A Systemic Approach to Safety Management

A Systemic Approach to A Systemic Approach to Safety ManagementSafety Management

ByBy

Jaime Santos-ReyesJaime Santos-Reyes

Working On Safety, Netherlands, Working On Safety, Netherlands, 20062006

SEPI-ESIME-IPN-SEPI-ESIME-IPN-MEXICOMEXICO

SEPI-ESIME-IPN-SEPI-ESIME-IPN-MEXICOMEXICO &&

Alan N. BeardAlan N. BeardHeriot-Watt University, Heriot-Watt University, UK.UK.

A Systemic Approach to Disaster A Systemic Approach to Disaster ManagementManagement

ContentsContents

IntroductionIntroduction Safety management systemsSafety management systems The need for a systemic approachThe need for a systemic approach A systemic safety management system A systemic safety management system

modelmodel ConclusionsConclusions

SEPI-ESIME-IPN-MEXICOSEPI-ESIME-IPN-MEXICOWorking On Safety, Netherlands, 2006Working On Safety, Netherlands, 2006

1.1. IntroductionIntroduction

Bhopal, India, 1984, (Bidwai, Bhopal, India, 1984, (Bidwai, 1984) 1984)

San Juanico, México, 1984, San Juanico, México, 1984, (Bleve, 1985)(Bleve, 1985)

Piper Alpha, UK, 1988, (Cullen, Piper Alpha, UK, 1988, (Cullen, 1990)1990)

Chernobyl, Ukraine, 1987, Chernobyl, Ukraine, 1987, (Mosey, 1990)(Mosey, 1990)

Train disaster, Pakistan, 2005, Train disaster, Pakistan, 2005, (BBC, 2005)(BBC, 2005)

Paddington train accident, UK, Paddington train accident, UK, 1999, (Cullen, 2001)1999, (Cullen, 2001)

Eschede train accident, Eschede train accident, Germany, 1998 (Kuepper, 1999)Germany, 1998 (Kuepper, 1999)

Train accident, Japan, 2005, Train accident, Japan, 2005, (BBC, 2005)(BBC, 2005)

Jet crash, Venezuela, 2005, Jet crash, Venezuela, 2005, (BBC, 2005)(BBC, 2005)

Oil rig fire, India, 2005, (BBC, Oil rig fire, India, 2005, (BBC, 2005)2005)

Several accidents, PEMEX, Several accidents, PEMEX, Mexico, 2005, (Vidal, 2005)Mexico, 2005, (Vidal, 2005)

The above have highlighted the The above have highlighted the need for addressing safety need for addressing safety proactively. proactively.

In addition to this, the In addition to this, the emergence of new regulations emergence of new regulations and international standards has and international standards has driven organizations to improve driven organizations to improve their safety performance. As a their safety performance. As a result of this, organizations result of this, organizations have to some extent shifted have to some extent shifted from a prescriptive approach to from a prescriptive approach to a flexible approach to risk. a flexible approach to risk.

Under the prescriptive Under the prescriptive approach, regulations explain approach, regulations explain how to ‘achieve safety’, whilst how to ‘achieve safety’, whilst with the flexible approach, with the flexible approach, regulations explains what regulations explains what organizations must achieve but organizations must achieve but leaves how they achieve it to leaves how they achieve it to them them

Working On Safety, Netherlands, 2006Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICOSEPI-ESIME-IPN-MEXICO

2.2. Safety management systemsSafety management systems A great deal of effort has been made, by both academe and A great deal of effort has been made, by both academe and

regulators, and industry, to investigate and develop approaches to regulators, and industry, to investigate and develop approaches to address safety and the environment.address safety and the environment.

