Safety and Security: The Challenges of Bringing Them Together

This chapter looks back at how safety and security have developed in hazardous technologies and activities, explaining what has become an intersection between the two in both strategies and management practices. We argue for the con-nection to be made between social expectations of safe and secure societies and the limits to management and technical performance. In the ﬁrst part of the chapter, conceptual similarities and differences are addressed and we distinguish three scientiﬁc and contextual vantage points for addressing how safety and security are converging: the conceptual approach, the technical and methodological approach, and the management and practice approach. We then go on to show that, as professional areas, safety and security have developed in different ways and supported by quite separate scientiﬁc and technological ﬁelds. Finally, we present the organization of the book.


How Do Safety and Security Come Together?
Safety has long been a major concern for organizations, especially with the advent of hazardous technologies and activities. Within sectors such as energy, chemical, transportation, water, and health, safety is a core concept in policy, regulation, and management. Consequently, there are well-established institutional/management strategies, collaborations, and practices associated with preventing incidents and accidents. Maintaining the efficacy of these approaches is viewed as important for protecting hazardous technologies, as they are based on previous incidents and include the dynamic yet fragile organizational web of safety defenses [24]. From the 1980s, supported by an increased understanding of how and why accidents happen, increased attention was paid to how accidents and disasters are caused by societal developments [6]. Research demonstrated how hazards relate to changing organizational characteristics [12,21], and the argument that major accidents are inevitable in certain high-hazard systems became influential and spurred interest in the limits to safety and possibilities of organizational competence [12].
Security was up until the end of the Cold War strongly connected to state security and the protection against threats from foreign states. For civilian industries, security in this respect became an issue to the extent that organizations contributed to a state's military defense capabilities [6]. However, when the Cold War ended in the late 1980s, the political focus shifted to peace and international human rights as well as an increased consciousness about societies' own vulnerabilities to malicious acts such as sabotage and terrorism. Until the catastrophic attacks in New York on the 11th of September 2001, security threats were a much smaller part of the overall regulatory and management scope compared to other hazards considered 1 (i.e., major accidents and disasters). However, now over 15 years later, we have become far more familiar with facing malicious attacks that may involve suicide operations. Partly because of this change in the type of threat, the public feels a form of free-floating dread which is amplified by terrorist attacks [10]. New public policy notions have been introduced and different management and/or organizational perspectives are established for a secure society. Better preparation, emphasizing prevention in particular, has been called for by the public with new demands and accountabilities being developed [10]. In the U.S., the Transportation Security Administration (TSA), now part of the Homeland Security Department, was created following the creation and approval of the Aviation and Transportation Security Act in November 2001 (9/11 Commission report, 2004). As illustrated later in this chapter, similar developments have been seen in European countries.
The increasing emphasis on security and associated security risk reduction measures leads to an obvious intersection between safety and security management in hazardous industries. Leaders and analysts have had to understand and include a new category of threats. New forms of cooperation and domains of operations have also developed, that were not key premises in existing strategies and practices prior to 9/11. In addition, doubt has been cast on the efficacy of a good deal of the existing approaches to protecting hazardous technologies [10]. The interactions between safety and security have emerged as not all obvious, especially in normal situations. Subtle mutual influences do occur. As illustrated by Pettersen & Bjørnskau [13], safety and security practices may in some cases conflict with one another. Many organizations (industries, institutions) are hesitating whether they should have two separate entities for managing safety and security or merge the two.
For both safety and security, hazards and threats are today defined more and more as systemic risks and products of modern society. Local vulnerabilities are increasingly being understood as influenced by global events and processes [6], such as within digitalization [9,19]. These developments coincide with a similar transformation of both safety and security policy, toward broader fields and shared responsibilities focusing on societal, civil, homeland, and human issues. These changes must also be viewed in combination with a growth in risk management as solutions to policy requirements [6,17,20], developments that are connected to a wider pattern of neo-liberal influence [14] characterized by extensive deregulation, privatization, and outsourcing. Where the gray area between security and safety previously could be narrowed to the problem of defining the difference between an accident and a criminal act, safety and security can no longer (if they ever did) ignore each other in either concepts, policy or management practice.

