COMPLIANCE
- Should Using ChatGPT Result in Loss of License to Practice?
A recent incident involving a lawyer who relied on ChatGPT to prepare a court filing has raised questions about the reliability and accountability of using artificial intelligence tools in professional fields. The lawyer, Steven A. Schwartz, submitted a brief based on research conducted by ChatGPT, resulting in the inclusion of fabricated court cases. This incident has highlighted the limitations and risks associated with relying solely on AI-generated content. As a result, the discussion has emerged as to whether the use of ChatGPT should lead to the loss of an engineering license to practice.

While ChatGPT and other similar AI tools provide utility across various industries, including the legal profession, it is crucial to acknowledge their limitations. In the case of Steven A. Schwartz, ChatGPT generated false information by inventing court cases that did not exist. This incident not only raised questions about the accuracy of AI-generated content but also emphasized the need for human verification and critical analysis.

Professional Responsibility and Ethical Considerations

This incident involving ChatGPT has shed light on the importance of adhering to professional ethics and exercising due diligence when utilizing AI tools. While technology can enhance productivity and efficiency, professionals must remember that their expertise and judgment are paramount. In the legal profession, submitting inaccurate or false information can have severe consequences. Courts and judges rely on the accuracy and integrity of the information presented to them. The use of AI tools should never substitute proper legal research and verification. The incident involving ChatGPT has prompted Judge Kevin Castel to set a hearing to determine potential sanctions against Steven A. Schwartz and the law firm, Levidow, Levidow & Oberman. Such consequences reflect the need for accountability when incorporating AI into professional practice.
Professionals, especially those in highly regulated fields like engineering, bear a significant responsibility to provide accurate and reliable information. Speculating on the potential outcomes of engineers relying on ChatGPT in critical infrastructure systems presents concerning scenarios. Inadequate verification or the unintentional introduction of false information by the AI tool could lead to design flaws, system vulnerabilities, or erroneous control commands.

Loss of License to Practice?

The question arises as to whether the use of ChatGPT or similar AI tools should result in the loss of an engineering license. While this specific incident raises concerns about the lawyer's reliance on AI-generated content, revoking an engineering license based solely on the use of ChatGPT may be an extreme measure. It is essential to consider the circumstances surrounding each case, including the intent and level of negligence involved. Instead of automatic revocation, it might be more appropriate to develop guidelines and best practices for incorporating AI tools into professional practice. Professionals should receive adequate training and education on the ethical implications, limitations, and potential risks associated with AI tools. Licensing bodies can play a crucial role in setting standards and ensuring that professionals are well-equipped to navigate the challenges of integrating AI into their work.

What Should be Done?

While the incident involving ChatGPT and a lawyer highlights the risks of relying solely on AI-generated content in the legal profession, contemplating the use of ChatGPT by engineers and other professionals raises even greater concerns. Professionals must exercise caution, diligence, and critical thinking when incorporating these technologies into their work. Revoking a professional license may be the right course of action when AI technologies are used out of ignorance, or otherwise when public safety is at risk.
At the same time, it is crucial to emphasize professional responsibility, ethical considerations, and the need for comprehensive guidelines and training. Responsible use of AI will require support from multiple levels:
  - Governments need to establish effective legislation to regulate the use of AI where public safety may be at risk.
  - Professional regulatory and licensing bodies need to establish appropriate codes of conduct and practice guidelines with respect to the use of AI.
  - Professionals need to make themselves aware of the risks associated with AI as it relates to their discipline and practice areas.
  - Manufacturers need to self-regulate their behaviour by establishing responsible AI policy and practices.
- Compliance: The Art of Staying Onside
Understanding the concept of offside holds significance in sports and in business, although it can be difficult to understand and recognize. Ted Lasso, the lead character in the acclaimed Apple TV series, embarks on his coaching tenure with AFC Richmond, possessing minimal knowledge of soccer. In his debut game, he remains blissfully unaware of an offside play. However, as the series unfolds, Ted gradually grasps this critical aspect, ultimately leading to AFC Richmond's advantage. Among the myriad lessons he learns about the intricate game of soccer—or, as many call it, "football"—this particular revelation hits home in the final episode.

In many ways, compliance resembles this important aspect of sports, focusing on staying within the boundaries and keeping the game play in check. For compliance, these boundaries stem from legal obligations and the expectations imposed by internal and external stakeholders. Straying beyond these boundaries results in non-conformance, manifesting as defects, violations, malpractice, injuries, and, if left unaddressed, even the erosion of stakeholder trust. Prolonged negligence in this regard may culminate in mission failure, business setbacks, or even the derailment of one's career. That is why it is crucial to remain firmly between the lines of play.

