Thursday, January 31, 2013

Cyber War, Safety, and OSHA


There is a new hazard that companies need to be aware of: Workplace Industrial Cyber Safety Hazards.

Hazard Alert!

There's a war going on, and it's raging here at home; not in the streets or the fields, but on the Internet. You can think of it as a war on the digital homeland. If you work for a power company, bank, defense contractor, transportation provider, or other critical infrastructure type of operation, your organization might be in the direct line of fire. And everyone can become collateral damage.

The Responsibility of Safety Professionals

So what responsibility do we as Safety Professionals have, and what responsibility do our companies (as employers) have, to address cyber industrial safety hazards in the workplace? Today computer malware goes beyond identity theft. It attacks the PLCs (Programmable Logic Controllers) that control the automation of industrial processes; for instance, to control machinery.

Cyber attacks evolve from espionage attacks that steal intellectual property or monitor communications to disruptive or destructive attacks. Destructive and disruptive cyber attacks are relatively uncharted and troubling territory. A computer virus can start a machine and prevent it from being shut down. Stuxnet is a computer worm: a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges.


The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control (Stuxnet). Another seems right out of the movies: The computer program (Flame) secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.


"What if the machinery in your facility started up unexpectedly, started spinning wildly out of control, and refused to shut down? That is the new reality today. Are you prepared for it?"


In the past six months, there have been foreign attacks on oil and gas companies in the Middle East and on U.S. banks, including Bank of America, PNC Bank, Wells Fargo, Citigroup, HSBC, and SunTrust. How will we react if the next attack is against the electric grid, or our food and water supply?

Policies such as the 2012 Securities and Exchange Commission's Guidance on Cyber Disclosure now require many Fortune 500 companies to report any type of meaningful cyber threats in their organizations.

OSHA, LOTO, and the General Duty Clause

OSHA requires employers to provide a safe and healthful workplace that is free from serious recognized hazards. LOTO (Lockout/Tagout) requires machinery to be shut down and not be able to be restarted, cycled, or energized. Workplace Industrial Cyber Safety Hazards are a trigger here, requiring employers to address them.

Malware

Both Flame and Stuxnet are considered malware. Malware, short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. Malware is a general term used to refer to a variety of forms of hostile or intrusive software.

Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs and other malicious programs.

Flame

Flame secretly mapped, recorded, and monitored Iran’s computer networks, sending back a steady stream of intelligence to prepare for a cyberwarfare campaign.

Stuxnet

Stuxnet infects Windows systems in its search for industrial control systems. These systems, often generically (but incorrectly) known as SCADA systems, are used to control and watch industrial processes. Industrial control systems consist of PLCs (Programmable Logic Controllers), which can be thought of as mini-computers that can be programmed from a Windows system.

These PLCs contain special code that controls the automation of industrial processes; for instance, to control machinery in a plant or a factory such as those used in pipelines or nuclear power plants. Stuxnet can enter a computer system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product and indicate to the operator and your antivirus software that everything is functioning as expected.

Stuxnet is the first-ever computer worm to include a PLC (Programmable Logic Controller) rootkit to hide itself and target critical industrial infrastructure. Successful exploitation of this vulnerability results in the injection of a backdoor, as well as the installation of two rootkits that will hide both the .lnk files and the accompanying .tmp files.

Origins of Flame and Stuxnet

The United States and Israel jointly developed sophisticated computer viruses named Flame and Stuxnet. Flame collected intelligence in preparation for cyber-sabotage (Stuxnet) aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.

The effort, involving the National Security Agency, the CIA and Israel’s military, has included the use of destructive software such as the Stuxnet virus to cause malfunctions in Iran’s nuclear-enrichment equipment.

U.S. Attorney General Eric Holder announced a criminal probe last June (2012), shortly after a lengthy article by The New York Times' chief Washington correspondent, David Sanger, reported that anonymous, high-level sources in the Obama administration had told him that the U.S. and Israeli governments had used the Stuxnet worm to attack centrifuges at Iran's Natanz nuclear plant.

The Fix

Many security vendors have released Stuxnet removal tools, and Microsoft has released a Stuxnet Fix-It tool as well. There is a Microsoft Fix-It solution, a solution called the G Data LNK Checker to block malicious LNK files, and a Stuxnet Rootkit Remover to clean infected computers of common Stuxnet variants.

