Title: A Systemic Approach to Safety Management
SEPI-ESIME-IPN-MEXICO
Alan N. Beard
Heriot-Watt University, UK.
Working On Safety, Netherlands, 2006
A Systemic Approach to Disaster Management
- Contents
- Introduction
- Safety management systems
- The need for a systemic approach
- A systemic safety management system model
- Conclusions
1. Introduction
- Bhopal, India, 1984 (Bidwai, 1984)
- San Juanico, México, 1984 (Bleve, 1985)
- Piper Alpha, UK, 1988 (Cullen, 1990)
- Chernobyl, Ukraine, 1987 (Mosey, 1990)
- Train disaster, Pakistan, 2005 (BBC, 2005)
- Paddington train accident, UK, 1999 (Cullen, 2001)
- Eschede train accident, Germany, 1998 (Kuepper, 1999)
- Train accident, Japan, 2005 (BBC, 2005)
- Jet crash, Venezuela, 2005 (BBC, 2005)
- Oil rig fire, India, 2005 (BBC, 2005)
- Several accidents, PEMEX, Mexico, 2005 (Vidal, 2005)
- The above have highlighted the need for addressing safety proactively.
- In addition to this, the emergence of new regulations and international standards has driven organizations to improve their safety performance. As a result of this, organizations have to some extent shifted from a prescriptive approach to a flexible approach to risk.
- Under the prescriptive approach, regulations explain how to achieve safety, whilst with the flexible approach, regulations explain what organizations must achieve but leave how they achieve it to them.
2. Safety management systems
- A great deal of effort has been made by academe, regulators and industry to investigate and develop approaches to address safety and the environment.
- Environmental and quality management systems
  - BS EN ISO 14000 series
  - BS EN ISO 9000 series
- Health and Safety Management Systems
  - HSG65 (1997) - Successful health and safety management
  - BS 8800:2004 - Occupational health and safety management systems guide
  - OHSAS 18001 - Occupational health and safety management systems (OHSMS)
  - ANSI/AIHA Z10 - Occupational health and safety management systems
  - ILO-OSH 2001 - Guidelines on occupational safety and health management systems
- Other
3. The need for a systemic approach
- The approaches to safety reviewed in the last section seem to put emphasis on management functions, guidelines, industry standards and quality principles to establish the SMS of organizations. These approaches may represent a step forward in managing safety but may not be enough to address the management of risk effectively.
- Furthermore, it may be argued that these approaches are systematic. To be systematic is to be methodical or tidy. In this context it means that the approaches tend to concentrate on functions dealing with policy, organising, planning, audit, measuring performance, etc.
- All of these functions are necessary but may not be sufficient to achieve effectiveness of a SMS. It is certainly important to be systematic. However, a SMS needs to be more than this; it is also necessary to try to be systemic.
- A SMS should try to consider the organization in its entirety, i.e. from top to bottom: the channels of communication, the people, etc. In addition, it should take into account the environment, i.e. all those circumstances that lie outside the system to which the system response is necessary, for example political and economic drivers.
- In short, there is a need for a systemic approach. Systemic may be defined as trying to see things as a whole and attempting to see events, including failure, as products of the working of a system.
- A systemic approach has been adopted to construct a SSMS model.
4. A systemic safety management system
- The Systemic Safety Management System (SSMS) model is intended to maintain risk within an acceptable range in an organization's operations in a coherent way.
- The model is proposed as a sufficient structure for an effective safety management system.
- It has a fundamentally preventive potentiality in that if all the sub-systems and channels of communication are present and working effectively, the probability of a failure should be less than otherwise.
The fundamental characteristics of the SSMS
- The SSMS and Its Environment
- Commitment to safety
- A recursive structure (i.e. layered) and relative autonomy
- A structural organization which consists of a basic unit in which it is necessary to achieve five functions associated with systems 1 to 5.
- Concepts of Viability, MRA (Maximum Risk Acceptable) and acceptable range of risk
- Four principles of organization
- Paradigms are intended to act as templates giving essential features for human factors and for effective communication and control.
4.1 Commitment to safety
- An Externally Committed System (ECS) refers to the safety performance of systems that are committed to a particular purpose, function, or objective based on external reasons or motivation. This definition addresses both technical aspects and humans. For example, tasks in the organization are defined by others, etc.
- An Internally Committed System (ICS) is a system that is committed to a particular purpose or objective based on its own reasons or motivation. In other words, an ICS refers to the critical awareness of self-reflective human beings regarding their purposes and the implications of their actions for all those who might be affected by the consequences. For instance, employees participate in defining tasks, etc.
4.2 The SSMS and Its Environment
The environment
Environment may be understood as being those circumstances to which the SSMS response is necessary. Environment lies outside the SSMS but interacts with it; it is the source of circumstances that threaten the system.