Safety and Security
Although there may be little difference between feeling secure and feeling safe [1], if we admit that the concepts of safety and security are not fully analogous, providing clear definitions of the concepts remains a challenge [4]. Not only is there a single word for safety and security in many languages (unlike in English), but also the many definitions from academics on the one hand and the colloquial use of the terms on the other hand convey ambiguities [4].
The definitions provided by academics mainly refer to two types of distinctions between safety and security: one related to the intentionality, safety focusing on hazards and non-intentional or accidental risks as opposed to security that focuses on malicious threats and intentional risks [1,20]. The other one builds on the differences of origins-consequences, safety being the ability of the system not to harm the environment whereas security is the ability of the environment not to harm the system [4,15]. Yet, further refinements are proposed by some authors combining these two axes of distinction between safety and security, especially to account for differences in the use of terms in different domains and to enrich the system-environment axis by considering the ability of a system not to harm itself [16].
Despite efforts at refining the distinction between safety and security, a returning question is whether to distinguish the two or to best manage dangers overall whether they make us feel unsafe or insecure [23]. A central concept for how to achieve both safety and security is risk management (Blokland & Reniers, Bieder & Pettersen Gould, both this volume). However, there is much confusion as to what to expect of risk analysis [18], how it can be carried out, and if it is the same for safety and security [8]. The conceptual differences between safety and security have in many contexts become further extended by science and technology, for example, in airport operations [5,6]. In daily operations, security screeners and safety personnel have different training, use different technologies, and operate in completely different ways. The different regulatory frameworks and the nature of some of the contracts in place at airports [5] further strengthen this divide. Still, such behavior by individual workers or organizations to protect against or mitigate threats and hazards requires decisions without clarification whether it is a matter of safety or security. Many such decisions involve "ordinary workers", managers, as well as HSE professionals, security officers, and other professionals. Blurred as these distinctions are, the contributions included in this book are a sample of how safety and security are converging based on different scientific positions and contextual vantage points: conceptual (Blokland & Reniers; Jore), technical and methodological (Leveson; Wipf; Bongiovanni), and management and practice (Brooks & Coole; La Porte; Boustras; Schulman). The chapters show that doing both safety and security are quite generic features of organizations and for many integral to their existence. However, distinguished as professional areas, safety and security have developed in different ways and supported by quite separate scientific and technological fields. Still, while some areas of professional safety and security practice are supported by highly specialized and rigorous knowledge, others are routinized by convention, rule, or law [18]. This requires, in addition to technical knowledge and methods, learning by empirical study of the organizations and systems in which safety and security develop and interact (see La Porte, this volume).

Safety, Security, Science, and Public Policy
Both safety and security can claim to be relatively young as scientific communities [20,11]. Safety science is customarily described as research for increased protection, preventing danger or risk of injury. However, the production of safety knowledge has proven to be diverse, with variations depending on context and with a mix of approaches from different disciplines [11]. Safety managers are also a diverse community that continues to grow, but some boundaries have developed, for example, within Occupational Health and Safety (OHS) [7]. Despite this, technical demands for safety vary a great deal, depending on the type of hazards that are at issue, and many requirements are legal or economic and originate more from policy, rather than from science. More specifically, they originate from the institutional and organizational goals in the safety strategies and climate of supranational regulatory agency, national or local government, or corporation. As for security science, it is as diverse as safety, equally multidisciplined, and with an even less defined knowledge and skill structure [20]. However, as for safety, security can be defined more clearly when you connect it to a specific context and supporting concepts, theories, and models that can be identified (Ibid.).
The chapters that follow focus on safety and security as distinct practices, such as Brooks and Coole investigate in Chap. 7, drawing attention to the role of practices and professions, but we also learn a great deal about safety science and security science. For example, Sissel Jore notes that an accident investigation report used security culture as one important explanatory factor behind the outcome of a terrorist attack and that many Norwegian petroleum companies apply security culture as a means of security improvement. While clearly having its counterpart in safety culture and in theory possible to define and investigate, the concept is applied with little technical support and analysis. Distinctions between security and safety as well as between scientific approaches and management thus become blurred both in theory and in practice.