BitDefender has also released a free Stuxnet (Win32.Worm.Stuxnet) removal tool. This tool is capable of removing all known variants of Win32.Worm.Stuxnet, as well as the rootkit drivers that are used to hide critical components of the worm. The tool can be run on both 32-bit and 64-bit Windows operating system installations and will eliminate both the rootkit drivers and the worm.


Consequences of Cyber War

Until the conflicts are resolved, almost everyone becomes a victim of unintended consequences during war, even cyber war. Cyber war may be digital, but it is still a form of war.

TRIA

The Terrorism Risk Insurance Act (TRIA) is a US federal law signed into law by President George W. Bush on November 26, 2002. The Act created a federal "backstop" for insurance claims related to acts of terrorism, mainly 9/11. The Act is intended as a temporary measure to allow time for the insurance industry to develop their own solutions and products to insure against acts of terrorism. The Act was set to expire December 31, 2005, but was extended to Dec. 31, 2014.

TRIA created a U.S. government reinsurance facility to provide reinsurance coverage to insurance companies following a declared terrorism event. TRIA is a short-term measure designed to help the insurance market recover from 9/11 and develop solutions to insuring terrorism.

Terrorism is not War.

War: An organized, armed, and often a prolonged conflict that is carried on between states, nations, or other parties usually over territory or resources. War can also be the liberation of a nation.

Terrorism: The French word terrorisme in turn derives from the Latin verb terreō meaning “I frighten.” Although “terrorism” originally referred to acts committed by a government, currently it usually refers to the killing of innocent people by a non-government group in such a way as to create a media spectacle.

War usually has rules of conflict, such as the treatment of prisoners. Terrorism does not follow the same rules, and often targets civilians to put fear into the populace.
Most insurance policies include an "Act of War Exclusion." This can leave an employer vulnerable to (injury) claims as a result of a cyber attack.

Realistically....

It may take 5 to 10 years before we hear of a fatality caused by a machine with an infected PLC. Until then we will not hear about the machines refusing to shut down and "burning out" or "flying apart." We will not hear about the minor injuries from these events either. The employers may not even realize that their machines have been infected by a computer virus. They may simply say these were machine failures.

Overshadowed by Terrorism


There are warnings to power plants, pipelines, utilities, etc. for this, but they are for terrorism, not worker safety. Yes, there is a danger to the public from these kinds of companies, but there is an even bigger danger from companies that are not considered terrorist targets. The danger is from being unaware that these computer viruses can affect their machinery.

These companies that make soda cans, plastic food containers, and key chains are not aware that one of these viruses that is aimed at a gas pipeline can find its way into their machinery and injure a worker. They may not even know it after the fact if they do not do a forensic investigation into the machine failure.

On the Front Line

Note: I am going to simplify the issue of Nuclear Automation. I realize that to a certain degree automation exists today; the proposal (and reality) is much more complicated.
I have kept my eye on this issue from my work in the nuclear industry. The rule of thumb is triple redundancy, and up until recently, there were not three (reliable) computer OSs (Operating Systems) to provide triple redundancy. With Apple's OSX now a mainstream OS, there are three (Windows, Linux, and OSX).

Now there is real talk of automation in the Nuclear Industry. It scares me personally. There is no such thing as a completely closed system, and trying to achieve it is impractical. I question how much of the push for automation is for safety and how much is a cost savings.

Final Thoughts

I wear two hats in my organization: Risk Manager and IT Manager. It is from this unique perspective that I was able to recognize this emerging threat. For years I have warned, educated, trained, and helped prepare my clients for cyber threats.

For the last 10+ years I have been working with my clients to assess and prepare for hazards related to automated control systems. I am at the point now that I feel comfortable to come forward and begin educating our profession.

This opens up a new field in safety: Workplace Industrial Cyber Safety. This provides new opportunities for safety professionals such as myself, and gives a new career and learning option for existing and upcoming safety professionals.

Employers and safety professionals need to think about and plan for escalating cyber conflicts and for disruptive and destructive attacks, not just espionage or intellectual property theft (the major focus undertaken against advanced persistent threats and hacks in recent years). After all, more countries and groups will gain the ability to launch sophisticated attacks.

What can we do as Safety Professionals?

