End of financial year arrives. Production targets are met. Every shift gets a BBQ to celebrate. The person who adjusted the critical parameter setpoint gets a bigger bonus than everyone else. The setpoint is put back to normal. The process instability goes away. The hazard report gets closed out. There was no incident.

This is how process safety usually happens.

Sean Brady uses the sand pile model to describe the interactions between factors contributing to a major incident in complex systems, providing a detailed analysis of the Boeing 737 MAX 8 failure1. Originally proposed by the physicist Per Bak, the model considers individual grains of sand. As they are randomly dropped onto a table, sand piles start to form. These piles of sand remain stable, growing and creating a surprisingly aesthetic montage – a desired outcome. Until. Until there is one grain of sand too many or a grain of sand falls just in the wrong place. Then everything starts tumbling down, one sand pile collapsing after another. The major incident. But which grain of sand caused it? The last one? The first one? Or all of them combined? And there is no way of knowing which grain of sand is going to be the last one.

It’s similar to the Swiss Cheese model, where the slices of cheese represent our controls, and the holes in the cheese represent defects in these controls. When the holes line up, there is no longer any barrier between the cause and the consequence. However, I think the sand pile model more intuitively represents major incidents. There is no perfection required, no perfect storm needed for everything to go horribly wrong. It’s a slow, insidious action that has become part of normal operations. Then one day, the house we’ve built tumbles down.

Or, before that happens, perhaps we sort ourselves out and go back to doing what we know we should be doing. And we don’t even perceive that we were potentially on the path to a major incident. Remaining with the analogy, we clear the table of sand and stop the grains of sand from dropping on the table.

This scenario, change setpoints to increase production to meet our targets and then put it back after the end of the year, is what we discussed in our monthly hypothetical in Process Safety People. And the ending would have been familiar to most process safety practitioners working at operating sites. It is apparent that our standards are dropping, or we’re finding ways to wiggle around our procedures, rationalising that this time, just once, it won’t matter. And we start building our sand pile.

In process safety, we often think that Chicken Little’s (or Henny Penny’s depending on where you are from) “the sky is falling”2 is alarmist, and sometimes even dismiss it as a straw man fallacy. We don’t want to be like Chicken Little, running around the site telling everyone we come across that the wiggle-room we’ve allowed ourselves is going to result in a major incident. We want steady, measured, considered analysis of the true risks.

But what if the acorn that fell on Chicken Little’s head was one of our grains of sand? What about the next one, or the one after that. Or the next day, or the day after that. Will that be the one that causes everything we’ve built to tumble down?