The 9-step Critical Control Management (CCM) process was shown in the last article with a discussion about the need to establish quality Control-Based Risk Management (CBRM) for priority unwanted events (step 3) before moving to CCM. This article will continue with the CCM process, presenting a variety of approaches to selecting potential critical controls (step 4).

Defining CCM and critical control

The 2015 ICMM guide defines CCM and critical control as follows:

Critical Control Management (CCM) – a process of managing the risk of material (or priority) unwanted events that involve a systematic management approach to ensure that critical controls are in place and effective.

Critical Control – a control that is crucial to preventing the event or mitigating the consequences of the event. The absence or failure of a critical control would significantly increase the risk despite the existence of the other controls. In addition, a control that prevents more than one unwanted event or mitigates more than one consequence is normally classified as critical.

CCM suggests that the risk of priority unwanted events (PUEs) can be better managed by focusing on the ‘critical few’ controls. CCM does not suggest that it replaces CBRM but rather supplements to achieve better risk reduction outcomes.

The above definitions can be operationalized in several ways. The guide mentions that CCM planning (in step 1) should include the identification of the Objective. Experience indicates that Objectives, defined and otherwise, for a CCM initiative vary greatly, leading to very different CCM outcomes.

Selecting critical controls – Example 1

A company or site may decide to use the CCM process to select the critical workforce acts for avoiding site PUEs. Thereby, using the process to define ‘golden rules’. The Bowtie Analysis may become an illustration of controls that highlights critical acts for the workforce.

One mining company identified that 80% of its critical controls are acts. This should not be a surprise for an industry that continues, in most areas, to be people-intensive.

The example illustrates a potential CCM Objective, applying the CCM process to achieve an improvement in workforce behavior to reduce risk. However, this approach is not the intended purpose of CCM.

Selecting critical controls – Example 2

The company or site decides to select the controls for PUEs that a cross-section of site personnel and experts identify as the most crucial. The Objective is to manage these selected controls with a CCM approach, so the risk is reduced. The critical controls could be acts, objects or technological systems.

Surveys of companies involved in CCM provided insights on critical controls that align with this example.

  • “A control is critical if its failure or ineffectiveness will lead to a risk scenario being greatly elevated.”
  • “A critical control is a control that is heavily relied upon to manage a major hazard through preventing an accident or mitigating the severity of its consequences. It needs to have a high amount of demonstrated adequacy.”
  • “A critical control is a non-negotiable control. If it doesn’t exist, the business cannot operate.”

What makes a control crucial?

From above, the critical control must be ‘crucial’. What makes a control crucial? The illustration below was supplied to ICMM for the 2015 guide by BHP to illustrate their control cruciality criteria.

The illustration supplies a series of questions that determine the cruciality of a control so it might be classified as critical. These questions can be applied to any control whether it is an act, object or technological system.

There is another aspect of critical controls that is important to successful CBRM and CCM. The control must be measurable. In other words, there must be some method to identify the effectiveness of the control. If the control’s status cannot be effectively measured against defined performance specifications, using some form of observation, checking, tracking, monitoring, auditing, etc, it cannot be a control, and especially not a critical control.

Experience indicates that cruciality and measurability must be requirements of a critical control. Another may be the degree to which the control is indicative of the overall control strategy risk. I hope this is food for thought and discussion.

Selecting critical controls – Example 3

The company or site gathers a team cross-section of site personnel and experts to review a completed Bowtie Analysis that includes the erosion factors that compromise controls and positive supporting activities for the controls. The team must decide which controls, erosion factors or supporting activities would, when measured, be the most indicative of overall PUE risk.

The Objective for example 3 is to manage the PUE risk by tracking status and changes in the expected performance of the critical indicators.

The first question is – ‘would the CCM outputs in example 2 (selecting critical controls) be different for example 3 (selecting critical indicators), considering the same PUE?’

Consider a specific object that is seen to be crucial using the approach in example 2. The pressure relief valve (PRV) on a chemical process is identified as a critical control for a vessel overpressure explosion PUE. The erosion factors are corrosion (the site is close to the ocean) and poor maintenance. The supporting activities are regular testing and recording of results. The team discusses how to reduce corrosion issues and ensure maintenance is done as required. Actions are generated to address the two erosion factors. The PRV performance and verification requirements are developed to advance the CCM process.

If the same overpressure explosion is considered with the focus on critical indicators of inadequate or changing PUE risk (as per example 3), the team might identify the anti-corrosion programme acts or the maintenance planning and execution acts, as measurable indicators of the PRV status. These two potential erosion factors may also be relevant to other objects that are controls for risk in the chemical process. As such, the performance and verification requirements for the anti-corrosion and maintenance programmes would be developed with potential implications to other threats related to the vessel explosion PUE.

If we also look at a specific act that is seen to be crucial, the difference between cruciality and indicativeness may be even more important.

An underground fall of ground may be selected as a site PUE. Review of the Bowtie for the event may identify the supervisor’s inspection of the telltales on the roof as a critical control, crucial to managing ground fall risk. The inspection is an act.

The ‘cruciality” team (example 2) might then begin discussions about performance requirements for the act, as well as verification mechanisms. Verification of acts using observation data usually presents challenges. (Note: more on this part of the CCM process in future articles)

The ‘indicativeness’ team (example 3) may identify erosion factors for the inspection of telltales such as supervisor workload causing time pressure or an inadequate reporting method for telltale data. Thereby choosing workload management and the application of a new reporting method as critical indicators.

Can a control be crucial but not indicative? Can a control be indicative but not crucial? Can something other than a control, such as an erosion factor or supporting activity, indicate the risk?

The answer is probably that the PUE risk is a combination of effectiveness measures that may be controls, erosion factors or supporting activities.

The 3 questions that should be part of a critical control selection process

The three questions that should be asked as part of the critical control selection process should be, in addition to questions included in the BHP example above:

Is the control, erosion factor resolution or supporting activity:

  • Crucial? (The absence or failure of which would significantly increase the risk despite the existence of the other controls)
  • Measurable in a manner that indicates effectiveness?
  • Indicative of the overall PUE risk?

Identifying measurable erosion factors or supporting activities for a crucial control, or individual critical control indicativeness, may be relatively easy.

Overall PUE Critical Indicativeness would require a broader look at the PUE control strategy. Once potential individual critical indicators are identified, the completed Bowtie could be considered by firstly examining the control set for each threat and considering the impact or dependence of the control indicators on the sets. High interdependence may suggest high indicativeness. High reliance on a single control for a threat would also indicate high indicativeness. This process would then be repeated for each significant threat and consequence set of the PUE Bowtie.

This approach may also help identify common critical indicators, therefore making that indicator even more powerful as a PUE risk measure.

From ICMM, the absence or failure of a critical control would significantly increase the risk despite the existence of the other controls. Therefore, if critical controls and/or their critical indicators can be effectively measured, and they are indicative of the overall control strategy for a PUE, they may be a relatively accurate measure of risk for the PUE.

Ideally, this approach goes well beyond simply asking the question; ‘If these few critical controls were the only measures of acceptable PUE risk, would I, as site manager, be comfortable?’

The next article will build on the CCM process by discussing critical control performance requirements and verification methods with an expanded focus on acts as critical controls.