safety management - pimpri chinchwad polytechnicpcpolytechnic.com/mechanical/pdf/15.pdf · grand...

Session 22

Safety Management

Safety Management - 2

ContentsEvolution of Safety Regulation Systems

Level 1: Prescriptive standardsLevel 2: Process standardsLevel 3: Risk-based safety management (non-prescriptive standards)Level 4: Safety Management System

Safety Management ProcessesSafety management system and manualSafety management plan

Safety Management System (SMS)Purpose and scopeGrand Challenges of SMS

Note: Some additional slides in lecture appendix


A Typical Safety ArgumentRecall: (from this morning)

Top-level goalUsually in context that defines what “adequate safety” means

Primary ArgumentRisks are appropriately controlled

Secondary ArgumentValidity of the primary argument

Adequacy, and correct use, of the processes

EvidenceSupports all elements of argument


Prescriptive StandardsRegulator

Prescribes particular detailed solution

Company / Certificate HolderEnsures that standards are followed

Produces evidence that solution has been appropriately implemented

Assumption (is it valid?)By implication, regulator has constructed appropriate safety case showing that “solutions” yield overall safety goal


Prescriptive StandardsCan be sufficient if

There are few companies in a regulated sectorRegulator has good oversight of what each company is doing

Few differences between companies

There is a high level of state participationHeavy regulation is perceived acceptable by companies

Systems (social and technical “components”) are relatively stableHigh degree of confidence in prescribed solution, e.g. military aviation in the inter-war / post war period

Still workable for technical systems where there are accepted solutions

Unsuitable when there are too many differences between organisations

For example, the general regulation of civil aviation

Need a less prescriptive, more flexible and responsive approach…


Process StandardsRegulator

Sets overall safety requirements

Prescribes safety and verification processes

Company / Certificate HolderUses the process to design the socio-technical system

Makes argument that proposed mechanisms will be sufficient

Provides evidence that process followed and design implemented

AssumptionsImplicit Secondary Argument

Reflects regulator’s judgement


Process StandardsWork well in some sub-sectors, where there is:

Degree of similarity between regulated organisations / products

Relatively slow and gradual evolution of practices in the sector

e.g. some aspects of aircraft design / type certification

Unsuitable where there are fundamentally different business models

For example, modern civil aviation sector as a whole


Risk-Based ApproachCompany / Certificate Holder

Selects the most appropriate methods and processes

Uses them to identify appropriate mechanisms for ensuring sufficient level of safety

Produces valid and coherent argument of safety plus supporting evidence (i.e. safety case)

RegulatorSets overall safety targets

Audits the safety case based on accumulated expertise

May take into account items in Significant Issues List (SIL)


Risk-Based ApproachAdvantages

Enables companies to develop solutions suitable for their businessInput from regulator is at strategic policy level, e.g. top-level goals

Makes it clear that companies have liabilityNo “we complied with your standards” argument

Original risk-based approaches are now considered incompleteSafety activities of different organisations may not be coordinated

e.g. supply chain

Safety not fully integrated into the management of the businessNeed to address “soft issues”: human factors, training, culture (see Part 2 of lecture)

Too static on its ownAssumes ideal safety case the first time

Practice may diverge from safety caseOrganisation and operational context may change

Doesn’t require or encourage learningReactive approach to safety management


Safety ManagementA safety management system (SMS)

is defined for an organisation

sets out approach to ensuring safety in all aspects of an organisation’s business

covers operation and general principles of developmentalthough not details of specific projects

is typically documented in a safety management manual (SMM)

A system safety programme plan (SSPP)is defined for a project

details safety-specific activities and products, e.g. safety cases

will link to project plans, e.g. milestones and reviews

will derive some of its contents from the SMSbut may over-ride the SMS, e.g. to reflect national legislation

Focus on “functional safety” not occupational health and safety


Purpose of an SMSPrimary aim

to provide a framework for the planning, execution and monitoring of all activities needed to meet safety objectives

including policies for reducing / managing risk

Secondary aimsto ensure consistency between projects

e.g. by using same risk assessment criteria

to help meet / discharge legal and moral obligationse.g. the “duty of care”

to contain liability, should an accident occur

Aims met by setting outorganisation and responsibilities, e.g. for decision making

policies, e.g. on acceptable levels of risk

procedures, e.g. for incident reporting


ICAO SMM 2006

Overview

Responsibility for Managing Safety

State Safety programme

Understanding Safety

Basics of Safety Management

Risk Management

Hazard and Incident Reporting

Safety Investigations

Safety Analysis and Safety Studies

Safety Performance Monitoring

Emergency Response Planning

Establishing an SMS

Safety Assessments

Safety Auditing

Practical considerations for operating a SMS

Aircraft Operations

Air Traffic Services

Aerodrome Operations

Aircraft Maintenance

ICAO SMS: “a systematic approach to managing safety, including the necessary organizational structures, accountabilities, policies and procedures.”