Environmental & quality management systemsEnvironmental & quality management systems

BS EN ISO 14000 seriesBS EN ISO 14000 series BS EN ISO 9000 seriesBS EN ISO 9000 series

Health & Safety Management SystemsHealth & Safety Management Systems HSG65 (1997)-Successful health & safety managementHSG65 (1997)-Successful health & safety management BS 8800: 2004-Occupational health & safety management systems BS 8800: 2004-Occupational health & safety management systems

guideguide OHSAS 18001: Occupational health & safety management systems OHSAS 18001: Occupational health & safety management systems

(OHSMS)(OHSMS) ANSI/AIHA Z10ANSI/AIHA Z10: Occupational health and safety management systems: Occupational health and safety management systems ILO OSH: 2001-Guidelines on occupational safety & health ILO OSH: 2001-Guidelines on occupational safety & health

management systemsmanagement systems

Environmental & quality management systemsEnvironmental & quality management systems BS EN ISO 14000 seriesBS EN ISO 14000 series BS EN ISO 9000 seriesBS EN ISO 9000 series

OtherOther


http://www.eaglegroupusa.com/Z10.htm

3. The need for a systemic approach3. The need for a systemic approach The approaches to safety reviewed in the last The approaches to safety reviewed in the last

section seem to put emphasis on management section seem to put emphasis on management functions, guidelines, industry standards, quality functions, guidelines, industry standards, quality principles, to establish the SMS of organizations. principles, to establish the SMS of organizations. These approaches may represent a step forward These approaches may represent a step forward to managing safety but may not be enough to to managing safety but may not be enough to address the management of risk effectively.address the management of risk effectively.

Furthermore, it may be argued that these Furthermore, it may be argued that these approaches are ‘systematic’. To be ‘systematic’ approaches are ‘systematic’. To be ‘systematic’ is to be ‘methodical’ or ‘tidy’. In this context it is to be ‘methodical’ or ‘tidy’. In this context it means that the approaches tend to concentrate means that the approaches tend to concentrate on functions dealing with policy, organising, on functions dealing with policy, organising, planning, audit, measuring performance, etc. planning, audit, measuring performance, etc.

All of these functions are necessary but may not All of these functions are necessary but may not be sufficient to achieve effectiveness of a SMS. be sufficient to achieve effectiveness of a SMS. It is certainly important to be systematic. It is certainly important to be systematic. However, a SMS needs to be more than this; it is However, a SMS needs to be more than this; it is also necessary to try to be ‘systemic’. also necessary to try to be ‘systemic’.


a SMS should try to consider the a SMS should try to consider the organization in its entirety; i.e. from top to organization in its entirety; i.e. from top to bottom; the channels of communication, bottom; the channels of communication, the people, etc. In addition, it should take the people, etc. In addition, it should take into account the ‘environment’; i.e., all into account the ‘environment’; i.e., all those circumstances that lie outside the those circumstances that lie outside the system to which the system response is system to which the system response is necessary; for example political & necessary; for example political & economic drivers. economic drivers.

In short, there is a need for a In short, there is a need for a systemicsystemic approach. approach. SystemicSystemic may be defined as may be defined as trying to see things as a whole and trying to see things as a whole and attempting to see events, including failure, attempting to see events, including failure, as products of a working of a system. as products of a working of a system.

A A systemicsystemic approach has been adopted to approach has been adopted to construct a SSMS modelconstruct a SSMS model


4. A systemic safety management 4. A systemic safety management systemsystem

The Systemic Safety Management System The Systemic Safety Management System (SSMS) model is intended to maintain risk (SSMS) model is intended to maintain risk within an acceptable range in an within an acceptable range in an organization’s operations in a coherent way. organization’s operations in a coherent way.

The model is proposed as a The model is proposed as a sufficientsufficient structure for an effective safety structure for an effective safety management system. management system.

It has a fundamentally It has a fundamentally preventivepreventive potentiality in that if all the sub-systems potentiality in that if all the sub-systems and channels of communication are present and channels of communication are present and working effectively the probability of a and working effectively the probability of a failure should be less than otherwise. failure should be less than otherwise.


The fundamental characteristics of the The fundamental characteristics of the SSMSSSMS

The SSMS and Its EnvironmentThe SSMS and Its Environment Commitment to safetyCommitment to safety A recursive structure (i.e. ‘layered’) and A recursive structure (i.e. ‘layered’) and

relative autonomyrelative autonomy A structural organization which consists of A structural organization which consists of

a ‘basic unit’ in which it is necessary to a ‘basic unit’ in which it is necessary to achieve five functions associated with achieve five functions associated with systems 1 to 5.systems 1 to 5.