  • As safety professionals, we need to make sure that we have mechanical energy-isolation devices that are not dependent on software or PLCs to Lockout/Tagout our equipment.
  • Anticipate, recognize, prepare, and train for hazards from automated control systems becoming infected or corrupt, such as machinery that has been shut down starting up, "run away" machinery, and machinery that is prevented from being shut down.
  • Work with stakeholders (vendors, suppliers, maintenance, management, IT) to protect against automated control system hazards (upgrading existing networks, ordering new equipment with mechanical safeguards built in).
  • Conduct (or have conducted) threat assessments based on level of cyber security and industry.
  • Review your company's need to comply with policies such as the 2012 Securities and Exchange Commission's Guidance on Cyber Disclosure.
  • If we do not have the expertise, then bring in someone who does.
  • More training.

 

Take note:

 I have searched the Internet, published works, other blogs, and this is the first and only place to recognize the risks of cyber attacks as a workplace hazard in respect to OSHA. This is the cutting edge, forward thinking that I try to provide.

Thank you for reading.

Tuesday, January 29, 2013

Condoms for PPE




I have a sense of humor. Just look at this topic. As funny as this topic seems, it also has some deeper implications. I am all for safety, and I take the protection of employees, not just mine but all employees very seriously. But more important is our Constitution. 

First and foremost, we must protect the Constitution. Without it our workplaces will resemble the (former) Soviet Gulags (forced labor camps). Safety will become a moot point. 


Do not say it can't happen here, just look at Russia, Egypt, Equatorial Guinea, and Belarus TODAY! (If you do not believe me, see: "Top 6 The Most Severe Human Rights Violations Around the World.")

I am NOT saying that these actors (workers, employees, etc.) do not deserve a safe workplace, I just do not know if this is something that can be enforced due to conflicts with the Constitution.  I also do not have a definitive answer either.

After you read the article, see my commentary at the end as to the Constitutionality of this.

Let us look at the situation as a risk manager/safety manager:

 Analysis:

OSHA (and Cal/OSHA by nature of being subject to Federal OSHA as a minimum standard) has a standard for controlling hazards.
  1. Engineering Controls: First, if feasible, remove the hazard or enclose the hazard.
  2. Administrative Controls: Next, use measures (other than Engineering Controls) aimed at reducing employee exposure to hazards.
  3. PPE: The last option.

Recommendations:

It seems that everyone is forgetting Engineering Controls and Administrative Controls.

Better testing. This can be considered both an Engineering Control (removing the hazard, i.e. the infected actor) and an Administrative Control (setting a better timetable for testing and testing with a quicker turnaround time). The system needs to be formalized and accessible so that employers (production companies) and other actors can be sure that the actors have met the requirements. (Note: I realize there are privacy concerns, and I note that, but this is a recommendation, not the final written program.)

You also have to look at the condition "if feasible." Is the consumer looking for "safe sex" porn, or do they want something raunchier? 
  
Theatrical bodily fluids. This can be considered an Engineering Control. The dirty little secret in this industry is that some production companies "enhance" scenes by using (additional) bodily fluids. Think of how cereal companies add white glue (paste) to milk in their product pictures to make them look more appetizing (See: National Geographic's Food that Fools You).

Vaccinations before the fact. This will prevent infection if an exposure occurred. The system needs to be formalized and accessible so that employers (production companies) and other actors can be sure that the actors have met the requirements. (Note: I realize there are privacy concerns, and I note that, but this is a recommendation, not the final written program.)

More education and more training. Can you really ever have enough?

You may think that examining this issue is ludicrous, but as a safety professional you may encounter situations out of the norm. Being able to analyze situations like this in a responsible and professional manner, using best practices, prepares you for the unexpected that you may encounter.

Now on to the article:

AHF: Cal/OSHA Fines Streamray Studios $28K for No Condoms, Other Safety Issues

On January 10th, OSHA officials issued multiple safety citations to Chatsworth-based Streamray Studios, Inc., which produces work for Penthouse, for failing to follow workplace safety regulations, including failure to "…ensure use of appropriate personal protective equipment, such as…condoms…" The OSHA citations came about after stepped up inspections following an outbreak of syphilis, a highly contagious but curable STD, shut down the entire adult industry for several weeks last summer. Inspections at Streamray occurred on or before October 4th and October 17th 2012.