The above control chart is used by many organizations to monitor their game play and predict when they are at risk of operating offside. However, these are not the only lines that are important to pay attention to. There are other lines – lines of defence – that help to stay ahead of risk. In recent decades, regulatory frameworks have evolved, shifting away from rigid directives and embracing a more outcome-oriented approach. This shift involves effectively contending with uncertainty to minimize public harm and maximize mission success.
In this case, organizations endeavour to keep uncertainty and its detrimental consequences at bay, ensuring that threats never infiltrate the lines of defence to reach critical assets, capabilities, or resources. Keeping uncertainty from penetrating lines of defence is also critical to mission success.

Many ask why we describe compliance as: staying between the lines and ahead of risk. Now you know. By adhering to the boundaries, compliance helps to avoid non-conformance and protect the integrity of a company's operations. At the same time, compliance works to keep risks at bay, preserving the robustness of defence mechanisms and maintaining the ability to outpace potential threats associated with: safety, security, sustainability, quality, and so on. It is an unwavering commitment to mission success that propels compliance to consistently stay one step ahead, fortifying defences and safeguarding them from any compromise.

One more thing...

In the TV series "Ted Lasso", coaching was not only about enforcing discipline, which is how we often think of compliance. It was about helping players be a better version of themselves both on and off the field. In the same way, compliance is not only about audits and enforcement. It is about helping organizations be a better version of themselves. And when they are, they will meet all their obligations and keep all their promises. This is the secret of the Lasso way and the secret of those who are successful at compliance.
- Breaking the Compliance Barrier: A Methodology for Achieving Outcome-Based Performance
Meeting performance and outcome-based obligations requires a different implementation methodology

Compliance operability is achieved when essential functions, behaviors, and interactions exist at levels sufficient to produce a measure of compliance outcomes. The following outlines stages that organizations may follow to first achieve compliance operability followed by increasing levels of effectiveness. These stages are based on the Lean Startup Method by Eric Ries along with steps of team formation (forming, storming, norming and performing) as building an operational system requires similar stages for all parts to work together to achieve the outcomes of compliance.
- When Compliance is the Problem
As with many things in life, there is more than one side to every story. The same is true when it comes to compliance. There is the act of conforming and the thing we are conforming to. When we set high standards that create a better version of ourselves, our products, or the world around us, compliance is usually not a problem. We may not have the capabilities to achieve the standard, so we improve our performance, adhere to the rules, and stay between the lines because we know that by doing so we will achieve the desired results. However, when standards are low or malicious, compliance becomes a problem, and rightly so. Conformance with practices, rules and behaviours that create unfavourable results and make things worse should be challenged and, when necessary, avoided. As Gandalf from the Lord of the Rings said, "Even the very wise cannot see all ends." So we need to be mindful that we cannot know the true end to everything we do. However, blind conformance is never a good idea and has led to unintended consequences and in some cases atrocities that should never have happened. Compliance can be a problem, but it's not usually the act of conformance which bothers most people. It is what we are complying with that causes the most heartburn. What do you think?
- Are You Auditing What Really Matters?
Audits have been used for many years to confirm the integrity of financial statements and that proper accounting procedures have been used. In recent decades auditing has also become table stakes not only for finance, but also quality, safety, environmental and regulatory management systems. As with accountancy, the auditing function does not evaluate the effectiveness of your financial system, nor does it do so for quality, safety, or environmental systems. Auditing only confirms that you are following acceptable practices (usually defined by a standard) and the outputs of the system have not been interfered or tampered with. The evaluation and auditing of system effectiveness is not part of the auditing or the compliance function, so which function is it a part of and what should it be auditing?

Auditing as Quality Control / Assurance

Auditing has become the core function across almost all compliance domains similar to what quality control and assurance functions have done for quality management. The American Society for Quality (ASQ) defines quality control as follows:
  - Quality Control – can be defined as "part of quality management focused on fulfilling quality requirements."
  - Quality Assurance – can be defined as "part of quality management focused on providing confidence that quality requirements will be fulfilled."