Examples:
- Socio-political (legislation, regulatory enforcement, major accidents, technology, trade unions, national and local cultures, etc.)
- Economical (trading conditions, economic interests, etc.)
- Physical (geographical location, climate, etc.)
[Figure label: Total Environment]
4.3 Recursive structure of the SSMS
- Recursion may be regarded as a level, which has other levels below or above it.
TSMU = Total Safety Management Unit; TO = Total Operations
Recursive structure
[Figure labels: Recursion 1 (Level 1); System 1]
TSMU = Total Safety Management Unit; TO = Total Operations
ASMU = A-Safety Management Unit; AO = A-Operations
BSMU = B-Safety Management Unit; BO = B-Operations
Recursive structure of the SSMS model
[Figure labels: Recursion 1 (Level 1); Recursion 3 (Level 3)]
TSMU = Total Safety Management Unit; TO = Total Operations
ASMU = A-Safety Management Unit; AO = A-Operations
BSMU = B-Safety Management Unit; BO = B-Operations
Example: Recursive structure
[Figure label: (Level 1)]
TRSMU = Total Railway Safety Management Unit; TRO = Total Railway Operations
RISMU = Rail Infrastructure Safety Management Unit; RIO = Rail Infrastructure Operations
TSMU = Train Safety Management Unit; TO = Train Operations
SSMU = Signalling Safety Management Unit; SO = Signalling Operations
TKSMU = Track Safety Management Unit; TKO = Track Operations
OSMU = Other Safety Management Unit; OO = Other Operations
4.4 Structural organization of the SSMS
System 1: safety-policy implementation
Function of system 1: System 1 implements safety policies in the operations of system 1. System 1 consists of one or more operations within an organization that deal directly with the organization's core activities.
Components of system 1: The square box deals with all the managerial activity needed to run the operations and implements the safety policy of the organization. It monitors on a continuous basis the level of risk in the operations. The circle encloses all the relevant operations or activities that take place to produce products or services. It should be monitored because it is here where risks are created.
[Figure label: Total environment]
System 1's environment: The elliptical symbol represents the environment of system 1. Environment lies outside system 1 but interacts with it. It influences and is influenced by system 1.
For instance, system 1 should monitor the resources and information entering the organization so that hazards and risks are eliminated or minimized.
In addition, system 1 should consider all those aspects described in section 4.2. The lines that connect the square, circle and the elliptical symbol refer to the channels of communication.
[Figure labels: system 1; SMU; Operations]
Safety management and the monitoring process
Control and communication may be regarded as the key concepts in the process of safety management and monitoring.
The objective of the safety management system (SMS) is to maintain risk within an acceptable range; its main activities are:
a) to monitor the resources (e.g. materials, people, machines, etc.) and information entering the organization, i.e. the operations, so that hazards and risks are eliminated or kept within an acceptable range.
b) to plan or set safety objectives (e.g. performance standards). These safety objectives may be represented in comparators. The function of a comparator is to enable comparison with the risk-related output, that is, to compare risk-related performance with the planned safety objectives. In doing this, the SMU can detect any deviation from the planned safety objectives through the comparator. If a deviation occurs, then the SMU would adjust the operations and bring them in line with the accepted criteria.
c) to devise risk control systems (RCS) which should, in principle, address the risks created in the operations of the organization. The RCS should reflect the risk profile; that is, the greater the risk, the more robust and reliable the control systems need to be.
The main activities involved are the following:
1. Hazard identification: finding out what could possibly happen within the system which could lead to harm. This means identifying crucial events and possible consequences.
2. Risk Analysis: to estimate the probabilities of particular consequences.
3. Risk Evaluation: deciding what to do, i.e. how to control the risk; deciding on suitable measures to control or eliminate risk.
De-composition of system 1
System 1 may be decomposed on the basis of geography or functions.
System 1 de-composed on a basis of functions. Example: maintenance work, railway system.
[Figure label: System 1]
SES = Signaller Engineer Supervisor; ESTO = Engineers scrap train Operations
SES = Signaller Engineer Supervisor; TAO = Tamping Operations
ES = Engineer Supervisor; MMO = Movement of SC materials Operations
Horizontal inter-dependence
PSMU = Piper Safety Management Unit; PAO = Piper Alpha Operations
CSMU = Claymore Safety Management Unit; CO = Claymore Operations
TSMU = Tartan Safety Management Unit; TO = Tartan Operations
MCSMU = MC Safety Management Unit; MCPO = MCP Operations
FSMU = Flotta Safety Management Unit; FTO = Flotta Terminal Operations
System 1, systems 2, 3, 3
System 1 implements safety policies in the organization's operations. System 1 consists of one or more operations within the industry that deal directly with the organization's core business activities.