Safety Management System- ICAO 9859 ViewEmbeds safety case into feedback and review layers

Continuous safety performance monitoring

Against clearly defined indicators and targets

Periodic internal SMS reviewThorough, open-ended

Review of all relevant data

Improve cost-effectivenessand safety

Significant events investigationsInternal (staff self-reporting)

Non-punitive!

Accidents & Incidents

Regulator lead

External auditsRegulator


Safety Management System- ICAO 9859 View Documented and Implemented policies and procedures for managing risks

that integrate operations and technical systems with the management of financial and human resources to ensure aviation safety and the safety of

the public

SMS standards apply general principles for a particular applicationBut no prescriptive or process requirements

Massive change in companies’ safety management philosophyComplete responsibility for safetyMust understand what safety means and how is it being achieved

In the context of their business and operations

Significant change in “philosophy of regulation”Regulator checks whether operators have asked themselves all right questions

and responded adequatelyRegulator ensures that information is disseminated in the sectorSignificantly more space for a “subjective” judgement

Based on the vast accumulated knowledge


SMS – Questions to askStrategy and basic organisation:

What are overall safety objectives?Objective and measurable!

What is the safety management organisation?Who has key responsibilities?How are they supported?

“Basic” risk management:What are hazards and risks of the operations?

Consider all aspects of operations and the environment

How do we ensure safety of our basic activities, considering:Communication and collaborative workingSpecial challenges

Monitoring and performance evaluation:How do we check that safety management is effective?How do we notice safety issues before these develop into accidents?


SMS – Questions to askEmergency Planning:

What do we do if things go wrong?To minimise the effects

How do we prepare ourselves to learn from experience?

Change:How do we ensure that our organisation remains safe?

In the context of changes to operations and environmentIn the context of changes to safety management practices

Proactive learning:How do we ensure organisation itself doesn’t become a source of risk?How do we “drive” improvement process?How do we identify promising changes?


SMS: ChallengesCulture & paradigm shift

Higher degree of responsibilityLonger-term investment

Developing SMS from “first principles”

Changing climate and attitudes in the organisation

Non-punitive reporting

Encouraging whistle blowing

Making staff aware of SMS in general and their roles in particular

Reliance on genuine commitment!

Regulation approachPresumed trust

Steep punitive “pyramid” if trust is abused

From inspections to auditsMore flexible / open-endedMore constructiveMore time-consuming!Require more judgment

Small/Medium Enterprises (SME)

Too complex an approach for small businesses?Too much of an investment necessary?

Very large companies…


Rail Safety Management

Example 2: Rail Safety Management systemsDesigned to limit risk of injury to persons or damage to property; and protect commercial interests by running safe railway

Legislated for by the Australian Rail Safety Act 1998Rail Safety Regulations 1999 Part 2 reference Australian Standard AS 4292.1, as the standard for Rail Safety Management

AS/NZ 4292 – Rail Safety ManagementSection 1: Scope and General

Section 2: Management Policy and Structure

Section 3: Risk and Incident Management

Section 4: Personnel Management

Section 5: Goods and Services Procurement

Section 6: Engineering and Operational Systems Safety

Section 7: Interstate Operation (not contractor requirements)


Organisation and Responsibilities

Ultimate responsibility for safety at “the top”main board for a company

perhaps just the Engineering or Technical Director

Secretary of State for the U.K. MoD

Organisation definesdelegation of responsibility

named individuals / posts with “sign off” authority

committees and other joint management to ensure appropriate knowledge brought to bear, e.g. design, operations, maintenance

communication pathse.g. for incident reporting

independent reporting chainso junior staff can report safety concerns outside “the line”


Independent ReportingPurpose of independent reporting

management decisions are often compromisesmay sometimes treat safety inappropriately

independent mechanismsgive way for concerned engineers to bring such lapses to senior management attention

once attempts to resolve locally have failed

Often have separate director for independent reportinge.g. Quality Director, when projects report to Technical or Engineering Director

Use of independent reporting should be exceptionsa good safety culture will promote resolution “in the line”