Safety, Security, and Social Expectations
That there are limits to bureaucratic and technical performance in the search for safety and security is undeniable. Both accidents and malicious attacks will happen and uncertainties will continue to abound [18]. As Schulman states in Chap. 9, there are always more ways that a complex system can fail than there are for it to operate correctly as designed. And hostile strategy can add additional possibilities for disaster because of the treatment of vulnerabilities as strategic targets. Yet one must ask, what is safe and secure enough? Also, as safety and security prompt new demands, even for stronger integration, what are the implications for the people in organizations and institutions managing technologies that continue to grow in scale and complexity? Who will be reinforced and who will experience increased tension and conflict? See La Porte (this volume).
As previously stated, many organizations (industries, institutions) are hesitating whether they should have two separate entities to manage safety and security or merge their treatment. Security is being added to the scope of some safety authorities (for example, in aviation with EASA and the French Civil Aviation Authority), but with very limited inputs from research as to how to deal conceptually and in practice with this extended scope. A further potential issue is around transparency and sharing of data and experience. An illustration is the publication of research, where security research may demand confidentiality about results, whereas safety management practice and safety research aim for maximum openness.
So far, most research and literature on the relationship between safety and security has focused on engineering aspects like design and risk analysis methods [15], as well as some work on conceptual issues [4]. But despite the number of years where safety and security have coexisted as approaches, there seems to be limited research on how safety and security are managed in practice at all levels. Importantly, a few field studies confirm a tension between safety and security when it comes to daily activities [5,13] and thus there is a need to further investigate the interactions between the two aspects within hazardous technologies and activities.

Organization of the Book
The chapters of this book are not put into any divided sections, but the flow of chapters follows roughly their focus from conceptual, technical, and methodological themes toward issues of empirical research, management, and practice. It is instructive to note, however, that there is a good deal of overlap between chapters. The final chapter summarizes some key challenges and problems from looking across contributions and discusses some key issues for an interrelated research agenda for safety and security. In chapter two, Blokland and Reniers take a risk perspective and focus on what links and differentiates safety and security in situations where there is uncertainty related to effects on individual, organizational, or societal objectives. For risk analysis purposes, the chapter largely outlines safety and security in the same way but also argues for some differences between security and safety related to effects, objectives, and uncertainty. Leveson, in chapter three, presents how system safety engineering methods can be developed to include both safety and security scenarios. The approach taken acknowledges that system design errors cannot be eliminated prior to use and that the complexity of many systems requires new and more inclusive models of causality. The chapter illustrates how engineering tools based on system theory can be applied to handle safety and security in an integrated manner. Based on an empirical case from light helicopter operations, Wipf uses a game theory approach in chapter four to assess safety and security issues in combination. The chapter illustrates the commonalities and differences between assessment techniques. Acknowledging the turn of security science toward softer measures, Jore argues for security culture as a promising concept for organizations, as it can make security a priority and shared responsibility, and compares it in chapter five to the more widely applied concept safety culture. The adequacy of the concept is discussed based on its use in an investigation report from a terrorist attack on an internationally run Algerian oil facility and the discussion is structured by using criteria for conceptual adequacy. Chapter 6 is methods oriented and takes an end user perspective on safety and security. Focusing on an airport security environment and security screening in particular, Bongiovanni shows the potential benefits of looking beyond legal and managerial perspectives that seem to dominate both safety and security management. He argues that this can help organizations to use fewer resources on the "eternal killjoys" of loss prevention and increase value for users. Chapter 7 explains how safety and security, though sharing an overarching drive for social welfare, are diverging as distinct professions. Brooks and Coole explain, considering security within the context of corporate security and safety within the context of occupational health and safety, that when considered within their occupations and supporting bodies of professional knowledge, there are limited synergies. "What organizational design and operational puzzles arise when 'safety in operation', and then 'security from external threat' are demanded from organizations and public institutions as their core technologies grow in scale and complexity" asks LaPorte in Chap. 8. Building on experience from a field study of large-scale technical organizations, the chapter formulates questions that emerge when safety and security become mixed operational challenges and sketches out a guide toward further empirical research. The chapter also addresses strategic implications for senior leadership confronted by both external threats and the increasing operating social complexities of organizations operating hazardous systems. Based on previous research on high-reliability management, Schulman focuses in chapter nine on the management challenge of safety and security convergence. He discusses how high reliability may function as a common framework for safety and security, as well as challenges of bringing safety and security under a larger management framework. And in Chap. 10, Boustras explores safety and security from the perspective of the workplace, arguing for how emerging risks and new drivers are motivating new focus areas in the interface of safety and security. As job-related consequences and the direct economic impact for organizations are less apparent, state authorities and regulatory pressure become more of the backbone but with increasing demands on the workplace.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.