AIDS Healthcare Foundation (AHF) has learned that Cal/OSHA (California's Department of Industrial Relations, Division of Occupational Safety and Health), the state's health and safety regulatory and watchdog organization, issued multiple workplace safety citations to Chatsworth-based adult film production company Streamray Studios Inc., including several for failing to follow workplace safety regulations, including for failure to "…ensure use of appropriate personal protective equipment, such as…condoms…"

The OSHA citations came about after stepped up inspections following an outbreak of syphilis, a highly contagious but curable STD, shut down the entire adult industry for several weeks last summer. Inspections at Streamray occurred on or before October 4th and October 17th 2012.

On January 10, 2013, officials from the High Hazard Unit of Cal/OSHA issued seven (7) citations ranging in degree from general to serious to Streamray. Three (3) of the seven dealt specifically with condom use and availability (or lack thereof) and/or safer sex practices among the adult film performers, including a citation for failure to 'write, establish, implement, and/or maintain an Injury and Illness Prevention Program (IIPP) which met the requirements of this standard for their employees who were exposed to hazards including but not limited to sexually transmitted illness in the course of producing adult videos.' The seven citations resulted in financial penalties or fines totaling $28,460, of which $14,175 of the fines were specifically issued for lack of condoms on set, lack of an Injury and Illness Prevention Program (IIPP) and Exposure Control Plan.

"Streamray now joins the ranks of a growing list of adult film producers and distributors cited by Cal/OSHA for failing to properly follow workplace safety regulations on their adult film sets with regard to condom use and other safety precautions, cited specifically under Cal/OSHA's Bloodborne Pathogens Program, Personal Protective Equipment guidelines—i.e. for failing to use condoms or other barrier protection," said Michael Weinstein, President of AIDS Healthcare Foundation. "What is particularly heartening about these Streamray citations is that OSHA issued these citations alongside other citations for far more mundane violations—breakers in an electrical panel not being properly labeled, or for a table saw that did not have the proper guards and safety devices attached. In short, OSHA has normalized and incorporated the condom and bloodborne pathogens citations as a routine part of a whole battery of potential violations that an employer or workplace could face. We thank Cal/OSHA for stepping up to enforce regulations designed to protect the workplace safety of adult film workers at Streamray and other adult film producers in California."

Background on AHF's Adult Film Worker Safety Efforts

In November 2012, Los Angeles County voters passed Ballot Measure B, the County of Los Angeles Safer Sex in the Adult Film Industry Act. Measure B is the so-called condoms in porn measure spearheaded by AIDS Healthcare Foundation (AHF) with an overwhelming margin of voter support—57% to 43%.

Earlier last year, the City Council adopted the 'City of Los Angeles Safer Sex In The Adult Film Industry Act,' which conditioned the issuance of City of Los Angeles film permits to adult film producers to condom use in the subsequent adult films shot and produced in Los Angeles. AHF had first introduced the item as a proposed City ballot measure; however, City Council—anticipating that the measure would likely have passed—voted instead, as permitted by law, to adopt that measure outright in an 11 to 1 vote.

Both the City and County measures were initially spearheaded by AHF and members of the advocacy group, FAIR ('For Adult Industry Responsibility'), after as many as 22 HIV infections believed to be industry-related were reported in several outbreaks in Los Angeles since 2004, and amidst thousands of sexually transmitted infections (STIs) occurring annually among adult performers.

About AIDS Healthcare Foundation
 
AIDS Healthcare Foundation (AHF), the largest global AIDS organization, currently provides medical care and/or services to nearly 200,000 individuals in 28 countries worldwide in the US, Africa, Latin America/Caribbean, the Asia/Pacific Region and Eastern Europe. To learn more about AHF, please visit our website: www.aidshealth.org.  



My commentary on the Constitutionality of Cal/OSHA's condom requirement:

The First Amendment to the United States Constitution is part of the Bill of Rights. The amendment prohibits the making of any law "respecting an establishment of religion", impeding the free exercise of religion, infringing on the freedom of speech, infringing on the freedom of the press, interfering with the right to peaceably assemble or prohibiting the petitioning for a governmental redress of grievances.

Pornography fits under freedom of speech and freedom of expression (which includes sexual expression).

The Supreme Court ruling in California v. Freeman in 1989 legalized pornography (with the state's definition of what pornography is).