Quality control is more the inspection aspect of quality management. It answers the question of are we following the right steps the right way? Whereas, quality assurance on the other hand relates more to quality outcomes. The confidence provided by quality assurance is twofold — internally to management and externally to: customers, government agencies, regulators, certifiers, and third parties. Assurance is demonstrated when "all the planned and systematic activities implemented within the quality system can be demonstrated to provide confidence that a product or service will fulfill requirements for quality."
However, even assurance that the right steps have been done the right way is not enough to ensure compliance outcomes. Something else is needed.

A Shift that Shouldn't be Ignored

Before we look at the answer to these questions, we first need to recognize a shift that is happening with respect to regulatory designs. Increasingly, regulatory and standards bodies are transforming their operations, taking on a more risk-based approach focused on outcomes and continuous improvement. This has resulted in the introduction of regulations and standards that are moving away from prescriptive to performance and risk-based requirements. Organizations are expected to establish their own means (the how) by which they will achieve targeted goals and objectives. This affords greater latitude for organizations to better address complex and systemic problems. It also holds them accountable for the outcomes of their systems, where in the past they have only been responsible for the outputs of prescriptive requirements.

This shift has in many cases come with much confusion. It is not uncommon to find performance-based frameworks including prescriptive "shall" statements related to "how" it should be done. After years under the tutelage of prescriptive regulation the pull towards having something to audit is very strong which while understandable creates confusion for those adopting new and updated regulations and standards.

What Then Should Be Audited?

Increasingly, obligations that arise from regulation along with industry standards are requiring that organizations make progress towards what is often called Vision Zero targets. These include zero harm, zero fatalities, zero incidents, zero emissions, zero violations and so on. Advancing these goals requires risk-based approaches and the continuous improvement of capabilities to generate appropriate levels of performance for progress to be made.
When we now think about compliance we should be considering the goals that are being targeted. An important distinction that can be made is between "terminal" and "instrumental" goals. Terminal goals are the highest level objective that we want to reach. They define the "ends" of our compliance programs, for example: zero defects, zero fatalities, zero violations, zero releases, zero fines, and others. Instrumental goals are intermediate outcomes or results that are critical or that must occur in order to achieve the higher-level outcome. These are often used to define Measures of Effectiveness (MoE) for compliance programs as they provide clear indication of progress towards terminal goals. Measures of Effectiveness can be used to validate compliance programs to ensure that they are fit for the purpose of advancing outcomes.

The following are Measures of Success for compliance frameworks that support performance and outcome-based obligations (see previous figure):
  - Measures of Effectiveness (MoE) – critical to program success, independent of any technical implementation (i.e. the how). Focuses on the ends not the means.
  - Measures of Performance (MoP) – measures that relate to the operations of the compliance program, systems, and processes. These are the measures of capabilities needed to be effective.
  - Measures of Conformance (MoC) – critical to compliance, where failure may be cause for reassessment of the program. These tend to be prescriptive legal requirements but may include voluntary practices.

Auditing has traditionally been helpful to verify Measures of Conformance but now needs to support Measures of Performance and Effectiveness. The latter is the task of governance and program management. Together they identify the destination and then steer the organization towards it. To be effective they need compelling answers to these questions: Where should we be heading? How will we get there? What is our strategy?
What capabilities and resources do we need to get there? What obstacles are in the way? How will we measure our progress?

The audit function now forms a validation function connected with progress towards targeted outcomes rather than only conformance to shall statements. Those in the pharma and medical device industry will recognize this distinction between verification and validation. You can build a pacemaker that meets all design specifications (which you can verify) and yet fails to keep your heart pumping. This is precisely the shift that is happening with safety, environmental and regulatory objectives. You can build a system that conforms to all the standards and yet fails to make any progress on outcomes. This is why compliance now should audit outcomes over outputs.

Additional Reading:
  - https://www.leancompliance.ca/post/four-misuses-of-audits
  - https://www.leancompliance.ca/post/four-steps-to-proactive-compliance
- Why Compliance Should Leave Low Hanging Fruit To The End
When it comes to implementing systems, or achieving anything of significant scope, size, or complexity we will at some point be advised to pursue low hanging fruit and easy wins as a place to start. This advice is usually well intended and at some level of analysis makes sense. It can help get things started while not getting bogged down with the hard stuff. It also doesn’t cost very much to make progress, at least at first. This will help concerned parties (i.e. upper management) feel better about our project when achievements are reported early and often. So what's the problem?

