A Systemic Approach to Safety Management
By
Jaime Santos-Reyes
SEPI-ESIME-IPN-MEXICO
&
Alan N. Beard
Heriot-Watt University, UK.
Working On Safety, Netherlands, 2006
A Systemic Approach to Disaster Management
Contents
• Introduction
• Safety management systems
• The need for a systemic approach
• A systemic safety management system model
• Conclusions
1. Introduction
• Bhopal, India, 1984, (Bidwai, 1984)
• San Juanico, México, 1984, (Bleve, 1985)
• Piper Alpha, UK, 1988, (Cullen, 1990)
• Chernobyl, Ukraine, 1987, (Mosey, 1990)
• Train disaster, Pakistan, 2005, (BBC, 2005)
• Paddington train accident, UK, 1999, (Cullen, 2001)
• Eschede train accident, Germany, 1998 (Kuepper, 1999)
• Train accident, Japan, 2005, (BBC, 2005)
• Jet crash, Venezuela, 2005, (BBC, 2005)
• Oil rig fire, India, 2005, (BBC, 2005)
• Several accidents, PEMEX, Mexico, 2005, (Vidal, 2005)
The above have highlighted the need for addressing safety proactively.
In addition to this, the emergence of new regulations and international standards has driven organizations to improve their safety performance. As a result of this, organizations have to some extent shifted from a prescriptive approach to a flexible approach to risk.
Under the prescriptive approach, regulations explain how to ‘achieve safety’, whilst with the flexible approach, regulations explain what organizations must achieve but leave how they achieve it to them.
2. Safety management systems
A great deal of effort has been made by academe, regulators and industry to investigate and develop approaches to address safety and the environment.
Health & Safety Management Systems
• HSG65 (1997)-Successful health & safety management
• BS 8800: 2004-Occupational health & safety management systems guide
• OHSAS 18001: Occupational health & safety management systems (OHSMS)
• ANSI/AIHA Z10: Occupational health and safety management systems
• ILO OSH: 2001-Guidelines on occupational safety & health management systems
Environmental & quality management systems
• BS EN ISO 14000 series
• BS EN ISO 9000 series
Other
3. The need for a systemic approach
The approaches to safety reviewed in the last section seem to put emphasis on management functions, guidelines, industry standards, quality principles, to establish the SMS of organizations. These approaches may represent a step forward to managing safety but may not be enough to address the management of risk effectively.
Furthermore, it may be argued that these approaches are ‘systematic’. To be ‘systematic’ is to be ‘methodical’ or ‘tidy’. In this context it means that the approaches tend to concentrate on functions dealing with policy, organising, planning, audit, measuring performance, etc.
All of these functions are necessary but may not be sufficient to achieve effectiveness of a SMS. It is certainly important to be systematic. However, a SMS needs to be more than this; it is also necessary to try to be ‘systemic’.
A SMS should try to consider the organization in its entirety; i.e. from top to bottom; the channels of communication, the people, etc. In addition, it should take into account the ‘environment’; i.e., all those circumstances that lie outside the system to which the system response is necessary; for example political & economic drivers.
In short, there is a need for a systemic approach. Systemic may be defined as trying to see things as a whole and attempting to see events, including failure, as products of the working of a system.
A systemic approach has been adopted to construct a SSMS model.
4. A systemic safety management system
The Systemic Safety Management System (SSMS) model is intended to maintain risk within an acceptable range in an organization’s operations in a coherent way.
The model is proposed as a sufficient structure for an effective safety management system.
It has a fundamentally preventive potentiality in that if all the sub-systems and channels of communication are present and working effectively the probability of a failure should be less than otherwise.
The fundamental characteristics of the SSMS
• The SSMS and Its Environment
• Commitment to safety
• A recursive structure (i.e. ‘layered’) and relative autonomy
• A structural organization which consists of a ‘basic unit’ in which it is necessary to achieve five functions associated with systems 1 to 5.
• Concepts of Viability, MRA (Maximum Risk Acceptable) and acceptable range of risk
• Four principles of organization
• ‘Paradigms’ are intended to act as ‘templates’ giving essential features for ‘human factors’ and for effective communication & control.
4.1 Commitment to safety
An Externally Committed System (ECS) refers to the safety performance of systems that are committed to a particular purpose, function, or objective based on external reasons or motivation. This definition addresses both technical aspects and humans. For example, tasks in the organization are defined by others, etc.
An Internally Committed System (ICS) is a system that is committed to a particular purpose or objective based on its own reasons or motivation. In other words, an ICS refers to the critical awareness of self-reflective human beings regarding their purposes and the implications of their actions for all those who might be affected by the consequences. For instance, employees participate in defining tasks, etc.