Final resort“whistle-blowing”


Purpose of an SSPPPrimary aim

to define the process for achieving and assessing product safety, for a given project

including defining links to the primary development plans

Secondary aimto ensure project risks are controlled, as well as safety risks

for example, by defining a safety case strategy early in the project

Aims met by setting outproduct identification and project scope

project organisation and responsibilities

requirements and applicable standards

hazard log and hazard tracking strategy

safety case strategy

a technical plan, e.g. a bar chart, and definition of methods


Organisation and Responsibilities

Project Leadersafety responsibility for the project

accepts and signs off key documents

ultimately makes decisionstrade-offs between safety and availability

but advised by various committees (e.g. System Safety Panel)

Primary safety workdone by designers, or safety specialists

at minimum, specialists act as independent reviewers

Independent Verification and Validation (IV&V)main design assessment work, independent of designers

e.g. review and testing


Technical Plan

Programme of worktechnical safety activities

bar chart expanding on PHI, PHA, etc.

defined in a phased manner

e.g. plan for SSHA defined as a result of PHA and associated design revisions

identify what methods or techniques to use at each stage

define methods or techniques e.g. guidewords and team structure for HAZOP

often done by reference to other company documentation

link to development plan

Safety Case Strategyhow it is intended to demonstrate safety


ISAsIndependent Safety Auditor (ISA)

provides independent check thatplan implemented as defined

analogy with financial auditor

usually audits SMP and method definitions

and samples other deliverables

is not intended to give advice

Can be confusion with Independent Safety Advisor

providing advice to help direct project, not check on progress

Independent Safety Assessorsafety aspect of IV&V, as defined here

Other specialist advisors, if needede.g. on nuclear safety, lasers or software


Managing Safety RiskBest approach is to establish a single, closed loop, hazard tracking system

to be used throughout development and in service

Most safety standards require establishment of a Hazard Log, with entries for (at least)

description of hazard, and hazard risk index

status of hazard and its control

residual risk

actions to address the hazard

recommended hazard controls

signature of appropriate authority to close out

Explicit hazard log not a requirement of ARP guidancesystematic approach to tracking safety issues clearly a necessity


Hazard Log Entry

Hazard No. HM034Hazard Title Windscreen overheats Status: OpenDescription Loss of structural integrity of windscreen due to overheatingCons. A3 Sev. 2 Prob. 3e-8 HRI: 10ClosureSummaryPrimaryeffects

Windscreen: strength reduced / damaged / fractured

Consequences Pilot injury, and possible loss of aircraftSystems Structures, Elec. Heating, ECS Heating, WarningResponsibility Electrical

Risk assessment results - separate consequence description

Responsibility assigned

Action not specified - will be for reduction of hazard probability


Hazard Tracking Example

Hazard No. HM034Hazard Title Windscreen overheats2/7/94 PHA Report BAe/WAW/075 – Hazard Identified10/4/96 SCR Assessment – accepted for development flying, within

specified reduced envelope, at 9th CSG20/9/96 SCR Assessment for Windscreen anti-misting system

(BAe/WAW/487 Issue D updated with amended reliability forhazard log summary (table updated)

Hazard No. used as cross-reference to log

Progress of hazard management from

identification to closure

Decision before mitigation action complete - flight

restriction to manage risk


Revised Hazard Log Entry

Hazard No. HM034Hazard Title Windscreen overheats Status: ClosedDescription Loss of structural integrity of windscreen due to overheatingCons. A3 Sev. 2 Prob. 2e-10 HRI: 18ClosureSummary

Anti-misting system reduces probability of hazard to tolerablelevel. Training required to ensure pilots use anti-mistingsystem, in appropriate conditions.

Primaryeffects

Windscreen: strength reduced / damaged / fractured

Consequences Pilot injury, and possible loss of aircraftSystems Structures, Elec. Heating, ECS Heating, WarningResponsibility Electrical

Revised HRI (now Tolerable)