The problem with fruit

The reason why we want to pick low hanging fruit first is that they are already ripe. They also are at risk of falling on the ground or rotting on the vine. However, what is most important is that they are ready to be picked – we don't have to wait, just grab a basket and start picking. When it comes to projects beyond the simple ones the fruit analogy breaks down. To start with we are often not picking from only one tree or the same fruit. In fact we may not even have orchards growing any fruit at all. We need to build the orchard first and cultivate it so it will grow the fruit we need.

The biggest problem with the fruit analogy and particularly low hanging fruit is that it leads to working on the easiest things first and leaves what is most at risk and what really matters to the end. This is when budgets are less, options are few, and there is very little patience to deal with things as we often will hear “just get it done.” Those that manage project risk will know that it is best to front load efforts with the hard things, deliverables that are most uncertain, and particularly the tasks that will generate the greatest impact – the things that really matter. Projects need to drive down uncertainty hard, fast, and first while focusing on those things that create the greatest value. This is where real progress needs to be made.
Compliance is fond of picking low hanging fruit

Unfortunately, when it comes to compliance, we like low hanging fruit and far too much. Compliance often imagines non-conformance or audit findings as low hanging fruit or more specifically bad fruit. We look for them using audits, we pick them from the ground and take corrective action to pick them from the tree next year. We then rinse and repeat in the name of continuous improvement. At the end of the year we pat ourselves on the back for having picked so many bad fruit. This reactive and reductive mindset is so prevalent that it is evidenced across almost every dimension of compliance when organizations concentrate their efforts on:
  - Addressing elements rather than the principles of a standard or regulation
  - Closing gaps rather than addressing root causes
  - Meeting mandatory requirements rather than all commitments
  - Relying on best efforts rather than best results
  - Focusing on inspection / auditing rather than capabilities / performance
  - Achieving certification rather than better outcomes
  - Waiting (being reactive) rather than anticipating (being proactive)

These practices always leave the hard stuff to later and often for someone else to take care of. As a result, risks are never properly dealt with and the outcomes of compliance are never realized. It is no wonder why compliance programs are seldom effective. Compliance is so busy picking bad fruit that it never gets around to preventing the fruit from getting bad in the first place.

We need a better analogy and a better approach. Compliance needs to leave low hanging fruit to the end. In fact, it should abandon the fruit analogy altogether. Compliance is better imagined as treating a disease rather than picking fruit. The prognosis of poor compliance if left untreated is the loss of a business and perhaps even the loss of life. We are better off to treat the disease not the symptoms. In fact, we are better off to prevent the disease in the first place.
Maintaining the health of an organization and its stakeholders should be the goal of effective compliance. This mindset will lead to a focus on anticipation, contending with risk, practising healthy behaviours, and treating illnesses over just focusing on symptoms (or once again picking fruit). If followed, this holistic approach will increase the probability of the organization being around for years to come. It will mean doing the hard things first as we all know when we are trying to improve our own health. For starters, we have to exercise and eat well. Not easy, but necessary if we want to improve our health and also experience the benefits of a healthier lifestyle. The same is true for compliance. We need to do the hard things first. We need to exercise the behaviours and practices that produce better outcomes so that organizations can finally realize the benefits of their compliance efforts. Time to leave the low hanging fruit and easy wins aside. It's time to do the hard stuff. Not easy, but necessary.
- Four Misuses of Audits
Audits were first adopted by financial institutions to identify and prevent fraud. Their focus was to test the integrity of accounting procedures and financial data. Since then, audit practices have developed alongside of changes to standardized accountancy to become a crucial role in governance, risk, and compliance activities. At the same time, the audit function has grown beyond the financial function to cover other compliance programs such as: occupational health and safety, process safety management, environmental, quality, security, and so on. However, there are important differences between auditing financial statements and ensuring compliance outcomes particularly when it involves safety. Not understanding these differences has resulted in the misapplication of audits as outlined in the following four misuses:

1. Audits go beyond the "what" and provide remedies for the "how"

Auditing should verify the integrity of reports and the processes used to create them. However, all too often, audits are used to prescribe "how" compliance should be met. Providing remedies happens all too frequently with external but also with internal auditors that have their own view of how compliance should be done. This practice was rightly stopped in the financial sector as audit firms cannot provide advice of this kind. Unfortunately, this correction has not yet taken hold across many regulatory, standards and certification organizations supporting quality, safety, security, sustainability, and other compliance objectives.