4.2 The SSMS & Its Environment
[Figure: the SSMS model, showing systems 1, 2, 3, 3*, 4, 4* and 5, the SMU, Operations and the ‘hot-line’ within the total environment]
The environment
‘Environment’ may be understood as being those circumstances to which the SSMS response is necessary.
‘Environment’ lies outside the SSMS but interacts with it; it is the source of circumstances that threaten the system.
Examples:
• Socio Political (legislation, regulatory enforcement, major accidents, technology, trade unions, national & local cultures, etc.)
• Economical (trading conditions, economic interests, etc.)
• Physical (geographical location, climate, etc.)
4.3 Recursive structure of the SSMS
Recursion may be regarded as a ‘level’, which has other levels below or above it.
[Figure: Recursion 1 (Level 1): System 1 with TSMU and TO]
TSMU = Total Safety Management Unit
TO = Total Operations
Recursive structure
[Figure: Recursion 1 (Level 1): System 1 with TSMU and TO; Recursion 2 (Level 2): System 1 with ASMU, AO, BSMU and BO]
TSMU = Total Safety Management Unit
TO = Total Operations
ASMU = A-Safety Management Unit
AO = A-Operations
BSMU = B-Safety Management Unit
BO = B-Operations
Recursive structure of the SSMS model
[Figure: Recursion 1 (Level 1), Level 2 and Recursion 3 (Level 3): Total Operations (TSMU, TO), A-Operations (ASMU, AO) and B-Operations (BSMU, BO), with the sub-systems that form part of system 1 (A1O, A2O, A3O; B1O, B2O, B3O; B1SMU, B2SMU, B3SMU); horizontal inter-dependence and vertical inter-dependence]
TSMU = Total Safety Management Unit
TO = Total Operations
ASMU = A-Safety Management Unit
AO = A-Operations
BSMU = B-Safety Management Unit
BO = B-Operations
Example - Recursive structure
[Figure: Level 1: TRSMU and TRO; Level 2: System 1 with RISMU, RIO, TSMU and TO; Recursion 3 (Level 3): System 1 with SSMU, SO, TKSMU, TKO, OSMU and OO; vertical inter-dependence]
TRSMU = Total Railway Safety Management Unit
TRO = Total Railway Operations
RISMU = Rail Infrastructure Safety Management Unit
RIO = Rail Infrastructure Operations
TSMU = Train Safety Management Unit
TO = Train Operations
SSMU = Signalling Safety Management Unit
SO = Signalling Operations
TKSMU = Track Safety Management Unit
TKO = Track Operations
OSMU = Other Safety Management Unit
OO = Other Operations
4.4 Structural organization of the SSMS
[Figure: the SSMS model, showing systems 1, 2, 3, 3*, 4, 4* and 5, the SMU, Operations and the ‘hot-line’ within the total environment]
System 1: safety-policy implementation
[Figure: system 1, showing the SMU and Operations within the total environment]
Function of system 1:
System 1 implements safety policies in the operations of system 1. System 1 consists of one or more operations within an organization that deal directly with the organization’s ‘core’ activities.
The circle encloses all the relevant operations or activities that take place to produce products or services.
It should be monitored because it is here where risks are created.
Components of system 1:
The square box deals with all the managerial activity needed to run the operations and implements the safety policy of the organization.
It monitors on a continuous basis the level of risk in the operations.
System 1’s ‘environment’.
The elliptical symbol represents the ‘environment’ of system 1. The environment lies outside system 1 but interacts with it. It influences and is influenced by system 1.
For instance, system 1 should monitor the resources and information entering the organization, so that hazards and risks are eliminated or minimized.
In addition, system 1 should consider all those aspects described in section 4.2.
The lines that connect the square, circle & the elliptical symbol refer to the channels of communication.
Safety management and the monitoring process
Control and communication may be regarded as the key concepts in the process of safety management and monitoring.
The objective of the safety management system (SMS) is to maintain risk within an acceptable range & its main activities are:
{a} to monitor the resources (e.g. materials, people, machines, etc) and information entering the organization; i.e. the operations, so that hazards and risks are eliminated or kept within an acceptable range.
{b} to plan or set safety objectives (e.g. performance standards). These safety objectives may be represented in comparators. The function of a comparator is to enable comparison with the risk related ‘output’, that is, to compare risk related performance with the planned safety objectives.
In doing this, the SMU can detect any deviation from the planned safety objectives through the comparator.
If a deviation occurs then the SMU would adjust the ‘operations’ and bring it in line with the accepted criteria.