Our 1st Amendment also states that: "federal and lower government may not apply 'prior restraint' to expression with certain exceptions such as national security and obscenity."
It has been held that the production of video, just like (painted) artwork, is a form of expression.

Prior restraint or prior censorship is censorship in which certain material may not be published or communicated at all, as opposed to measures that do not prohibit publication but make the publisher answerable for what is made known. Prior restraint prevents the censored material from being heard or distributed at all; other measures provide sanctions only after the offending material has been communicated, such as suits for slander or libel.

So if Cal/OSHA is forcing the use of any and all types of barrier protection, how is that not censoring people from being able to truly express themselves sexually?

Final Thoughts: 

This also demonstrates that "Safety" and what we do does not exist in a vacuum. It exists in the world. There are other forces that may override safe work practices. Most of these are Constitutional Rights.

Consider other rights other than the freedom of expression: ADA (Americans with Disabilities Act), and the EEOC (Equal Employment Opportunity Commission) just to name two. Would you ever not hire someone because of their gender, because they appeared to be a foreigner, or because English was a second language?

Many times I examine the extreme. If you can handle these situations that I present, you might learn something and will definitely be able to handle the "normal" day-to-day.

Just remember, for any PPE, you must wear (use) it correctly for it to work and protect you.



Employers’ OSHA 300A Forms Due Feb. 1




Employers who are required to keep Form 300, the Injury and Illness log, must post Form 300A, the Summary of Work-Related Injuries and Illnesses, in a workplace common area annually from Feb. 1 to April 30.

All covered employers must post their 2012 annual summary by Feb. 1, 2013. You can download the form from OSHA’s Injury and Illness Recordkeeping Forms Web page.

Form 300A reports an employer’s total number of deaths, missed workdays, job transfers or restrictions, and injuries and illnesses as recorded on Form 300. It also includes the number of workers and the hours they worked for the year.

Who Must Post OSHA Form 300A?

Nonexempt employers with more than 10 employees must post the form. Businesses that employ fewer than 10 workers or those that fall into an exempted category must also record injuries if they are told to by OSHA or the Department of Labor’s Bureau of Labor Statistics.

Certain low-hazard industries are exempt.

Only the summary must be posted. The log itself does not need to be displayed but must be available for inspection by employees, their representatives or OSHA investigators. Employers with multiple job sites should keep a separate log and summary for each location that’s expected to be operational for at least a year.

Posting Period

The posting period is three months, from Feb. 1 to April 30. The 300A summary must be posted at each job site in a conspicuous area where notices to employees are customarily placed. Copies of the 300A summary should be provided to any employees who may not see the posted summary because they do not regularly report to a fixed location.

If the establishment has had no recordable injuries or illnesses, a company executive still must certify the 300A summary, and the establishment must post the form, with zeros in the appropriate lines.

Reportable Injuries

Generally, only serious injuries that are the result of workplace activity are reported. Analyze the activity to determine whether the injury was actually due to work duties. Businesses are not required to report injuries resulting from activities merely incidental to work responsibilities.

A serious injury is one that results in a fatality, loss of consciousness, days away from work, a restricted work schedule or job transfer, or a significant-injury or -illness diagnosis by a health care provider, or that requires medical treatment beyond basic first aid.

Do not report incidents that require only basic first aid.

If the injury involved is of a sensitive nature, such as sexual assault, then employers should write “privacy case” in the box for the worker’s name.

OSHA has announced that in 2013 it will continue to focus on record-keeping in its National Emphasis Programs, and so employers should review the forms to ensure that all recordable incidents have been included. Companies are required to update and maintain records for five years plus the current year and provide them to OSHA investigators for inspection.

Monday, January 7, 2013

LEGOs and Training

So you ask, "What do Legos have to do with safety?"

I was having a discussion with a colleague from the Compliance and Safety Blog about a recent blog post titled "OSHA vs. Hollywood" (found here:). This is an interesting post.

I told him that I am familiar with being on production sets (this includes TV and live concerts) having done some work with the production industry (I hate to say television because we are in the era of the new media which can be radio, TV, satellite, Internet, direct to DVD, etc.).

This work was for friends as a favor, a friend I met from my time in college when I worked with a production company that catered mainly to the music industry. I was in charge of the road crew.