2. Audit findings are used to set compliance obligations

Audit findings produce a list of corrective actions that are often used directly by compliance managers to establish what the obligations should be. This poses several problems particularly when the audit findings inappropriately prescribe remedies as discussed earlier.
Another problem is that findings can be based on an auditor's interpretation of a standard or regulation. This leaves companies struggling to revise their approaches only to have them change again the following year when a different auditor conducts the audit. Companies should not immediately accept remedies or an auditor's particular interpretation. Instead, companies should decide for themselves the level of commitment for each obligation and hold management accountable for the means by which they are met. Compliance accountability is a managerial role and not that of an audit committee or auditor.

3. Audit findings are used as the only source for compliance improvement

Many companies only use audit findings to drive change to their compliance programs. These findings can be helpful but are not enough as audit findings are too slow to provide feedback, and are too late to prevent risk from becoming a reality. Relying only on audits doesn't make sense when it comes to safety, quality or dealing with the environment. This is like waiting until you hit the guard rail before you realize that you were driving outside the lines. Companies need to use leading indicators and actions instead of waiting for an audit to tell them when they are offside.

Also, findings never consider stakeholder or voluntary goals that companies may choose to pursue. Standards along with regulations are at best minimum specifications and companies may choose to go above and beyond them and often do. It is observed that over 50% of obligations are driven by stakeholder expectations not regulatory requirements. This is expected to increase with further adoption of ESG objectives. Including the entire scope of obligations would help promote trust, strengthen a company's social license and demonstrate that compliance is valued. Doing the minimum that regulation demands is a weak position especially when it comes to safety.

4. The audit function inappropriately assumes managerial accountability for compliance

The lack of clear accountability for compliance obligations often results in the audit function taking on this role and determining how compliance should be met and what the obligations should be. This diminishes the responsibility of managers who have the compliance role and should be the ones who are accountable. In addition, the audit function requires significant resources to fill in the accountability gap which they are unable to do. This results in many companies being uncertain of where the goal line is and where they are in relationship to it. As a result, they spend tremendous effort in preparing for and conducting audits every year to discover the status of their compliance. Companies are now conducting pre-audits to get ready for internal audits to get ready for external audits. All of these in hopes that they satisfy a benchmark specified by an external auditor or regulator which is something that companies should already know and be certain of. When it comes to safety or cybersecurity, waiting for an audit every year (or every other year) is far too late to find this out and creates unnecessary risk for employees and stakeholders.

All of these audit misuses result in significant waste and more importantly the lack of compliance assurance, the very thing that organizations (inappropriately) look to audit to provide. Companies should take ownership of their compliance obligations and execute proactive steps to ensure they are met. They should not defer or wait for an external auditor to tell them if they have achieved their own compliance obligations. Meeting compliance obligations is a performance process just like anything else a company does and it is time to bring it back inside and in front where it belongs.
- Compliance Excellence - A Road Less Traveled
There are many places in business where performance is critical and the drive to excel pushes organizations beyond their current limits to achieve remarkable outcomes and we call this the pursuit of excellence. However, when it comes to compliance this pursuit is one that few companies take. Compliance excellence is something that companies rarely discuss let alone put on their list of strategic priorities. And yet, it is a lack of effective compliance that contributes significantly to why many are often only one recall, one explosion, one violation, or one mishap away from losing their regulator license and what is becoming as important their social license to operate. While there are many volumes of books, papers, legal briefs, and other documents concerning compliance many of them focus on complying with prescriptive obligations mostly through the narrow lens of legal affairs. In the rare cases where the lens is broadened it results in a stack of separate departments each addressing a different obligation source; one for safety, quality, environmental, cybersecurity, and so on. Each function having their own resources, systems, processes, and practices, and even its own culture. Although implemented separately, what they do have in common is the same reactive strategy reinforced by an audit / fix cycle. This approach is characterized by looking at what has already happened, correcting non-conformance, and then determining how to prevent them in the future. Not only is this expensive (at least three times), it is too slow and too late to make any real and significant difference in outcomes. A reactive strategy is like steering your car by looking through the rear view mirror. You only see things through the lens of past performance, and often after you hit the guard rail; hoping that it has stopped you from going over the cliff. Compliance needs to change from looking at where it has travelled to where it is going. 
This provides a better outlook and affords the opportunity to better stay between the lines and prevent risks that might otherwise diminish or possibly destroy value creation. While this is a road less travelled it is the road to effective compliance and one that leads to better outcomes.
- What Will People Be Doing 20 Years from Now?
It is common nowadays to come across articles that claim that robots and AI will take over people's jobs. Some might even argue that this is already happening and will continue to increase with advancements in artificial intelligence (AI). In fact, if things continue on this course, all our jobs will be at risk. It is always difficult to predict the impact of new technologies. However, we don’t need to look very far in the past to see that automation of various kinds has already disrupted the workforce. There are numerous examples of this, such as: factory automation, large-scale machinery, and even computing itself that have significantly changed the way we live and work. Many of these changes have made both the workplace and the work itself better. We no longer need thousands of workers doing back-breaking work using shovels to mine for the raw materials that fuel our businesses, as an example. Nevertheless, these kinds of claims stir up uncertainty and fear for those that are dependent on jobs that might be displaced. This begs the question as to what should we do about all this?

