:Outcome indicator

An outcome is the desired safety condition that the RCS

is designed to deliver

Regularly review performanceagainst all indicators to check

effectiveness of safety managementsystem and suitability indicators

APPENDIX DReferences


Hassall, M, Joy, J, Doran, C and Punch, M (2015). Methods for selection and optimisation of criticalcontrols. ACARP report no C23007. Available at www.acarp.com.au/reports.aspx (March 2015).

Health and Safety Executive (HSE) (2006).Developing process safety indicators: a step-by-stepguide for chemical and major hazard industries. HSG254. Available at www.hse.gov.uk/pubns/priced/hsg254.pdf.

ICMM (2009). Leadership matters: the elimination of fatalities.London, ICMM.

ICMM (2012).Overview of leading indicators for occupational health and safety in mining.Report. London, ICMM.

International Association of Oil & Gas Producers (2011). Process safety: recommended practice on keyperformance indicators. IOGP report no 456. Available at www.iogp.org/pubs/456.pdf.

National Offshore Petroleum Safety and EnvironmentalManagement Authority (NOPSEMA) (2012). Control measures and performance standards.Guidance note N04300-GN0271, Revision no 4. Available at www.nopsema.gov.au/assets/Guidance-notes/N-04300-GN0271-Control-Measures-and-Performance-Standards.pdf.

www.nopsema.gov.au/assets/Guidance-notes/N-04300-GN0271-Control-Measures-and-Performance-Standards.pdf�



www.iogp.org/pubs/456.pdf�

www.hse.gov.uk/pubns/priced/hsg254.pdf�

www.acarp.com.au/reports.aspx

Imag

eco

urte

syof

Rio

Tint

o

CCM is an integral partof risk management with a focus on theidentification andperformance monitoringof critical controls toprevent the realization of material risks.

ACKNOWLEDGEMENTS

This document wasprepared based on a review of ICMMmember practices. The additional inputfrom the followingpeople and companiesis gratefullyacknowledged.

Consulting team

The process outlined in the documentwas developed by Jim Joy (Jim Joy &Associates Pty Ltd), Michael Byrne(Michael Byrne & Associates Inc.) andJeff Burges (Mel and Enid ZuckermanSchool of Public Health, University ofArizona). An independent technicalreview and edit was provided by PeterWilkinson (Noetic Risk Solutions). It was edited by Stu Slayen, proof readby Richard Earthy and designed by Duo Design.

ICMM members

The development of the document wasoverseen by an ICMM working groupwith additional technical supportprovided throughout the process.ICMM is indebted to the following fortheir contributions to the research andtheir engagement on iterative draftswhich led to the final document.

Working group

Chair: Andrew Lewin (BHP Billiton)

Nerine Botes Schoeman (African Rainbow Minerals)

Cas Badenhorst (Anglo American)

Frank Fox (Anglo American)

Gareth Williams (Anglo American)

Craig Ross (Barrick)

André Fey (Hydro)

Barries Barnard (Lonmin)

Phil Stephenson (Newmont)

Additional technical support

Ian Home (Anglo American)

George Coetzee (AngloGold Ashanti)

Felipe Fuentes (Barrick)

Rob McDonald (BHP Billiton)

Tony Egan (Glencore)

Andrew McMahon (Minerals Council of Australia)

Martin Webb (MMG)

Ben Huxtable (MMG)

Anthony Deakin (Rio Tinto)

ICMM team

Hannes Struyweg and Mark Holmesled the process to develop thisdocument on behalf of the ICMMsecretariat. Communication supportwas provided by Holly Basset andLaura Pocknell.

Photographs

Front cover – copyright © Rio TintoPage 6 – copyright © Anglo AmericanPage 22 – copyright © Rio TintoPage 29 – copyright © Rio Tinto


Disclaimer

This publication contains general guidanceonly and should not be relied upon as asubstitute for appropriate technicalexpertise. While reasonable precautionshave been taken to verify the informationcontained in this publication as at the date of publication, it is being distributed without warranty of any kind, either expressor implied.

In no event shall the International Council on Mining and Metals (“ICMM”) (or itsaffiliates or contributors, reviewers oreditors to this publication) be liable fordamages or losses of any kind, howeverarising, from the use of, or reliance on this document. The responsibility for theinterpretation and use of this publication lies with the user (who should not assumethat it is error-free or that it will be suitablefor the user’s purpose) and ICMM assumesno responsibility whatsoever for errors oromissions in this publication or in othersource materials which are referenced by this publication.

The views expressed do not necessarilyrepresent the decisions or the stated policyof ICMM. This publication does not constitutea position statement or other mandatorycommitment which members of ICMM areobliged to adopt under the ICMM SustainableDevelopment Framework.

We are not responsible for, and make norepresentation on, the content or reliabilityof linked websites, and linking should not betaken as endorsement of any kind. We haveno control over the availability of linkedpages and accept no responsibility for them.

The designations employed and thepresentation of the material in thispublication do not imply the expression ofany opinion whatsoever on the part of ICMMconcerning the legal status of any country,territory, city or area or of its authorities, or concerning delimitation of its frontiers or boundaries. In addition, the mention of specific entities, individuals, sourcematerials, trade names or commercialprocesses in this publication does notconstitute endorsement by ICMM.

This disclaimer should be construed inaccordance with the laws of England.

Publication details

Published by the International Council onMining and Metals (ICMM), London, UK.

© 2015 International Council on Mining andMetals. The ICMM logo is a trade mark ofthe International Council on Mining andMetals. Registered in the United Kingdom,Australia and Japan.

Reproduction of this publication foreducational or other non-commercialpurposes is authorized without prior writtenpermission from the copyright holdersprovided the source is fully acknowledged.Reproduction of this publication for resaleor other commercial purposes is prohibitedwithout prior written permission of the copyright holders.

ISBN: 978-1-909434-13-4

Available from: ICMM, www.icmm.com, [email protected]

mailto:[email protected]

http://www.icmm.com

ICMM35/38 Portman SquareLondon W1H 6LRUnited Kingdom

Phone: +44 (0) 20 7467 5070Fax: +44 (0) 20 7467 5071Email: [email protected]

www.icmm.com

Follow us

About ICMMThe International Council on Mining and Metals is anindustry body created by leading mining and metalscompanies to catalyze strong environmental and socialperformance in the sector; and to enhance understanding ofthe benefits, costs, risks and responsibilities of mining andmetals in contemporary society. It works as a not-for-profitorganization, engaging with all parts of society andcollaborating with 21 major mining and metals companiesand 35 national mining and commodity associations thatare its members.

ICMM is governed by the CEOs of the following companies:

African Rainbow Minerals AngloGold AshantiAnglo AmericanAntofagasta MineralsArevaBarrickBHP BillitonCodelcoFreeport-McMoRan GlencoreGoldcorpGold FieldsHydroJX Nippon Mining & MetalsLonminMitsubishi MaterialsMMGNewmontRio TintoSumitomo Metal MiningTeck

https://www.youtube.com/user/ICMMvideos�

https://www.linkedin.com/company/international-council-on-mining-and-metals---icmm�

https://twitter.com/icmm_com�

http://www.icmm.com

mailto:[email protected]

health and safety critical control management · health and safety critical control management good...

Documents