Reduced hazard probability

Closure addedNote: other entries not modified

nature of hazard not changed

May be better to havenew entry, so changecan be seen explicitly


Safety Life-Cycle - Link to Hazard Log

- P l a t f o r m C o n c e p t- I n i t i a l H a z a r d L i s t

- S a f e P l a t f o r m- S a f e t y C a s e

( P r e d i c t i v e ) C a u s a l A n a l y s i s C a u s a l A n a l y s i s

I n t e g r a t i o n o f S a f e t y E v i d e n c e

P S S A S S A

H a z a r d I d e n t i f i c a t i o n

C o n s e q u e n c e A n a l y s i s

F H A

P H I

1. Initial entry made

2. Severity added3. Risk estimate added

4. Risk estimate revised

5. Risk figure finalised

Risk reduction action

Design completed

Numbered items are actions on hazard log


Management of Hazard Log 1Hazard log

produced and maintained during developmenttool support desirable

specialist tools, but can do with a database

issued periodically (hazard log reports)open hazards reviewed

decisions on tolerable levels of reduction madethis is (typically) an ALARP decision

may need to involve operational authority

is almost inevitably assessed by a committee (e.g. the Project Safety Panel)

Panel will have to balance cost and likely risk reduction

period depends on scale of project, number of open risks, etc.may also be on identification of significant new risk


Management of Hazard Log 2

Hazard No. HM034Hazard Title Windscreen overheats2/7/94 PHA Report BAe/WAW/075 – Hazard Identified10/4/96 SCR Assessment – accepted for development flying, within

specified reduced envelope, at 9th CSG20/9/96 SCR Assessment for Windscreen anti-misting system

(BAe/WAW/487 Issue D updated with amended reliability forhazard log summary (table updated)

Hazard No. HM034Hazard Title Windscreen overheats Status: ClosedDescription Loss of structural integrity of windscreen due to overheatingCons. A3 Sev. 2 Prob. 2e-10 HRI: 18ClosureSummary

Anti-misting system reduces probability of hazard to tolerablelevel. Training required to ensure pilots use anti-mistingsystem, in appropriate conditions.

Consider use of web technology to manage log

ConsequenceDescription

Fault Tree Analysis

Instance ofHRI Table

PHI (A) Report

Meeting Minutes

Safety Analysis Report

May Contain

Extract from Hazard Log

Extract from Hazard Tracking System


Transition to Service

Handover of hazard log to operational authority

joint review of hazard log / hazard tracking systemall risks addressed

all risks reduced ALARP, or practical procedures to managee.g. operational limitations, pending remedial development

will need “sign off” by operational authority

status of ongoing remedial action adequately understood

hazard log passed on as basis for operational safety management

FRACAS - so the severity of events (incidents) is knownaction limits to give early warning of impending problems


Operational SafetySafety management does not stop at end of development process

Also need to ensure operation is accident freeor at least to keep accidents to a tolerable level

Main safety-related activities in-service are:

maintenancepreserve (safety related) system as designed and manufactured

improve the design where design not “safe enough”, or improvements now possible

monitoring and management of failuresAccident and incident analysis

Monitoring and evaluation of failures

Corrective actions based as a result of analysis

ARP 5150 defines systematic approach


ARP 5150 Monitoring Process

ESTABLISHEXPECTATIONS

ESTABLISHMONITOR

PARAMETERS COLLECT &

ANALYZEDATA

PROBLEMOR

TRENDNOTED?

NO

LE

SS

ON

SL

EA

RN

ED

ASSESSEVENT& RISK

SIGNIFICANTEVENT-- ACTION

REQUIRED?

INTERNAL/ EXTERNAL

ACTION?

INT

EXT

NO

NOTIFYRESPONSIBLE

PARTY

A

SELECTACTION

ACTIONAPPROVED?

NO

YES

MOREANALYSIS?

YES

ACTIONAPPLICABILIT

Y REVIEW

IMPLEMENTACTION?

SCHEDULE

DOCUMENT &CLOSE

NO

YES

INPUTS FROM OTHER

LEVELS ORMONITORING

OUPUT TO "ASSESSEVENT AND RISK"

AT OTHER LEVEL(S)

ACTIONSFROM OTHERLEVELS ORSOURCES

DEVELOPACTIONS

ACTIONSTO OTHER LEVELS

DETERMINEINTERNAL/EXTERNAL

ISSUERESOLUTION

YES

REVIEWSELECTED

ACTION FORAPPROVAL

NO

YES

A

A

Establish Monitor Parameters

Monitor For Events

Assess Event & Risk

Develop Action PlanDisposition Action Plan

IMPLEMENT


Roles in ARP 5150 Process

Supplier AssessmentProcess

Airframer AssessmentProcess

Operator AssessmentProcess

ESTABLISHEXPECTATIONS

ESTABLISHMONITOR

PARAMETERS

COLLECT &ANALYZE DATA

PROBLEMOR

TRENDNOTED?

NO

LE

SS

ON

S L

EA

RN

ED

ASSESSEVENT& RISK

SIGNIFICANT EVENT--ACTION REQUIRED?