A question from the past

When I first started my career, I worked for a semiconductor manufacturer and was responsible for computing and information technology. At that time, enterprise computing was going through its second iteration with the introduction of ERP, CRM, and other company-wide applications. The possibility that certain jobs would no longer be needed was significant and this required careful consideration. And so I met with the president of the company to discuss how to proceed. He asked me a question that I have not forgotten. He said to me, “To understand how to deal with this challenge, you first need to answer the question, ‘What will people be doing 20 years from now?’” This at the time did not seem like a practical question to be asking but in hindsight was exactly the right question.

Why do we work at all?
If you have teenage or even college age children you may have heard them ask similar questions, "why do I have to get a job and why do I have to work?" Perhaps, their motives for asking are less than noble. However, as parents we try to come up with a suitable answer to persuade them to get a job. There are many arguments one could use as to why work is important and why we are meant to work. However, the most relevant, specifically when it concerns the accelerated advancement of robotics and AI, is appealing to human potential.

When we look at people (particularly younger ones) what we see in them is mostly raw potential. They have most of their life ahead of them and can become anything they want (more or less). Their potential has the ability to move themselves and society forward towards greater things. That is why we are saddened when people do not live up to their potential and why we celebrate, particularly when it is for good, when they do. However, to live up to one’s potential requires work and lots of it.

My parents worked very hard lives so that I and my other siblings could have a better life and for that I am very grateful. Given the chance my parents could have been so many other things. However, they took the potential they had and turned that into something tangible. All their hard work provided for our family so that we could have opportunities they did not. You could say they were passing their potential forward through their hard work. Humans have been doing this for as long as humans have been around. Deep down we know that our potential is not effective unless it is converted to something real and this always requires a substantial amount of work. In fact, quite often it requires a lifetime’s worth and only manifests itself in future generations.