Concepts of Concepts of ViabilityViability, MRA (Maximum Risk , MRA (Maximum Risk Acceptable) and acceptable range of riskAcceptable) and acceptable range of risk

Four principles of organizationFour principles of organization ‘‘Paradigms’ are intended to act as Paradigms’ are intended to act as

‘templates’ giving essential features for ‘templates’ giving essential features for ‘human factors’ and for effective ‘human factors’ and for effective communication & control.communication & control.


4.14.1 Commitment to safetyCommitment to safety

An Externally Committed System (ECS) refers to An Externally Committed System (ECS) refers to the safety performance of systems that are the safety performance of systems that are committed to a particular purpose, function, or committed to a particular purpose, function, or objective based on external reasons or objective based on external reasons or motivation. This definition addresses both motivation. This definition addresses both technical aspects and humans. For example, tasks technical aspects and humans. For example, tasks in the organization are defined by others, etc.in the organization are defined by others, etc.

An Internally Committed System (ICS) is a system An Internally Committed System (ICS) is a system that is committed to a particular purpose or that is committed to a particular purpose or objective based on its own reasons or motivation. objective based on its own reasons or motivation. In other words, an ICS refers to the critical In other words, an ICS refers to the critical awareness of self-reflective human beings awareness of self-reflective human beings regarding their purposes and the implications of regarding their purposes and the implications of their actions for all those who might be affected their actions for all those who might be affected by the consequences. For instance, employees by the consequences. For instance, employees participate in defining tasks, etc.participate in defining tasks, etc.


4.24.2 The SSMS & Its EnvironmentThe SSMS & Its Environment


4*

55

44

33 2

SMU

Total environment

3* system 1system 1

‘hot-

line ’

Operations

4*4*

The environmentThe environment

Tota

l

En

vir

on

men

t

‘‘Environment’Environment’ may be understood as being may be understood as being those circumstances to which the SSMS those circumstances to which the SSMS response is necessary.response is necessary.

‘‘Environment’Environment’ lies outside the SSMS but interacts lies outside the SSMS but interacts with it; it is the source of circumstances that threaten with it; it is the source of circumstances that threaten the system;the system;

Examples:Examples:

Socio Political Socio Political (legislation, regulatory enforcement, (legislation, regulatory enforcement, major accidents, technology, trade unions, national & major accidents, technology, trade unions, national & local cultures, etc.)local cultures, etc.)

Economical Economical (trading conditions, economic interests, (trading conditions, economic interests, etc.)etc.)

Physical Physical (geographical location, climate, etc.)(geographical location, climate, etc.)


4.34.3 Recursive structure of the SSMSRecursive structure of the SSMS RecursionRecursion may be regarded as a ‘level’, may be regarded as a ‘level’,

which has other levels below or above itwhich has other levels below or above it

TSMU

System System 11

TO

Recursion Recursion 11 (Level 1)(Level 1)

TSMU= Total Safety Management Unit

TO= Total Operations


ASMU= A-Safety Management UnitAO = A-OperationsBSMU = B-Safety Management UnitBO = B-Operations

System 1System 1


TSMU= Total Safety Management UnitTO= Total Operations

System 1System 1

TSMU

TO

TO

ASMUBSMU

BO AO


TSMU

Recursive structureRecursive structure


TSMU= Total Safety Management UnitTO= Total Operations

Recursion 1 (Level 1)

Recursive structure of the SSMS Recursive structure of the SSMS modelmodel

ASMU= A-Safety Management UnitAO = A-OperationsBSMU = B-Safety Management UnitBO = B-Operations

