A chemical plant in Zhejiang passed 14 consecutive government safety inspections over three years. Their secret wasn’t more compliance staff—it was a genuinely operational dual prevention system that operators used every shift, not just before audits. When I asked the EHS manager what made it work, he said: “We stopped treating it as a filing exercise and started treating it like a process control system.” This article is about how to do that.
The Problem With Most Dual Prevention Systems
China’s State Council mandated the dual prevention system (双重预防机制, also called 双控体系) in 2016, and it’s been reinforced in every major safety regulation since—most recently in the 2021 Work Safety Law revision. Every industrial facility above a certain hazard threshold is required to have it.
The mandate is clear. The implementation, in most plants, is not.
Walk into a typical factory and you’ll find the dual prevention system living in three places: a binder on the EHS manager’s shelf, a filing cabinet of hazard identification forms, and a set of color-coded risk maps on the wall that nobody looks at. The system exists to satisfy inspectors, not to prevent accidents.
The plants that get real safety results from the dual prevention system do something fundamentally different: they integrate it into daily operations so that risk awareness and hazard reporting become part of how the plant runs, not a separate compliance activity.
This article breaks down what the dual prevention system actually requires, where most implementations fail, and how to build one that operators use because it makes their jobs easier, not because they’re told to.
Part 1: What the Dual Prevention System Actually Is
The dual prevention system has two connected components:
Tier 1: Risk Classification and Management (风险分级管控)
Identify every hazard in the facility. Assess the risk (severity × probability). Classify it into one of four color-coded risk levels. Assign control measures. Assign responsibility for monitoring each risk. Update when anything changes.
Tier 2: Hidden Hazard Investigation and Treatment (隐患排查治理)
Systematically check that the control measures identified in Tier 1 are actually in place and working. When a gap is found (a “hidden hazard” or 隐患), record it, assign corrective action, fix it, and verify the fix worked. Track trends.
The two tiers are a feedback loop: Tier 1 tells you what to control. Tier 2 tells you whether your controls are holding. When a hidden hazard is found in Tier 2 that wasn’t addressed by Tier 1 controls, Tier 1 gets updated. The system gets smarter over time.
Simple in concept. Hard in execution because it requires sustained operational discipline, not a one-time consulting engagement.
Part 2: The Four Risk Levels — And How to Assign Them Without Endless Arguments
Risk level determines everything: inspection frequency, approval authority for corrective actions, reporting requirements, and who’s accountable. Getting the classification right is the foundation—and the place where most systems fall into either over-classification (everything is “major,” so nothing is) or under-classification (nobody wants to admit their area is Red).
The Standard Framework
| Risk Level | Color | Acceptability | Approval Authority | Review Frequency |
|---|---|---|---|---|
| Level 1 (Major) | Red | Unacceptable without additional controls | Plant GM + Corporate | Monthly |
| Level 2 (Significant) | Orange | Tolerable with strict controls | Department Head + EHS Manager | Quarterly |
| Level 3 (Moderate) | Yellow | Acceptable with existing controls | Area Supervisor | Semi-annually |
| Level 4 (Low) | Blue | Acceptable, routine management | Team Leader | Annually |
How to Classify Without Subjectivity
The most common implementation failure: risk classification becomes a negotiation. The production manager argues for Yellow because Orange means more paperwork. The EHS manager argues for Orange because “better safe than sorry.” Neither argument is based on anything objective.
Use a matrix. It’s not perfect, but it’s consistent—and consistency is more important than precision for a system that needs to be maintained by operations personnel, not risk engineers.
Probability scale:
- A: Expected to occur in the facility lifetime (>1/year)
- B: Has occurred in similar facilities (1/10 years)
- C: Has occurred in the industry (1/100 years)
- D: Theoretically possible, no industry precedent
Severity scale:
- 1: Fatality or permanent disability
- 2: Lost-time injury or serious occupational illness
- 3: Medical treatment, restricted work
- 4: First aid or no injury
The matrix:
```
     A       B       C       D
1    RED     RED     ORANGE  ORANGE
2    RED     ORANGE  ORANGE  YELLOW
3    ORANGE  ORANGE  YELLOW  BLUE
4    YELLOW  YELLOW  BLUE    BLUE
```
Every hazard gets a letter-number pair, and the matrix gives the color. No arguments. If two people assess the same hazard differently, the higher severity wins, and the assessment gets reviewed by the EHS manager.
What Most Plants Miss: The Hazard Inventory Scope
A hazard inventory that only covers chemical storage tanks and pressure vessels is incomplete. The dual prevention system scope should cover:
- Process hazards: toxic, flammable, reactive, explosive materials and conditions
- Equipment hazards: rotating machinery, electrical, pressurized systems, lifting equipment
- Work activity hazards: confined space entry, hot work, working at height, energized work
- Environmental hazards: releases to air/water/soil, waste mismanagement
- Human factors: fatigue, understaffing, inadequate training, unclear procedures
For a typical medium-sized chemical plant, expect 200-500 identified hazards in the initial assessment. If you have fewer than 100, you’re probably not looking hard enough.
Part 3: Hidden Hazard Investigation — Making It a Daily Habit, Not a Monthly Chore
The investigation side of the system is where theory meets reality. Every plant has hazards. The question is whether anyone notices and reports them before they cause an incident.
The Four Investigation Levels
The system requires hazard investigation at multiple organizational levels, with different frequency and scope:
Level 1: Operator Shift Inspection (every shift)
The operator walks their area at the start of each shift. Checklist-based. Covers their assigned equipment and work area. Checks the Tier 1 controls: Are the safeguards in place? Any new hazards since last shift? Any abnormal conditions?
Key design principle: the operator checklist should take 15 minutes maximum. If it’s longer, operators will rush through it or falsify it. Prioritize the items that can kill someone or shut down the plant. Everything else goes on a less frequent inspection.
Level 2: Area Supervisor Weekly Inspection (weekly)
Broader scope. Covers cross-area issues the operator might miss: housekeeping, access/egress, emergency equipment condition, permit-to-work compliance. Supervisor inspections should find things operators miss—that’s their value. If supervisors are finding the same things operators find, your operator checklist is too broad.
Level 3: Department Monthly Inspection (monthly)
Department head or deputy leads this. Management visibility. Checks whether the lower-level inspections are actually happening and generating corrective actions. Reviews open corrective actions for timeliness. Identifies systemic issues: three similar hazards in three different areas means the process, not the people, needs fixing.
Level 4: Plant Quarterly Comprehensive Inspection (quarterly)
Cross-department team. Plant manager or deputy leads. Focuses on systemic and management-level issues. Reviews the dual prevention system itself: Is it working? Are risk levels accurate? Are we finding fewer hazards over time (as we should be) or the same ones repeatedly?
The Reporting Mechanism: Make It Frictionless
If reporting a hazard requires filling out a paper form and submitting it to the EHS office, most hazards won’t get reported. The operator who notices a loose handrail at 2 AM on night shift will make a mental note to “mention it tomorrow” and won’t.
Effective systems use one of:
- QR code at each area: scan, take a photo, type one sentence, submit. 30 seconds.
- WeChat mini-program: already installed, already logged in. Same 30-second submission.
- DCS/SCADA integration: for process deviations, the alarm log IS the hazard report. No separate filing.
The submission captures: what, where, when, who reported it, and optionally a photo. The EHS system handles routing, assignment, tracking, and closure verification. The reporter’s job is to notice and report—not to classify, not to assess, not to fix.
Corrective Action: The Three-Day Rule
A hazard reported and not assigned within 24 hours is a systemic failure. A corrective action open for more than 90 days without an approved exception is a systemic failure. Between those two points:
- Level 4 (Blue) hazards: fix within 30 days, or document why longer is acceptable
- Level 3 (Yellow) hazards: fix within 14 days
- Level 2 (Orange) hazards: fix within 7 days, or implement temporary controls within 48 hours
- Level 1 (Red) hazards: immediate temporary controls (same shift), permanent fix within 72 hours, or stop the activity
Temporary controls are not optional for Red and Orange hazards. If you can’t fix it immediately, you must make it safe. A leaking flange on a steam line at 10 bar that can’t be isolated until the next scheduled shutdown: the temporary control is a steam barrier, warning signs, restricted access, and operator checks every 2 hours. Documented. Approved by the area supervisor.
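The deadlines above can be checked mechanically against the corrective-action log. The following is an added example, not code from any EHS product: the record fields, the 8-hour reading of "same shift", and the single `exception` flag (standing in for a documented justification, an approved exception, or a stopped activity) are assumptions, and timely temporary controls are taken to satisfy the Orange 7-day rule per the "or" in the list.

```python
from datetime import datetime, timedelta

H, D = timedelta(hours=1), timedelta(days=1)
# level -> (permanent-fix deadline, temporary-control deadline or None)
SLA = {"BLUE": (30 * D, None), "YELLOW": (14 * D, None),
       "ORANGE": (7 * D, 48 * H),
       "RED": (72 * H, 8 * H)}  # assumption: "same shift" means 8 hours

def check(rec, now):
    """Return the rule violations for one corrective-action record as of `now`."""
    def elapsed(field):
        # Time from report until the event, or until now if it has not happened.
        return (rec.get(field) or now) - rec["reported"]
    fix_due, temp_due = SLA[rec["level"]]
    excused = rec.get("exception", False)  # assumed flag, see lead-in
    out = []
    if elapsed("assigned") > 24 * H:
        out.append("unassigned after 24 h")
    temp_ok = True
    if temp_due is not None:
        # Closing the action inside the window also makes the area safe.
        temp_ok = min(elapsed("temp_control"), elapsed("closed")) <= temp_due
        if not temp_ok:
            out.append("no temporary controls in time")
    covered = excused or (rec["level"] == "ORANGE" and temp_ok)
    if elapsed("closed") > fix_due and not covered:
        out.append("permanent fix overdue")
    if elapsed("closed") > 90 * D and not excused:
        out.append("open more than 90 days without exception")
    return out

def audit(records, now):
    """Map record id -> violations, listing only records that break a rule."""
    results = {r["id"]: check(r, now) for r in records}
    return {k: v for k, v in results.items() if v}

# Constructed sample records, not data from a real plant.
NOW = datetime(2024, 3, 10, 8)
SAMPLE = [
    {"id": "H-1", "level": "RED", "reported": datetime(2024, 3, 9, 2),
     "assigned": datetime(2024, 3, 9, 3), "temp_control": datetime(2024, 3, 9, 4)},
    {"id": "H-2", "level": "ORANGE", "reported": datetime(2024, 3, 1, 8),
     "assigned": datetime(2024, 3, 2, 12)},
    {"id": "H-3", "level": "ORANGE", "reported": datetime(2024, 3, 1, 8),
     "assigned": datetime(2024, 3, 1, 9), "temp_control": datetime(2024, 3, 2, 8)},
    {"id": "H-4", "level": "BLUE", "reported": datetime(2024, 1, 20, 8),
     "assigned": datetime(2024, 1, 20, 10), "exception": True},
]

if __name__ == "__main__":
    for hazard_id, problems in audit(SAMPLE, NOW).items():
        print(hazard_id, problems)
```

Only H-2 is flagged in the sample: it was assigned late, never received temporary controls, and is past its 7-day fix window.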
Part 4: Making It Stick — Integration With Existing Systems
The dual prevention system fails when it’s treated as a standalone compliance exercise. It works when it’s integrated into the systems the plant is already running.
Integration Points
Permit to Work (PTW): Every PTW should reference the risk classification for the work area. The permit issuer checks whether the dual prevention system has any open Red or Orange hazards in the work zone. If yes, the permit includes additional controls or is denied until the hazard is addressed.
Management of Change (MOC): When equipment, process, or personnel change, the dual prevention system must be updated. The MOC checklist includes: “Does this change introduce new hazards? Does it affect existing risk classifications? Does it require new control measures?” If the answer to any is yes, the hazard inventory gets updated before the change is approved, not after.
Incident Investigation: Every incident (including near-misses) triggers a review of the relevant hazard inventory entries. Was the hazard identified? Was it correctly classified? Were the controls adequate? If the incident occurred because of a hazard that wasn’t in the inventory, the inventory gets updated. This is how the system learns.
Training: Operator training includes the hazard inventory for their work area. Not as a separate “safety training module”—as part of process training. “Here’s how the reactor works. Here’s what can go wrong. Here’s what the controls are. Here’s where to look for problems.” Safety isn’t a separate subject; it’s part of knowing how to run the equipment.
The Metrics That Matter
Don’t measure “number of hazards identified.” That incentivizes finding trivial issues to hit targets. Measure:
- Closure rate: percentage of corrective actions closed within their target timeframe. Target: >95%.
- Reopen rate: percentage of closed corrective actions that were reopened because the fix didn’t work. Target: <5%.
- Repeat hazard rate: percentage of new hazards that are substantively identical to previously identified and closed hazards. Target: trending toward zero.
- Near-miss reporting rate: near-misses per 1,000 worked hours. Should increase initially (as reporting culture improves), then plateau or decrease (as hazards are systematically addressed).
- Time to assign: average hours from hazard report to assignment. Target: <24 hours for Yellow and above, <48 hours for Blue.
If you measure only “number of hazards found,” you’ll get a lot of unsecured cable ties reported. If you measure closure rate and repeat rate, you’ll get systemic problems actually fixed.
Part 5: The Audit Test — Can You Pass Without a Warning?
When the government inspector arrives, they’re looking for three things:
1. The documentation exists — hazard inventory, risk classification records, inspection records, corrective action tracking. This is the minimum bar and the one most plants focus on.
2. The system is being used — inspection records show dates, times, findings, and signatures. Corrective actions have before/after photos. Risk classifications have been updated within the last year. The system is alive, not archived.
3. Frontline personnel know it — ask an operator: “What are the Red-level hazards in your area? What controls are in place? When did you last report a hazard? What happened to it?” If the operator can’t answer, the system isn’t operational regardless of what the binders say.
The plants that pass without warnings or corrective orders are the ones where Level 3 is the norm, not the aspiration. The inspector can tell the difference between a paper system and an operational one within 30 minutes of being on the shop floor.
Summary
The dual prevention system is fundamentally a feedback loop: identify hazards → classify risk → implement controls → inspect controls → fix gaps → update hazard inventory → repeat.
The implementation doesn’t need to be complicated. It needs to be:
- Simple enough that operators use it without being reminded
- Fast enough that reporting a hazard takes less time than ignoring it
- Visible enough that people see their reports leading to fixes
- Integrated enough that it’s part of running the plant, not separate from it
The plants with the best safety records don’t have the most elaborate dual prevention documentation. They have the one where the loop actually closes.
*What’s your experience with the dual prevention system? If you’ve seen an implementation that actually worked—or one that was pure paperwork—I’d like to hear about it.*