Back to the future

So back to the question that was posed to me years ago and I believe is still relevant today, “What will people be doing 20 years from now?” Here is my answer.
We will always find ways to make work more efficient; robotics and AI are just recent examples. However, what is also in our DNA is our ability to take human potential and turn it into something great. Robots and AI may improve efficiency and this will no doubt displace workers. When this happens, we need to show dignity and respect for the hard work these workers have done. Who knows when we might be on the other side and told that our job is no longer needed? In fact, it is very likely that one day this will happen, if it hasn’t already. At the same time, there is still room for hope. There will always be a need for humans to work as long as there is potential, and there is no sign that this is in short supply. An organization's purpose will include the making of profit. However, companies can exist for a greater purpose. They can exist to create opportunities for people to work so that their potential can be realized to some degree. The greater the degree, the more humanized the workplace becomes. At the same time, when workers are used like “machinery” the work becomes dehumanizing. Perhaps this is where robotics and AI can help the most, by replacing work that is inherently dehumanizing and replacing it with what we do best - doing the work to turn potential into something great.
- Hold Paramount the Safety, Health, and Welfare of the Public: Pass or Fail?
The scientific method and engineering method are two approaches that are frequently used to develop technology and solve real-world problems. While these two methods share some similarities, they have significant differences in their goals, processes, and outcomes. In the context of public safety, the differences between these two methods can have far-reaching implications for society. In this article, we consider the role that each has in protecting the public from harm and steps that can be taken to improve the responsible use of technology.
Separation of Concerns
The scientific method is a process that involves observing natural phenomena, developing hypotheses, testing those hypotheses through experiments, and drawing conclusions based on the results. The scientific method is primarily focused on understanding the underlying principles of phenomena and uncovering new knowledge. Scientists are responsible for adhering to ethical guidelines and minimizing the risks of their experiments. They are also expected to communicate their findings to the broader scientific community and the public. On the other hand, the engineering method is focused on using scientific knowledge to solve practical problems and develop new technologies. Engineers use the principles and theories developed by scientists to design, build, and test new products or systems. The engineering method involves a range of activities, including research and development, prototyping, testing, and refining designs. Engineers are responsible for ensuring that their designs are safe, reliable, and effective. They must also consider the ethical and social implications of their designs and take steps to mitigate any potential risks.
Who is Responsible for Public Safety?
Both disciplines are involved in innovation and both are responsible for public safety. However, when it comes to ensuring public safety, the engineering method is seen as the primary protection against public harm.
The reason for this is simple: Engineers are accountable and must answer for the safety of their designs. This is the duty of all engineers: Hold paramount the safety, health, and welfare of the public. When these responsibilities are ignored, engineers are in possible violation not only of legal and social contracts but also of moral imperatives. As a result, engineers prove the technology first before it is used to solve real-world problems. The pharma and medical device industries provide excellent examples of how this works. Before a new drug or medical device is approved for use by the public, it must undergo rigorous testing and evaluation. This process involves multiple phases of clinical trials, during which the safety and effectiveness of the drug or device are carefully monitored. Only after this testing is complete and the risks and benefits are well understood can the drug or device be made available to the public. This is consistent with the engineering method. However, we don't seem to be following this approach across all domains, particularly those connected with social media and AI. When it comes to those, we seem to be conducting experiments involving the public at scale without concern for public safety, mitigating the harms, or taking responsibility for the results.
Ethical Failure?
As previously mentioned, when it comes to public safety, those using the scientific method must ensure safe experimentation and take necessary precautions. In addition, those using the engineering method are responsible for the safe development and use of technologies in the public arena. The responsibility for ensuring public safety falls more heavily on engineers, who play a crucial role in the design and development of technology, infrastructure, and products. For this reason, engineering involves testing and evaluating new technologies before they are made available to the public. This is particularly important in fields such as pharma and medical devices, and should be for other fields including social media and AI. Whether the latter is a science experiment gone wild, or an engineering prototype rolled out to the public before it is ready, the violation of ethical obligations is clear. There is a common belief that technology, particularly information technology, is neutral, and that the responsibility for how people use the technology lies solely with the individuals who use it. However, this view overlooks the fact that technology is created by people who make deliberate decisions about its design, development, and implementation. In my first year of engineering design we were taught that engineering is never neutral. For example, sometimes it is better to build a better shovel than introduce massive combines to improve agricultural productivity. The former improves productivity while maintaining livelihoods and communities. The other improves productivity but often destroys livelihoods, communities, and most likely the environment as well. Social impacts are necessary design considerations for all who practise engineering. While experimenting or testing out new technologies where there is the possibility of significant risk to the public may not be illegal in every field, it is questionable, as it violates ethical obligations to hold the safety, health, and welfare of the public paramount. Some people argue that regulations aren't needed because they can stifle innovation and creativity. However, while satisfying safety, social, and sustainability requirements may initially seem like a challenge, these requirements actually encourage more innovation rather than less. There may be individuals or companies who believe that they don't need to employ scientists or engineers in order to produce their products or services. This may lead to the belief that they have no professional obligations towards public safety. This view is misguided.