Note: Yes, I was a roadie. The term used by the production company was schwoog. They felt roadie had a certain connotation and the term schwoog was a more accurate description: "One who is charged with the moving, assemblance, disassemblance of the assets of, and in the service of another."

I referenced a blog post I made on a similar matter dealing with movie productions. I saw an article on this topic in a movie industry trade publication I got from my friend while consulting for him on a music video (for the web) that he was producing. The gist of the article was OSHA getting more into the movie production industry starting with the porn industry.


Take a look at my blog post: http://safetyandstaffing.blogspot.com/2010/03/cal-osh-safe-sex.html.

Cal/OSHA and porn? How could I resist writing a post about this? As you may have noticed, I take a lighter approach to safety, but my commitment to safety and the quality of training is of the highest standards. I have found over my many years 2 things:

First, that most employees that we as safety professionals deal with are blue or gray collar. They are technicians, craftsmen, tradesmen, and artisans. They work with their hands, are skilled, and take great pride in their craft. Most safety professionals are like lawyers, theologians, and engineers, quoting standards, specs, numbers; the equivalent of reading the phone book. They are also very good and take pride in what they do.

The stumbling point comes when we safety professionals try to impart our knowledge to craftsmen. We tend to speak different languages. I found that a lighthearted, humorous approach, with the majority being hands on, limited lecture, and two-way communication, is the most effective.

Note: This is a blog, so hands on is limited.

I wanted to make my point that my methods are supported by the metrics (results) that I track.

Legos


This is where Legos come in. Yes, it is true that those little guys always wear their PPE and follow OSHA and ANSI standards, but that is not my focus on Legos.



I was asked by one of my Nuclear clients to do training that focused on following instructions. (Nuclear) Human Performance relies on the use of written procedures and has tools to help follow procedures without causing error.

Note: I will have to do a post on Human Performance.

Since I do hands on training, this exercise had to be hands on. (Nuclear) Human Performance procedures are written similar to military procedures: there is no room for interpretation and no room for error if followed. The people I was training had different jobs, so I had to have an exercise that everyone could do. I could not just have them use an existing procedure and rebuild a valve.

My criteria for the exercise were as follows:

  1. Conform to (general) Human Performance standards.
  2. Conform to the site's Human Performance standards.
  3. Conform to INPO, NRC, DOE, and all other nuclear standards.
  4. Be hands on.
  5. Be generic in nature and not require any special skills (like rebuilding an engine). Not have any technical jargon.
  6. Allow them to work in teams.
  7. Allow the use of Human Performance tools that they have been trained to use.
  8. The procedures must be of the highest quality, meeting Human Performance standards or MilSpec standards. Written by engineers and allowing no room for interpretation, deviation, or error.
  9. Have a single outcome that I can inspect and grade.
  10. Meet the goals and objectives of training.
  11. Be fun and keep their attention.

I even had the Human Performance department approve my procedure (instructions) for the training exercise and the procedures (instructions) used in the training exercise.

My first thought was to have them bake a cake or build a model. Then I remembered an article that I had read about Legos. Their instructions are produced by engineers and people with PhDs. They are the best instructions I have ever seen.



I also had to build every project prior to the exercise to ensure the correct number of pieces were there. Then I took every piece apart, counted them (to ensure the "number of parts" matched what was printed on the box), put them into zip lock bags so as not to lose any pieces, and reboxed them.

In one of the groups, I kept out a piece that you could still build the model without, to see if they would "stop when unsure". I had the piece in my pocket, and they did stop and tell me a piece was missing. I pulled it out of my pocket, and they finished. I photographed the finished projects to grade, then we had a group discussion of the Human Performance tools that were used, and how this training related to their jobs and the prevention of human error.

My methods seem a bit unorthodox at first, but the underlying principles are solid, with measurable results. I was complimented for the training I did both by management and the employees.

I enjoyed Legos growing up and they have grown in popularity with many adults. I have recently regained an interest in Legos. Lego introduced a line called Mindstorm (more on Mindstorm here). Mindstorm revolves around a PLC (Programmable Logic Controller) brick that was created by MIT's (Massachusetts Institute of Technology) media lab.

Along with hobbyists, teachers in high schools and colleges are using Mindstorm to teach robotics, students are using it for projects and competitions, inventors and engineers are using it to prototype, and there are many other uses.