INTERNAL/ EXTERNAL

ACTION?

INT

EXT

NO

NOTIFYRESPONSIBL

E PARTY

A

SELECT ACTIONACTION

APPROVED?

NO

YES

MOREANALYSIS?

YES

ACTIONAPPLICABILITY

REVIEW

IMPLEMENTACTION?

SCHEDULE

DOCUMENT &CLOSE

NO

YES

INPUTS FROM

OTHER lEVELS ORMONITORING

ACTIONSFROM OTHER LEVELS

OR SOURCES

DEVELOPACTIONS

ACTIONSTO OTHER LEVELS

DETERMINEINTERNAL/

EXTERNAL ISSUERESOLUTION

YES

REVIEWSELECTED

ACTION FORAPPROVAL

NO

YES

A

A

Establish Monitor Parameters

Monitor For Events

Assess Event & Risk

Develop Action PlanDisposition Action Plan

IMPLEMENT


AT OTHER LEVEL(S)


AT OTHER LEVEL(S)


AT OTHER LEVEL(S)

INPUTS FROM


INPUTS FROM


ACTIONSFROM OTHERLEVELS ORSOURCES

ACTIONSFROM OTHER LEVELS

OR SOURCES


Observations

SMS/SMM and SSPP may overlap a lotdon’t repeat, refer (but better to repeat than not to write it down!)

SSPP may legitimately conflict with SMS/SMMe.g. if product is for a new market, uses new technology, or involves work with another company

It is possible to “overwhelm” a project with plansif the safety activities are limited, just extend the main plan

Ultimately, safety is achieved by peoplethe way they work (and the culture in which they work) are key

Slides 37-42 are to be used as reference material and will not be presented


Organisational Concerns

Compliance-orientedDo minimum - anything more is beyond ALARP

Reactive / inertial frameworkAssume right until proven otherwise

Looking for safety issues discouraged

Unfair reporting systems

Static safety managementAssume environment and organisation unchangingIgnore uncertainty in safety assessment

No fixed requirementsProvides rational incentives for “over-compliance”

Reinforces ALARP

Proactive frameworkOnly assumes SMS is good enough to operate

Recognise inherent uncertainty

Proactive & predictive “feedback”

Fair (non-punitive) reporting

Active management of change and uncertainty

Assess changes

Monitor performance

Periodically review the whole SMS

Concerns SMS “response”


Organisational Concerns

Safety an “over the wall” activityNot integrated into overall management

Unrealistic policies

Clumsy internal regulationUnmanageably complex and bureaucratic

Not acted upon

Poor safety cultureIts something we have to do to ‘tick’ regulator’s boxes

Its of no utility to business

Accidents are too unlikely to worry

You need to “really try” to cause an accident

Integrated approach to safety Integrated into overall managementRational & realistic policies

Recognises primary function of the business

Allows flexibility in designing most suitable SMS

Audits check for “dead weight”

Requires and encourages strong safety culture

Covered by auditsEncourages staff engagement in safety managementRequires safety promotion

Concerns SMS “response”


SMS Content 1What should organisation

consider?

What are overall safety objectives

how do we know if we have achieved them?

Who has safety responsibility

how are they supported?

What goes in SMS?

Definition of safety requirements

measurable

objective

achievable

Individual roles and responsibilities

Organisation

reporting structures

including independent lines of reporting

committees, panels


SMS Content 2What should organisation consider?

How do we ensure safety of our basic activities, considering

environment

locations in which we operate

operations

especially those demanding high levels of skill or concentration

communication and collaborative working

equipment

special challenges

hazardous materials

What goes in SMS?

Hazard identification and risk assessment methodology

Procedures for hazard logging / tracking

Approach to risk control/reduction

Risk acceptance criteria

Basis for trade-off decisions

Specialist safety analysis methodology

Safety-related working procedures

Skills, training



consider?

How do we ensure safety of activities is maintained?

What do we do if things go wrong?

What goes in SMS?

Performance monitoring

Data collection

Review and analysisTrends and anomalies

Corrective actions

Policies for managing change

Emergency planningTraining and drills



consider?

How do we ensure organisation itself does not become a source of risk?

What goes in SMS?

Policies for continual self-review

Auditing

Policies for continual improvement

Improving safety targets

Organisational learning

Cultural aspirations

Training

Communication

safety management - pimpri chinchwad polytechnicpcpolytechnic.com/mechanical/pdf/15.pdf · grand...

Documents