{c} to devise “risk control systems” (RCS) which should, in principle, address the risks created in the operations of the organization.
The RCS should reflect the risk profile; that is, the greater the risk, the more robust and reliable the control systems need to be.
The main activities involved are the following:
{1} Hazard identification: finding out what could possibly happen within the system which could lead to harm.
This means identifying ‘crucial events’ and possible consequences.
{2} Risk Analysis: to estimate the probabilities of particular consequences.
{3} Risk Evaluation: deciding what to do i.e. how to control the risk; deciding on suitable measures to control or eliminate risk.
De-composition of system 1
System 1 may be decomposed into geography or functions.
System 1 de-composed on a basis of functions
Example: Maintenance work – Railway system
[Figure: System 1 with the operations ESTO, TAO and MMO and the units S&ES, S&ES and ES]
S&ES = Signaller & Engineer Supervisor
ESTO = Engineer’s scrap train Operations
S&ES = Signaller & Engineer Supervisor
TAO = Tamping Operations
ES = Engineer Supervisor
MMO = Movement of S&C materials Operations
(a) Track / Rail interface – Railway system
[Figure: System 1 with RISMU, RIO, TSMU and TO]
RISMU = Rail Infrastructure Safety Management Unit
RIO = Rail Infrastructure Operations
TSMU = Train Safety Management Unit
TO = Train Operations
(c) Piper Alpha field
[Figure: System 1 with PSMU, PAO, CSMU, CLO, TSMU, TARO, MCSMU, MCO, FSMU and FLO]
PSMU = Piper Safety Management Unit
PAO = Piper Alpha Operations
CSMU = Claymore Safety Management Unit
CLO = Claymore Operations
TSMU = Tartan Safety Management Unit
TARO = Tartan Operations
MCSMU = MC Safety Management Unit
MCO = MCP-01 Operations
FSMU = Flotta Safety Management Unit
FLO = Flotta Operations
Horizontal inter-dependence
[Figure: horizontal inter-dependence between PSMU, PAO, CSMU, CO, TSMU, TO, MCSMU, MCPO, FSMU and FTO]
PSMU = Piper Safety Management Unit
PAO = Piper Alpha Operations
CSMU = Claymore Safety Management Unit
CO = Claymore Operations
TSMU = Tartan Safety Management Unit
TO = Tartan Operations
MCSMU = MC Safety Management Unit
MCPO = MCP Operations
FSMU = Flotta Safety Management Unit
FTO = Flotta Terminal Operations
System 1 & systems 2, 3 & 3*
[Figure: the SSMS model, showing systems 1, 2, 3, 3*, 4, 4* and 5, the SMU, Operations and the ‘hot-line’ within the total environment]
System 1: implements safety policies in the organization’s operations. System 1 consists of one or more operations within the industry that deal directly with the organization’s ‘core’ business activities.
System 2: Safety–Co-ordination
• to co-ordinate the activities of the operations of system 1 (System 1 is made of two or more sub-systems)
• along with system 1, implements the safety plans received from system 3
• informs system 3 about the performance of the operations of system 1.
• Examples:
  • maintenance schedules, process changes, etc.
  • co-ordination during an emergency
[Figure: the SSMS model with System 1 shown as ASMU, AO, BSMU and BO, together with systems 2, 3, 3*, 4, 4* and 5 and the ‘hot-line’, within the total environment]
System 3: Safety–functional
• directly responsible for maintaining risk within an acceptable range in system 1.
• ensures that system 1 implements the safety policies.
• it achieves its function on a day-to-day basis according to the plans received from system 4
• requests from systems 1, 2 & 3* information about the performance of system 1 to formulate its safety plans & to communicate future needs to system 4.
• responsible for allocating the necessary resources to system 1 to accomplish the safety plans; e.g. training, etc.
System 3*: safety – Audit
[Figure: the SSMS model, showing systems 1, 2, 3, 3*, 4, 4* and 5, the SMU, Operations and the ‘hot-line’]
• conducts audits sporadically into the operations of system 1
• intervenes in the operations of system 1 according to the plans received from system 3
• needs to ensure that the reports received from system 1 reflect not only the current status of the operations of system 1, but are also aligned with the overall objectives of the organization
• Examples:
  • revisions of the adequacy & functioning of the fixed installations; i.e. fire fighting systems, electrical supply systems, water supply systems, etc.
System 4: safety – development
• concerned with safety related research & development for the continual adaptation of the safety management system as a whole
By considering strengths, weaknesses, threats & opportunities, system 4 can suggest changes to the safety policies
• first, it deals with the policy received from system 5
• second, it senses all relevant threats & opportunities from the ‘total environment’
• third, deals with all relevant needs of system 1’s performance & its potential future.