Here is the link to the web page showing how to build "Plotter" pictured above, which is what reignited my interest in Legos:

http://ricquin.net/lego/instructions/plotter.htm

Cheers.

Wednesday, January 2, 2013

Death of the Safety Professional

Happy New Year!



This is what's happening to professionals in business and industry today: You get technicians to do the work that used to be done by craftsmen & professionals. I just had a pair of Kenneth Cole shoes resoled: $68. Although they were $200+ shoes, I got them on clearance for $55. Cheaper to pay a sales clerk than a shoemaker. It used to be that mechanics rebuilt starters, alternators, and engines. Today it is cheaper to replace with a remanufactured part. Yes, it is cheaper to buy a remanufactured engine that is (re)built on an assembly line than to have a mechanic do it.

We are getting away from HR people, accountants, lawyers, and hiring (glorified) "secretaries" with titles as HR admin, admin assistant, payroll technician, etc. and giving them access to ADP, Legalzoom, hr.com, staffingsafety.com, etc.

You can't really blame business owners; every time they get a couple dollars in their pocket, there are a bunch of hands reaching in. Government is the biggest pickpocket of all.











There is 1 place where you still see professionals: heavily regulated industries (airline, nuclear, medical, refineries, petroleum, etc.). With the high unemployment, companies that hire professionals want to pay less and less. They are even replacing their higher paid professionals with (sometimes better qualified) unemployed professionals willing to work for much less. Companies that are hiring "technicians" many times get a better qualified professional at a technician price.


I predicted this economy over 10 years ago. What we are in is a "correction." The economy is seeking equilibrium. The pendulum wants to be in the middle, but will overshoot equilibrium and then stop and swing back the other way toward the middle (equilibrium). The bigger the something that knocks the system out of equilibrium, the bigger the correction, and the bigger the distance that it overshoots equilibrium.



I noted that in Europe gas was about $5 per gallon, unemployment was about 10%, and the countries were too heavy in debt. We were artificially keeping prices down and our employment up. Add to that a tech bubble that fueled a housing bubble (by making many business owners and investors richer), and we had money to spend. We bought everything and hired everyone.


Japan had a similar problem, they based their economy on the premise that the market was infinitely expanding. The market has a limitation: the Earth. As a result, Japan saw things they never had before: unemployment, obesity, the homeless, and nursing homes to name a few results.


So who is making money? Lawyers, sales professionals who eat what they kill (commission only), and gray-area professionals who bring in large amounts of revenue and you want them to be happy and quiet (bankers, stock brokers, derivatives traders, futures traders, etc.), government contractors (you need to know someone to get a contract and make campaign donations), and corporations (too big to fail).


The first expenses that a company cuts are advertising (marketing) and safety. So what is a safety professional to do? You need to show a hard dollar amount that you, as a safety professional, are making for your company. So how do you make money? Remember Ben Franklin: "A penny saved is a penny earned"? Saving money.


The one area that would get the most attention is Workers' Compensation Insurance. Going even beyond reducing accidents (and the costs associated with them) is showing that you are reducing the cost of the Work Comp Premium.


Very few safety professionals have the luxury of only doing safety anymore. We need to be IT (Information Technology) specialists, web developers, social media gurus, and now insurance brokers. This is one of the themes that runs through my blog.


I am a licensed insurance broker myself: Life, Health, Property, Casualty, and Surplus Insurance in 15 states. Now my credentials are overkill, and quite expensive. I have these licenses for other services I work on with my clients.

A P&C (Property and Casualty) Insurance License is easily attainable by a safety professional in most states. It costs much less than getting a CSP in time and money. It also shows that you as a safety professional not only know safety, but also understand Work Comp and the impact that you have on it. It may also allow you to be part of the insurance policy renewal process more than you would be as a safety professional.


This will be the first of upcoming posts that will focus on Work Comp insurance. What made me focus on this topic? Two things. First, a colleague of mine had interviewed for a job in the transportation industry. Not only was I a reference for her, but I pointed out some nuances of that industry to help her prep for the job, which she was offered.

Second, one of my clients has just completed a policy renewal, which I was heavily involved with. Our initial figures indicate that work comp claims' costs have been reduced 25%-33%. This was an unintentional consequence. I will have a post about that titled: "Unintended Consequences."