Safety Management - Pimpri Chinchwad Polytechnic (pcpolytechnic.com/mechanical/pdf/15.pdf)
TRANSCRIPT
Session 22
Safety Management
Safety Management - 2
Contents
- Evolution of Safety Regulation Systems
  - Level 1: Prescriptive standards
  - Level 2: Process standards
  - Level 3: Risk-based safety management (non-prescriptive standards)
  - Level 4: Safety Management System
- Safety Management Processes
  - Safety management system and manual
  - Safety management plan
- Safety Management System (SMS)
  - Purpose and scope
  - Grand Challenges of SMS
Note: Some additional slides in lecture appendix
Safety Management - 3
A Typical Safety Argument
Recall (from this morning):
- Top-level goal
  - Usually in a context that defines what “adequate safety” means
- Primary argument
  - Risks are appropriately controlled
- Secondary argument
  - Validity of the primary argument
  - Adequacy, and correct use, of the processes
- Evidence
  - Supports all elements of the argument
Safety Management - 4
Prescriptive Standards
- Regulator
  - Prescribes a particular detailed solution
- Company / Certificate Holder
  - Ensures that standards are followed
  - Produces evidence that the solution has been appropriately implemented
- Assumption (is it valid?)
  - By implication, the regulator has constructed an appropriate safety case showing that the “solutions” yield the overall safety goal
Safety Management - 5
Prescriptive Standards
- Can be sufficient if
  - There are few companies in a regulated sector
    - Regulator has good oversight of what each company is doing
  - Few differences between companies
  - There is a high level of state participation
    - Heavy regulation is perceived as acceptable by companies
  - Systems (social and technical “components”) are relatively stable
    - High degree of confidence in the prescribed solution, e.g. military aviation in the inter-war / post-war period
- Still workable for technical systems where there are accepted solutions
- Unsuitable when there are too many differences between organisations
  - For example, the general regulation of civil aviation
- Need a less prescriptive, more flexible and responsive approach…
Safety Management - 6
Process Standards
- Regulator
  - Sets overall safety requirements
  - Prescribes safety and verification processes
- Company / Certificate Holder
  - Uses the process to design the socio-technical system
  - Makes the argument that the proposed mechanisms will be sufficient
  - Provides evidence that the process was followed and the design implemented
- Assumptions
  - Implicit secondary argument
  - Reflects the regulator’s judgement
Safety Management - 7
Process Standards
- Work well in some sub-sectors, where there is:
  - A degree of similarity between regulated organisations / products
  - Relatively slow and gradual evolution of practices in the sector
  - e.g. some aspects of aircraft design / type certification
- Unsuitable where there are fundamentally different business models
  - For example, the modern civil aviation sector as a whole
Safety Management - 8
Risk-Based Approach
- Company / Certificate Holder
  - Selects the most appropriate methods and processes
  - Uses them to identify appropriate mechanisms for ensuring a sufficient level of safety
  - Produces a valid and coherent argument of safety plus supporting evidence (i.e. a safety case)
- Regulator
  - Sets overall safety targets
  - Audits the safety case based on accumulated expertise
  - May take into account items in the Significant Issues List (SIL)
Safety Management - 9
Risk-Based Approach
- Advantages
  - Enables companies to develop solutions suitable for their business
    - Input from the regulator is at the strategic policy level, e.g. top-level goals
  - Makes it clear that companies have liability
    - No “we complied with your standards” argument
- Original risk-based approaches are now considered incomplete
  - Safety activities of different organisations may not be coordinated
    - e.g. supply chain
  - Safety not fully integrated into the management of the business
    - Need to address “soft issues”: human factors, training, culture (see Part 2 of lecture)
  - Too static on its own
    - Assumes an ideal safety case the first time
    - Practice may diverge from the safety case
    - Organisation and operational context may change
  - Doesn’t require or encourage learning
    - Reactive approach to safety management
Safety Management - 10
Safety Management
- A safety management system (SMS)
  - is defined for an organisation
  - sets out the approach to ensuring safety in all aspects of an organisation’s business
  - covers operation and general principles of development
    - although not details of specific projects
  - is typically documented in a safety management manual (SMM)
- A system safety programme plan (SSPP)
  - is defined for a project
  - details safety-specific activities and products, e.g. safety cases
  - will link to project plans, e.g. milestones and reviews
  - will derive some of its contents from the SMS
    - but may override the SMS, e.g. to reflect national legislation
- Focus on “functional safety”, not occupational health and safety
Safety Management - 11
Purpose of an SMS
- Primary aim
  - to provide a framework for the planning, execution and monitoring of all activities needed to meet safety objectives
    - including policies for reducing / managing risk
- Secondary aims
  - to ensure consistency between projects
    - e.g. by using the same risk assessment criteria
  - to help meet / discharge legal and moral obligations
    - e.g. the “duty of care”
  - to contain liability, should an accident occur
- Aims met by setting out
  - organisation and responsibilities, e.g. for decision making
  - policies, e.g. on acceptable levels of risk
  - procedures, e.g. for incident reporting
Safety Management - 12
ICAO SMM 2006
- Overview
- Responsibility for Managing Safety
- State Safety Programme
- Understanding Safety
- Basics of Safety Management
- Risk Management
- Hazard and Incident Reporting
- Safety Investigations
- Safety Analysis and Safety Studies
- Safety Performance Monitoring
- Emergency Response Planning
- Establishing an SMS
- Safety Assessments
- Safety Auditing
- Practical considerations for operating an SMS
- Aircraft Operations
- Air Traffic Services
- Aerodrome Operations
- Aircraft Maintenance
ICAO SMS: “a systematic approach to managing safety, including the necessary organizational structures, accountabilities, policies and procedures.”
Safety Management - 13
Safety Management System - ICAO 9859 View
- Embeds the safety case into feedback and review layers
- Continuous safety performance monitoring
  - Against clearly defined indicators and targets
- Periodic internal SMS review
  - Thorough, open-ended
  - Review of all relevant data
  - Improve cost-effectiveness and safety
- Significant events investigations
  - Internal (staff self-reporting)
    - Non-punitive!
  - Accidents & incidents
    - Regulator lead
- External audits
  - Regulator
Safety Management - 14
Safety Management System - ICAO 9859 View
- Documented and implemented policies and procedures for managing risks that integrate operations and technical systems with the management of financial and human resources, to ensure aviation safety and the safety of the public
- SMS standards apply general principles for a particular application
  - But no prescriptive or process requirements
- Massive change in companies’ safety management philosophy
  - Complete responsibility for safety
  - Must understand what safety means and how it is being achieved
    - In the context of their business and operations
- Significant change in “philosophy of regulation”
  - Regulator checks whether operators have asked themselves all the right questions and responded adequately
  - Regulator ensures that information is disseminated in the sector
  - Significantly more space for a “subjective” judgement
    - Based on the vast accumulated knowledge
Safety Management - 15
SMS – Questions to ask
- Strategy and basic organisation:
  - What are the overall safety objectives?
    - Objective and measurable!
  - What is the safety management organisation?
    - Who has key responsibilities?
    - How are they supported?
- “Basic” risk management:
  - What are the hazards and risks of the operations?
    - Consider all aspects of operations and the environment
  - How do we ensure safety of our basic activities, considering:
    - Communication and collaborative working
    - Special challenges
- Monitoring and performance evaluation:
  - How do we check that safety management is effective?
  - How do we notice safety issues before they develop into accidents?
Safety Management - 16
SMS – Questions to ask
- Emergency planning:
  - What do we do if things go wrong?
    - To minimise the effects
  - How do we prepare ourselves to learn from experience?
- Change:
  - How do we ensure that our organisation remains safe?
    - In the context of changes to operations and environment
    - In the context of changes to safety management practices
- Proactive learning:
  - How do we ensure the organisation itself doesn’t become a source of risk?
  - How do we “drive” the improvement process?
  - How do we identify promising changes?
Safety Management - 17
SMS: Challenges
- Culture & paradigm shift
  - Higher degree of responsibility
  - Longer-term investment
  - Developing the SMS from “first principles”
  - Changing climate and attitudes in the organisation
    - Non-punitive reporting
    - Encouraging whistle-blowing
    - Making staff aware of the SMS in general and their roles in particular
  - Reliance on genuine commitment!
- Regulation approach
  - Presumed trust
    - Steep punitive “pyramid” if trust is abused
  - From inspections to audits
    - More flexible / open-ended
    - More constructive
    - More time-consuming!
    - Require more judgement
- Small/Medium Enterprises (SME)
  - Too complex an approach for small businesses?
  - Too much of an investment necessary?
- Very large companies…
Safety Management - 18
Rail Safety Management
- Example 2: Rail Safety Management systems
  - Designed to limit the risk of injury to persons or damage to property, and to protect commercial interests by running a safe railway
  - Legislated for by the Australian Rail Safety Act 1998
    - Rail Safety Regulations 1999 Part 2 reference Australian Standard AS 4292.1 as the standard for Rail Safety Management
- AS/NZ 4292 – Rail Safety Management
  - Section 1: Scope and General
  - Section 2: Management Policy and Structure
  - Section 3: Risk and Incident Management
  - Section 4: Personnel Management
  - Section 5: Goods and Services Procurement
  - Section 6: Engineering and Operational Systems Safety
  - Section 7: Interstate Operation (not contractor requirements)
Safety Management - 19
Organisation and Responsibilities
- Ultimate responsibility for safety at “the top”
  - main board for a company
  - perhaps just the Engineering or Technical Director
  - Secretary of State for the U.K. MoD
- Organisation defines
  - delegation of responsibility
    - named individuals / posts with “sign off” authority
  - committees and other joint management to ensure appropriate knowledge is brought to bear, e.g. design, operations, maintenance
  - communication paths
    - e.g. for incident reporting
  - independent reporting chain
    - so junior staff can report safety concerns outside “the line”
Safety Management - 20
Independent Reporting
- Purpose of independent reporting
  - management decisions are often compromises
    - may sometimes treat safety inappropriately
  - independent mechanisms
    - give a way for concerned engineers to bring such lapses to senior management attention
    - once attempts to resolve locally have failed
- Often have a separate director for independent reporting
  - e.g. Quality Director, when projects report to the Technical or Engineering Director
- Use of independent reporting should be the exception
  - a good safety culture will promote resolution “in the line”
- Final resort
  - “whistle-blowing”
Safety Management - 21
Purpose of an SSPP
- Primary aim
  - to define the process for achieving and assessing product safety, for a given project
    - including defining links to the primary development plans
- Secondary aim
  - to ensure project risks are controlled, as well as safety risks
    - for example, by defining a safety case strategy early in the project
- Aims met by setting out
  - product identification and project scope
  - project organisation and responsibilities
  - requirements and applicable standards
  - hazard log and hazard tracking strategy
  - safety case strategy
  - a technical plan, e.g. a bar chart, and definition of methods
Safety Management - 22
Organisation and Responsibilities
- Project Leader
  - safety responsibility for the project
  - accepts and signs off key documents
  - ultimately makes decisions
    - trade-offs between safety and availability
    - but advised by various committees (e.g. System Safety Panel)
- Primary safety work
  - done by designers, or safety specialists
  - at minimum, specialists act as independent reviewers
- Independent Verification and Validation (IV&V)
  - main design assessment work, independent of designers
  - e.g. review and testing
Safety Management - 23
Technical Plan
- Programme of work
  - technical safety activities
    - bar chart expanding on PHI, PHA, etc.
  - defined in a phased manner
    - e.g. plan for SSHA defined as a result of PHA and associated design revisions
  - identify what methods or techniques to use at each stage
  - define methods or techniques, e.g. guidewords and team structure for HAZOP
    - often done by reference to other company documentation
  - link to development plan
- Safety Case Strategy
  - how it is intended to demonstrate safety
Safety Management - 24
ISAs
- Independent Safety Auditor (ISA)
  - provides an independent check that the plan is implemented as defined
    - analogy with a financial auditor
  - usually audits the SMP and method definitions
    - and samples other deliverables
  - is not intended to give advice
- Can be confusion with Independent Safety Advisor
  - providing advice to help direct the project, not check on progress
- Independent Safety Assessor
  - safety aspect of IV&V, as defined here
- Other specialist advisors, if needed
  - e.g. on nuclear safety, lasers or software
Safety Management - 25
Managing Safety Risk
- Best approach is to establish a single, closed-loop hazard tracking system
  - to be used throughout development and in service
- Most safety standards require establishment of a Hazard Log, with entries for (at least)
  - description of hazard, and hazard risk index
  - status of hazard and its control
  - residual risk
  - actions to address the hazard
  - recommended hazard controls
  - signature of appropriate authority to close out
- Explicit hazard log not a requirement of ARP guidance
  - a systematic approach to tracking safety issues is clearly a necessity
Safety Management - 26
Hazard Log Entry
Hazard No.: HM034
Hazard Title: Windscreen overheats
Status: Open
Description: Loss of structural integrity of windscreen due to overheating
Cons.: A3   Sev.: 2   Prob.: 3e-8   HRI: 10
Closure Summary:
Primary effects: Windscreen: strength reduced / damaged / fractured
Consequences: Pilot injury, and possible loss of aircraft
Systems: Structures, Elec. Heating, ECS Heating, Warning
Responsibility: Electrical

Points to note:
- Risk assessment results - separate consequence description
- Responsibility assigned
- Action not specified - will be for reduction of hazard probability
Safety Management - 27
Hazard Tracking Example
Hazard No.: HM034
Hazard Title: Windscreen overheats
2/7/94    PHA Report BAe/WAW/075 – Hazard Identified
10/4/96   SCR Assessment – accepted for development flying, within specified reduced envelope, at 9th CSG
20/9/96   SCR Assessment for Windscreen anti-misting system (BAe/WAW/487 Issue D updated with amended reliability for hazard log summary (table updated)

Points to note:
- Hazard No. used as cross-reference to the log
- Progress of hazard management from identification to closure
- Decision before mitigation action complete - flight restriction to manage risk
Safety Management - 28
Revised Hazard Log Entry
Hazard No.: HM034
Hazard Title: Windscreen overheats
Status: Closed
Description: Loss of structural integrity of windscreen due to overheating
Cons.: A3   Sev.: 2   Prob.: 2e-10   HRI: 18
Closure Summary: Anti-misting system reduces probability of hazard to tolerable level. Training required to ensure pilots use anti-misting system, in appropriate conditions.
Primary effects: Windscreen: strength reduced / damaged / fractured
Consequences: Pilot injury, and possible loss of aircraft
Systems: Structures, Elec. Heating, ECS Heating, Warning
Responsibility: Electrical

Points to note:
- Revised HRI (now Tolerable)
- Reduced hazard probability
- Closure added
- Note: other entries not modified
  - nature of hazard not changed
- May be better to have a new entry, so the change can be seen explicitly
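The three HM034 slides describe one closed-loop record: the log entry, the dated tracking history cross-referenced by hazard number, and a revision that is closed out with a summary and a signature. Below is an added example of such a store (it is not code from the lecture or from any standard). It keeps every revision rather than editing the entry in place, which is the point made on the revised-entry slide, and it refuses to close a hazard without a closure summary and sign-off. The HM034 values are copied from the slides; the class and method names, the probability unit and the signing authority string are this example's own assumptions, and the HRI is recorded as given because the HRI table itself is not on the slides.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Added example of a single, closed-loop hazard log of the kind the slides
# describe. Field and method names are this example's own, not a standard's.


@dataclass(frozen=True)
class HazardEntry:
    hazard_no: str
    title: str
    description: str
    cons: str                 # consequence class, e.g. "A3"
    sev: int                  # severity category
    prob: float               # estimated probability (unit assumed: per flight hour)
    hri: int                  # hazard risk index, as read from the project's HRI table
    primary_effects: str
    consequences: str
    systems: str
    responsibility: str
    status: str = "Open"
    closure_summary: str = ""
    closed_by: str = ""       # signature of the authority that closed the hazard
    revision: int = 1


class HazardLog:
    """Hazard log plus tracking history; revisions are appended, never overwritten."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[HazardEntry]] = {}         # hazard_no -> revisions
        self._history: Dict[str, List[Tuple[str, str]]] = {}     # hazard_no -> (date, note)

    def add(self, entry: HazardEntry, date: str, source: str) -> None:
        if entry.hazard_no in self._entries:
            raise ValueError(f"{entry.hazard_no} already logged; use revise()")
        self._entries[entry.hazard_no] = [entry]
        self._history[entry.hazard_no] = [(date, f"{source} – Hazard Identified")]

    def current(self, hazard_no: str) -> HazardEntry:
        return self._entries[hazard_no][-1]

    def revisions(self, hazard_no: str) -> List[HazardEntry]:
        return list(self._entries[hazard_no])

    def history(self, hazard_no: str) -> List[Tuple[str, str]]:
        return list(self._history[hazard_no])

    def track(self, hazard_no: str, date: str, note: str) -> None:
        """Record an assessment or decision against the hazard number (cross-reference to the log)."""
        self._history[hazard_no].append((date, note))

    def revise(self, hazard_no: str, date: str, note: str, **changes) -> HazardEntry:
        """Append a new revision instead of editing the entry, so the change is visible."""
        cur = self.current(hazard_no)
        if cur.status == "Closed":
            raise ValueError(f"{hazard_no} is closed; a closed entry is not edited")
        new = replace(cur, revision=cur.revision + 1, **changes)
        self._entries[hazard_no].append(new)
        self.track(hazard_no, date, note)
        return new

    def close(self, hazard_no: str, date: str, summary: str, signed_by: str) -> HazardEntry:
        """Close out only with a closure summary and the signature of the appropriate authority."""
        if not summary.strip() or not signed_by.strip():
            raise ValueError("closure needs a closure summary and a sign-off signature")
        return self.revise(hazard_no, date, f"Closed out, signed by {signed_by}",
                           status="Closed", closure_summary=summary, closed_by=signed_by)

    def open_hazards(self) -> List[HazardEntry]:
        """The set a periodic hazard log report reviews."""
        return [revs[-1] for revs in self._entries.values() if revs[-1].status != "Closed"]


def demo() -> HazardLog:
    """Walk HM034 through the history shown on the slides."""
    log = HazardLog()
    log.add(HazardEntry(
        hazard_no="HM034", title="Windscreen overheats",
        description="Loss of structural integrity of windscreen due to overheating",
        cons="A3", sev=2, prob=3e-8, hri=10,
        primary_effects="Windscreen: strength reduced / damaged / fractured",
        consequences="Pilot injury, and possible loss of aircraft",
        systems="Structures, Elec. Heating, ECS Heating, Warning",
        responsibility="Electrical"), "2/7/94", "PHA Report BAe/WAW/075")
    # Risk managed by a flight restriction before the mitigation is complete.
    log.track("HM034", "10/4/96", "SCR Assessment – accepted for development flying, "
              "within specified reduced envelope")
    # Anti-misting system lowers the probability; revised HRI is the slide's value.
    log.revise("HM034", "20/9/96", "SCR Assessment for Windscreen anti-misting system",
               prob=2e-10, hri=18)
    log.close("HM034", "20/9/96",
              "Anti-misting system reduces probability of hazard to tolerable level. Training "
              "required to ensure pilots use anti-misting system, in appropriate conditions.",
              signed_by="Project Safety Panel chair (placeholder)")
    return log
```

Running `demo()` leaves revision 1 (Open, HRI 10) and revision 3 (Closed, HRI 18) both in the log, so the change in risk is visible without a separate "revised entry" slide, and the four dated history lines reproduce the tracking example.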
Safety Management - 29
Safety Life-Cycle - Link to Hazard Log
[Diagram: the figure itself did not survive extraction; its labels were: Platform Concept, Initial Hazard List, Safe Platform, Safety Case, (Predictive) Causal Analysis, Causal Analysis, Integration of Safety Evidence, PSSA, SSA, Hazard Identification, Consequence Analysis, FHA, PHI, with “Risk reduction action” and “Design completed” marked on the flow.]
Numbered items are actions on the hazard log:
1. Initial entry made
2. Severity added
3. Risk estimate added
4. Risk estimate revised
5. Risk figure finalised
Safety Management - 30
Management of Hazard Log 1
- Hazard log
  - produced and maintained during development
    - tool support desirable
    - specialist tools, but can do with a database
  - issued periodically (hazard log reports)
    - open hazards reviewed
    - decisions on tolerable levels of reduction made
      - this is (typically) an ALARP decision
      - may need to involve operational authority
      - is almost inevitably assessed by a committee (e.g. the Project Safety Panel)
      - Panel will have to balance cost and likely risk reduction
    - period depends on scale of project, number of open risks, etc.
      - may also be on identification of a significant new risk
Safety Management - 31
Management of Hazard Log 2
[Figure: the HM034 tracking record and revised hazard log entry from slides 27 and 28, shown here as a data model. A hazard log entry links to a Consequence Description, a Fault Tree Analysis and an instance of the HRI Table; a PHI (A) Report, Meeting Minutes and a Safety Analysis Report “may contain” an extract from the Hazard Log or an extract from the Hazard Tracking System.]
- Consider use of web technology to manage the log
Safety Management - 32
Transition to Service
- Handover of hazard log to operational authority
  - joint review of hazard log / hazard tracking system
    - all risks addressed
    - all risks reduced ALARP, or practical procedures to manage
      - e.g. operational limitations, pending remedial development
    - will need “sign off” by operational authority
    - status of ongoing remedial action adequately understood
  - hazard log passed on as basis for operational safety management
- FRACAS - so the severity of events (incidents) is known
  - action limits to give early warning of impending problems
Safety Management - 33
Operational Safety
- Safety management does not stop at the end of the development process
- Also need to ensure operation is accident-free
  - or at least to keep accidents to a tolerable level
- Main safety-related activities in-service are:
  - maintenance
    - preserve the (safety-related) system as designed and manufactured
    - improve the design where the design is not “safe enough”, or improvements are now possible
  - monitoring and management of failures
    - Accident and incident analysis
    - Monitoring and evaluation of failures
    - Corrective actions as a result of analysis
- ARP 5150 defines a systematic approach
Safety Management - 34
ARP 5150 Monitoring Process
[Flowchart; the figure is not recoverable, only its labels. Stages across the top: Establish Monitor Parameters, Monitor For Events, Assess Event & Risk, Develop Action Plan, Disposition Action Plan, Implement. A feedback path down the left is labelled “Lessons Learned”.]
Boxes and decisions, in reading order:
- Establish expectations
- Establish monitor parameters
- Collect & analyze data
- Problem or trend noted? (No / Yes)
- Assess event & risk (inputs from other levels or monitoring)
- Significant event - action required? (No / Yes)
- Determine internal / external issue resolution; Internal / External action? (INT / EXT)
  - EXT: notify responsible party; output to “Assess Event and Risk” at other level(s)
  - INT: develop actions (actions from other levels or sources; actions to other levels)
- Select action
- Review selected action for approval
- Action approved? (No / Yes)
- More analysis? (No / Yes)
- Action applicability review
- Implement action? (No / Yes)
- Schedule
- Document & close
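Slide 32 asks for FRACAS “action limits to give early warning of impending problems”, and the ARP 5150 flow above turns that into a loop: establish expectations and monitor parameters, collect and analyze data, decide whether a problem or trend has been noted, assess the event and risk, then route the resolution internally or notify an external responsible party. The code below is an added example of that loop in miniature; it is not from the lecture or from ARP 5150. The monitored item, its expected rate, its alert and action limits, the quarterly event counts and the notion of “three consecutive rising periods” as a trend are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

# Added example: an in-service monitoring loop in the shape of the ARP 5150
# process on the slides. Parameter names, limits and event counts are
# constructed for illustration; they are not ARP 5150 values.


@dataclass(frozen=True)
class MonitorParameter:
    name: str
    expected_rate: float    # established expectation, events per 1000 flight hours
    alert_limit: float      # early-warning limit: look harder, keep monitoring
    action_limit: float     # rate at which a corrective action is required
    trend_periods: int      # consecutive rising periods that count as a trend
    owner: str              # "internal", or the external party responsible for the item


@dataclass(frozen=True)
class Period:
    label: str
    flight_hours: float
    events: int             # incidents reported through FRACAS in this period


@dataclass(frozen=True)
class Finding:
    parameter: str
    period: str
    kind: str               # "alert", "action" or "trend"
    rate: float


def rate_per_1000h(p: Period) -> float:
    return p.events * 1000.0 / p.flight_hours


def monitor(param: MonitorParameter, periods: List[Period]) -> List[Finding]:
    """Collect & analyze data: compare each period's rate with the limits and look for trends."""
    findings: List[Finding] = []
    rates: List[float] = []
    for p in periods:
        r = rate_per_1000h(p)
        rates.append(r)
        if r >= param.action_limit:
            findings.append(Finding(param.name, p.label, "action", r))
        elif r >= param.alert_limit:
            findings.append(Finding(param.name, p.label, "alert", r))
        # A trend is noted when the last N rates rise strictly and the latest is above
        # the expectation, even if no single period has crossed a limit yet.
        window = rates[-param.trend_periods:]
        if (len(window) == param.trend_periods
                and all(a < b for a, b in zip(window, window[1:]))
                and r > param.expected_rate):
            findings.append(Finding(param.name, p.label, "trend", r))
    return findings


def disposition(param: MonitorParameter, f: Finding) -> str:
    """Assess event & risk, then determine internal/external issue resolution."""
    if f.kind != "action":
        return "assess event & risk; continue monitoring"
    if param.owner == "internal":
        return "develop action plan; review selected action for approval"
    return f"notify responsible party: {param.owner}"


# Constructed sample: quarterly FRACAS counts for one monitored item.
WINDSCREEN_HEATER = MonitorParameter(
    name="windscreen heater overtemperature", expected_rate=0.5,
    alert_limit=1.0, action_limit=2.0, trend_periods=3, owner="heater supplier")

SAMPLE_PERIODS = [
    Period("Q1", 4000, 2),   # 0.50 per 1000 h, as expected
    Period("Q2", 4000, 3),   # 0.75
    Period("Q3", 5000, 5),   # 1.00: alert limit reached, third rising period
    Period("Q4", 4000, 9),   # 2.25: action limit exceeded
    Period("Q5", 4000, 3),   # 0.75: back below the alert limit
]


def run_sample() -> List[str]:
    return [f"{f.period} {f.kind} at {f.rate:.2f}/1000h: {disposition(WINDSCREEN_HEATER, f)}"
            for f in monitor(WINDSCREEN_HEATER, SAMPLE_PERIODS)]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The trend check is what makes the monitor an early warning rather than a threshold alarm: Q3 is flagged as a trend as well as an alert because the rate has risen for three periods in a row, before any action limit is crossed. Because the item's owner is an external party, the Q4 action finding is routed to “notify responsible party”, the EXT branch of the flowchart, rather than to the organisation's own action plan.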
Safety Management - 35
Roles in ARP 5150 Process
[Figure: the monitoring flowchart of the previous slide repeated as three parallel instances, labelled Supplier Assessment Process, Airframer Assessment Process and Operator Assessment Process. The instances are linked by “Inputs from other levels or monitoring”, “Actions from other levels or sources”, “Actions to other levels” and “Output to ‘Assess Event and Risk’ at other level(s)”. Nothing beyond these labels is recoverable.]
Safety Management - 36
Observations
- SMS/SMM and SSPP may overlap a lot
  - don’t repeat, refer (but better to repeat than not to write it down!)
- SSPP may legitimately conflict with SMS/SMM
  - e.g. if the product is for a new market, uses new technology, or involves work with another company
- It is possible to “overwhelm” a project with plans
  - if the safety activities are limited, just extend the main plan
- Ultimately, safety is achieved by people
  - the way they work (and the culture in which they work) are key
Slides 37-42 are to be used as reference material and will not be presented
Safety Management - 37
Organisational Concerns
Concerns:
- Compliance-oriented
  - Do minimum - anything more is beyond ALARP
- Reactive / inertial framework
  - Assume right until proven otherwise
  - Looking for safety issues discouraged
  - Unfair reporting systems
- Static safety management
  - Assume environment and organisation unchanging
  - Ignore uncertainty in safety assessment
SMS “response”:
- No fixed requirements
  - Provides rational incentives for “over-compliance”
  - Reinforces ALARP
- Proactive framework
  - Only assumes SMS is good enough to operate
  - Recognise inherent uncertainty
  - Proactive & predictive “feedback”
  - Fair (non-punitive) reporting
- Active management of change and uncertainty
  - Assess changes
  - Monitor performance
  - Periodically review the whole SMS
Safety Management - 38
Organisational Concerns
Concerns:
- Safety an “over the wall” activity
  - Not integrated into overall management
  - Unrealistic policies
- Clumsy internal regulation
  - Unmanageably complex and bureaucratic
  - Not acted upon
- Poor safety culture
  - It’s something we have to do to ‘tick’ the regulator’s boxes
  - It’s of no utility to the business
  - Accidents are too unlikely to worry about
  - You need to “really try” to cause an accident
SMS “response”:
- Integrated approach to safety
  - Integrated into overall management
  - Rational & realistic policies
  - Recognises primary function of the business
- Allows flexibility in designing the most suitable SMS
  - Audits check for “dead weight”
- Requires and encourages strong safety culture
  - Covered by audits
  - Encourages staff engagement in safety management
  - Requires safety promotion
Safety Management - 39
SMS Content 1
What should the organisation consider?
- What are the overall safety objectives?
  - how do we know if we have achieved them?
- Who has safety responsibility?
  - how are they supported?
What goes in the SMS?
- Definition of safety requirements
  - measurable
  - objective
  - achievable
- Individual roles and responsibilities
- Organisation
  - reporting structures
    - including independent lines of reporting
  - committees, panels
Safety Management - 40
SMS Content 2
What should the organisation consider?
- How do we ensure safety of our basic activities, considering
  - environment
    - locations in which we operate
  - operations
    - especially those demanding high levels of skill or concentration
  - communication and collaborative working
  - equipment
  - special challenges
    - hazardous materials
What goes in the SMS?
- Hazard identification and risk assessment methodology
- Procedures for hazard logging / tracking
- Approach to risk control/reduction
  - Risk acceptance criteria
  - Basis for trade-off decisions
- Specialist safety analysis methodology
- Safety-related working procedures
- Skills, training
Safety Management - 41
SMS Content 3
What should the organisation consider?
- How do we ensure safety of activities is maintained?
- What do we do if things go wrong?
What goes in the SMS?
- Performance monitoring
  - Data collection
  - Review and analysis
    - Trends and anomalies
  - Corrective actions
- Policies for managing change
- Emergency planning
  - Training and drills
Safety Management - 42
SMS Content 4
What should the organisation consider?
- How do we ensure the organisation itself does not become a source of risk?
What goes in the SMS?
- Policies for continual self-review
  - Auditing
- Policies for continual improvement
  - Improving safety targets
  - Organisational learning
- Cultural aspirations
  - Training
  - Communication