Even if a company doesn't employ scientists or engineers, it still has a responsibility to ensure that its products or services are safe for public use, if not on legal then on ethical grounds.
Ethical Line of Defence
The pursuit of technological advancement often comes at the expense of public well-being, with negative impacts on society and the environment being overlooked or deferred to a later time. The mode of operation can be well stated as: play now, pay later. And yes, we will all be paying for it later. While the dilemma between innovation and responsibility is not new, there is an immediate cause for concern when it comes to the use of technology in the public arena at the scale and acceleration we have seen in recent decades. Governments will in due course enact legislation and design regulations to contend with public risk, including those associated with social media and AI. In the meantime, this should not give free license to scientists or engineers to ignore their ethical responsibilities. Scientists and engineers should not hide behind a technical shield. They have a duty and responsibility to the public. They must individually and together form an ethical line of defence by: taking ownership of all their obligations with respect to legal, regulatory and also ethical responsibilities; being transparent concerning the communication of risks when engaging the public; speaking up on issues concerning technical and public risk; and advocating for the safety, health, and welfare of the public. Those that choose to act responsibly will face many challenges and pressures to conform not to moral imperatives but to other less noble ones. This kind of compliance is a waste and a tax, not on production, but on the public who will ultimately pay for earlier decisions to tolerate risk – the good with the bad. We can do better. We must do better.
- Critical Defeats - Managing the Last Line of Defense
Process safety refers to a systematic approach within industries to prevent and mitigate the occurrence of hazardous incidents and accidents during the operation of chemical, petrochemical, food production, pharmaceutical, and other similar processes. The primary goal of process safety is to ensure the protection of personnel, the environment, and assets while maintaining the efficiency and productivity of operations. To minimize the likelihood and consequence of accidents, safety barriers (i.e. guardrails) are put in place as a layer of protection. It is often necessary to isolate, bypass, or remove components of this critical protection to allow for maintenance and other activities to be conducted. These components are often called "Safety Critical Equipment" and the process to bypass them is called "Critical Defeats." While defeating safety critical equipment is necessary, it needs to be done in a controlled and safe manner. Examples of safety critical equipment include: safety instrumented systems; DCS or PLC shutdowns and interlocks; emergency shutdown valves; PSVs; car seals; fire and gas detection systems; mechanical shutdowns; and so on. Digital shutdowns may also be necessary with respect to the implementation of AI systems and "human-in-the-loop" safety barriers. Critical defeats are most often temporary and short in duration, measured in shifts, and do not typically extend beyond 7 days. Longer duration and non-routine defeats are usually handled through the facility or asset Management of Change (MOC) process. To maintain safety, a clear and robust approach is needed to cover the approval and execution of critical defeats.
At a minimum, the documentation for authorizing a critical defeat should include: what is being defeated; the reason the defeat is being applied; what risks are created or exposed by the defeat; what alternate protection is available; what precautions are required to mitigate the risks; how long the defeat is to be applied; and what level is needed to authorize the defeat. As with Management of Change, a process approach helps to reduce risk by ensuring that all steps involved, including approvals, are executed and done in the correct sequence. An example process for Critical Defeats is shown below: After the defeat is approved, it should be communicated to operators and all other people who work on the equipment or process. It is common practice to include this information in shift logs or on display boards and to discuss it during handovers. In addition, the following activities are helpful to further manage risk: clearly define roles and properly train personnel to the appropriate level of competency; ensure that there is an alternate layer of protection in place; limit the number of active defeats allowed at any given time; limit the duration for how long a defeat can remain active; tag by-passed devices; monitor active defeats on a daily basis; and conduct weekly audits to ensure the proper reinstatement of the defeated devices or systems. Establishing a robust process to manage the defeat of critical protection is essential to maintaining safety. If you have an existing process, now is a good time to look at how it is performing to identify areas that can be improved. An important first step is to map the actual process and compare that to written procedures. Look at gaps in the process and where waste exists, such as waiting for approvals, incomplete information, over-processing, and so on. The critical defeat process should be viewed as a resource to keep everyone safe and not as an obstacle to getting work done.
Shortcuts taken here expose workers and the organization to unnecessary and avoidable risk.
Questions for Improvement
What gaps exist between your current critical defeats procedure and how defeats are actually approved and implemented? What safety critical equipment is missing from the procedure? Who should be notified, and currently is not, when critical defeats are approved and become active? What steps are being taken to ensure the reinstatement of defeated equipment? What steps can be taken to improve how risks are identified, mitigated and managed? How can you help to improve the way critical defeats are handled?
- Compliance versus Obligation Risks
When it comes to performance-based compliance, you need to manage both compliance and obligation risk. Compliance risks are the effects of uncertainty of non-conformance. These impede outcomes. Obligation risks (i.e. opportunities) are the effects of uncertainty of conformance. These advance outcomes. To manage both, the following tools and systems are helpful:
Bow-Tie Analysis - evaluate risk and controls to optimize risk buy-down and opportunity invest-up plans.
ISO 31000 Risk Management System - provides a framework to manage risks and opportunities across their life-cycle. Don't create an opportunity for threats to penetrate your defenses or opportunities to be missed by missing a step.
ISO 19600 Compliance Management System - provides a framework to manage all your obligations under one governance system. It does this by establishing processes to identify, implement, evaluate, and maintain all mandatory and voluntary obligations covering: quality, safety, environment, security, regulatory, and other risk-based obligations. The goal of ISO 19600 is to ensure effectiveness.
When obligation risk is addressed ahead of time, it reduces the probability of compliance risk. Not only will you protect against loss but you also advance outcomes at the same time. It pays to be proactive.