System 2: Safety Co-ordination
- to co-ordinate the activities of the operations of system 1 (System 1 is made of two or more sub-systems)
- along with system 1, implements the safety plans received from system 3
- informs system 3 about the performance of the operations of system 1.
- Examples
  - maintenance schedules, process changes, etc.
  - co-ordination during an emergency
System 3: Safety functional
- directly responsible for maintaining risk within an acceptable range in system 1.
- ensures that system 1 implements the safety policies.
- it achieves its function on a day-to-day basis according to the plans received from system 4
- requests from systems 1, 2, 3 information about the performance of system 1 to formulate its safety plans and to communicate future needs to system 4.
- responsible for allocating the necessary resources to system 1 to accomplish the safety plans, e.g. training, etc.
System 3: safety audit
- conducts audits sporadically into the operations of system 1
- intervenes in the operations of system 1 according to the plans received from system 3
- needs to ensure that the reports received from system 1 reflect not only the current status of the operations of system 1, but are also aligned with the overall objectives of the organization
- Examples
  - revisions of the adequacy and functioning of the fixed installations, i.e. fire fighting systems, electrical supply systems, water supply systems, etc.
System 4: safety development
- concerned with safety-related research and development for the continual adaptation of the safety management system as a whole
- By considering strengths, weaknesses, threats and opportunities, system 4 can suggest changes to the safety policies
- first, it deals with the policy received from system 5
- second, it senses all relevant threats and opportunities from the total environment
- third, it deals with all relevant needs of system 1's performance and its potential future.
System 4: safety confidential report
- is part of system 4 and is concerned with confidential reports or causes of concern from any person, about any aspects, some of which may require the direct and immediate intervention of system 5.
System 5: safety policy
- responsible for deliberating disaster prevention policies and for making normative decisions
- according to alternative plans received from system 4, system 5 considers and chooses feasible alternatives, which aim to maintain the risk within an acceptable range in the operations of system 1.
- it also monitors the interaction between systems 3 and 4.
- Examples
  - Promote the culture of safety throughout the whole system
Hot-line: any cause of concern
- direct communication or hot-line for use in exceptional circumstances
4.5 Viability, reliability, risk and MRA
Viability = P(the SSMS has the capacity to maintain the risk within an acceptable range for a stated period of time).
Viability is complementary to the concepts of risk and reliability:
Risk = P(particular adverse consequence)
Reliability = P(item or system will perform a required function, under stated conditions, for a stated period of time)
Viability is defined in relation to an acceptable range for the risk, which may be regarded as a range from zero risk to a MRA. Given this, there is a general expectation that the risk should be well below the MRA.
4.6 Paradigms for Communication and control
Communication: Communication is vital in the management of safety of any organization. The communication paradigm is intended to help to identify weaknesses of the SSMS, i.e. links missing, inadequate, etc. A communication paradigm has been suggested by Fortune and Peters (1995). The model shows a dynamic two-way process of communication in which the sender's message can be used to modify subsequent messages.
Communication paradigm - example of communication between a signaller and a train driver.
Control: A basic control paradigm is shown in Fig. B2. This diagram is intended to be interpreted in a very general sense and not simply in a hard engineering way. The management or controller and the system or organization under control are inseparable in the SSMS model. The sources of control are spread through the whole structure of the SSMS rather than localised within a separate system.
[Figure: Control Paradigm. Labels: Input, Operations, Output, Unexpected disturbances, Input changer-A, Input changer-B, Proactive adjuster, Basis for comparison, Comparator, Reactive adjuster]
5. Conclusions
- A Systemic Safety Management System (SSMS) model has been put forward.
- The SSMS aims to maintain risk within an acceptable range in the operations of any organization in a coherent way.
- If the features of the model, i.e. the systems, their associated functions, and the channels of communication, are in place and working effectively, then the probability of an accident should be less than otherwise.
- In this way the SSMS has a fundamentally preventive potentiality. The model is intended to provide a sufficient set of features (including structure and process) to achieve the aim of maintaining risk within an acceptable range.
- The idea of the viability of a safety management system has been introduced, the viability being the probability that the safety management system will be able to maintain the risk within an acceptable range for a given period of time.
Conclusions
- The model is capable of being applied proactively, in the case of a new system or an existing one, as well as reactively.
- In the latter case a past failure, whether disastrous or not, may be examined using the SSMS model. In this way, lessons may be drawn from past accidents.
- It may also be employed as a template to examine an existing SMS.
- In the case of a new installation, the safety management system should be considered at the very beginning of the design stage, not as a bolt-on at the end.
- It is hoped that this approach will lead to more effective management of safety.