[Figure: the SSMS model, showing systems 1, 2, 3, 3*, 4 and 5, the SMU, Operations and the ‘hot-line’ within the total environment]
System 4*: safety–Confidential report
[Figure: the SSMS model, showing systems 1, 2, 3, 3*, 4, 4* and 5, the SMU, Operations and the ‘hot-line’]
• is part of system 4 and is concerned with confidential reports or causes of concern from any person, about any aspects, some of which may require the direct and immediate intervention of system 5.
System 5: safety–Policy
• responsible for deliberating disaster prevention policies & for making normative decisions
• according to alternative plans received from system 4, system 5 considers and chooses feasible alternatives, which aim to maintain the risk within an acceptable range in the operations of system 1.
• it also monitors the interaction between systems 3 & 4.
• Examples:
  • Promote the culture of safety throughout the whole system;
[Figure: the SSMS model, showing systems 1, 2, 3, 3*, 4 and 5, the SMU, Operations and the ‘hot-line’]
Hot-line: any cause of concern
[Figure: the SSMS model, showing systems 1, 2, 3, 3*, 4, 4* and 5, the SMU, Operations and the ‘hot-line’]
• direct communication or ‘Hot-line’ for use in exceptional circumstances
4.5 The Viability, reliability, risk & MRA
Viability = P (the SSMS has the capacity to maintain the risk within an acceptable range for a stated period of time).
Viability is complementary to the concepts of Risk and Reliability:
Risk = P (particular adverse consequence)
Reliability = P (item or system will perform a required function, under stated conditions, for a stated period of time)
Viability is defined in relation to an acceptable range for the risk, which may be regarded as a range from zero risk to a MRA. Given this, there is a general expectation that the risk should be well below the MRA.
[Figure: risk scale marked Zero risk, Acceptable region, MRA and Totally unacceptable region]
4.6 Paradigms for Communication and control
Communication
Communication is vital in the management of safety of any organization. The communication paradigm is intended to help to identify weaknesses of the SSMS; i.e., links missing, inadequate, etc. A communication paradigm has been suggested by Fortune and Peters (1995).
The model shows a dynamic two-way process of communication in which the sender’s message can be used to modify subsequent messages.
[Figure: Communication paradigm - example of communication between a signaller and a train driver.]
Message: “an emergency stop message”
Source: Signaller
Encoder: Message sent by keyboard (noise: e.g. faulty keyboards)
Channel: Cab Secure Radio (CSR) or DOO radio (noise: e.g. faulty secure radio)
Decoder: Alarm sound in the cab & message flashes up on a screen-Cab (noise: e.g. faulty alarm in the driver’s cab; failure of the screen on the driver’s dashboard to flash up the message)
Destination: Train driver
Rules for symbol use: language of the signaller; language of the train driver (close approximation)
Rules for symbol use: English language rules (assumed to be special terms in the railway industry plus the English language; assumed to be English grammar plus special language between signallers & train driver)
Feedback verification
Control
A basic control paradigm is shown in Fig. B2. This diagram is intended to be interpreted in a very general sense and not simply in a ‘hard engineering’ way. The management or controller and the system or organization under control are inseparable in the SSMS model.
The sources of control are spread through the whole structure of the SSMS rather than localised within a separate system.
[Figure: Control Paradigm, showing Input, Operations, Output, Comparator, Basis for comparison, Reactive adjuster, Proactive adjuster, Input changer-A, Input changer-B and Unexpected disturbances]
5. Conclusions
A Systemic Safety Management System (SSMS) model has been put forward.
The SSMS aims to maintain risk within an acceptable range in the operations of any organization in a coherent way.
If the features of the model; i.e. the systems, their associated functions, and the channels of communication are in place and working effectively then the probability of an accident should be less than otherwise.
In this way the SSMS has a fundamentally preventive potentiality. The model is intended to provide a sufficient set of features (including structure and process) to achieve the aim of maintaining risk within an acceptable range.
The idea of the viability of a safety management system has been introduced; the viability being the probability that the safety management system will be able to maintain the risk within an acceptable range for a given period of time.
The model is capable of being applied proactively in the case of a new system or an existing one as well as reactively.
In the latter case a past failure, whether disastrous or not, may be examined using the SSMS model. In this way, lessons may be drawn from past accidents.
It may also be employed as a ‘template’ to examine an existing SMS.
In the case of a new installation the safety management system should be considered at the very beginning of the design stage; not as a ‘bolt-on’ at the end.
It is hoped that this approach will lead to more effective management of safety.