System 1

A-Operations

TSMU

TSMU

BO

BSMU

TO

Level 2

B-Operations

B3O

B2SMU

B1SMU

B1O

B2O

A3O

B3SMU

Total Operations

Sub-systems that form part of

system 1

System 1

System 1

A2O A1O

System 1

Horizontal inter-dependence

Vert

ical in

ter-

dependence

AO

ASMU




TRSMU= Total Railway Safety Management Unit

TRO= Total Railway Operations

(Level 1)Example-Recursive Example-Recursive structurestructure

RISMU= Rail Infrastructure Safety Management UnitRIO = Rail Infrastructure OperationsTSMU = Train Safety Management UnitTO = Train Operations

System 1

RIO

TSMU

TRSMU

TO

TSMU

TRO

Level 2

TO

OO

OSMU

TRO

System 1

TKO SO

System 1

Vert

ical in

ter-

dependence

RIO

RISMU


TKSMU

SSMU

SSMU= Signalling Safety Management UnitSO = Signalling OperationsTKSMU = Track Safety Management UnitTKO = Track OperationsOSMU= Other Safety Management UnitOO = Other Operations


4*

55

44

33 2

SMU

Total environment

3* system 1system 1

‘hot-

line ’

Operations

4*4*

4.44.4 Structural organization of the Structural organization of the SSMSSSMS


Total environment

SMU

system system 11

Operations

System 1: safety-policy implementationSystem 1: safety-policy implementationFunction of system 1:System 1 implements safety policies in the operations of system 1. System 1 consists of one or more operations within an organization that deal directly with the organization’s ‘core’ activities.

The circle encloses all the relevant operations or activities thattake place to produce products or services.

It should be monitored because it is here where risks are created.

Components of system 1:The square box deals with all the managerial activityneeded to run the operations and implements the safety policy of the organization.

It monitors on a continuous basis the level of risk in the operations.


SMU

system system 11

Operations

System 1’s ‘environment’.

The elliptical symbol represents the ‘environment’ of system 1. Environment lies outside the system 1 but interacts with it. It influences and is influenced by system 1.

For instance, system 1 should monitor the resources and information entering the organization; so that hazards and risks are eliminated or minimized.

In addition, system 1 should consider all those aspects described in section 4.2.

The lines that connect the square, circle & the elliptical symbol refer to the channels of communication.


Safety management and the monitoring process

Control and communication may be regarded as the key concepts in the process of safety management and monitoring.

The objective of the safety management system (SMS) is to maintain risk within an acceptable range & its main activities are:

SMU

system system 11

Operations

{a} to monitor the resources (e.g. materials, people, machines, etc) and information entering the organization; i.e. the operations, so that hazards and risks are eliminated or kept within an acceptable range.


{b} to plan or set safety objectives (e.g. performance standards). These safety objectives may be represented in comparators. The function of a comparator is to enable comparison with the risk related ‘output’, that is, to compare risk related performance with the planned safety objectives.

In doing this, the SMU can detect any deviation from the planned safety objectives through the comparator.

If a deviation occurs then the SMU would adjust the ‘operations’ and bring it in line with the accepted criteria.

SMU

system system 11

Operations


{c} to devise “risk control systems” (RCS) which should, in principle, address the risks created in the operations of the organization.

The RCS should reflect the risk profile; that is, the greater the risk, the more robust and reliable the control systems need to be.

SMU

system system 11

Operations


The main activities involved are the following:

{1} Hazard identification: finding out what could possibly happen within the system which could lead to harm.

This means identifying ‘crucial events’ and possible consequences.

{2} Risk Analysis: to estimate the probabilities of particular consequences.

{3} Risk Evaluation: deciding what to do i.e. how to control the risk; deciding on suitable measures to control or eliminate risk.


De-composition of system 1De-composition of system 1System 1 may be decomposed into geography or functions. System 1 de-composed on a basis of functions

S&ES= Signaller & Engineer Supervisor

ESTO = Engineer’s scrap train Operations

S&ES = Signaller & Engineer Supervisor

TAO = Tamping Operations

ES= Engineer Supervisor

MMO = Movement of S&C materials Operations

System 1

ESTO

TAO

MMO

S&ES

S&ES

ES

Example: Maintenance work – Railway system


RISMU = Rail Infrastructure RISMU = Rail Infrastructure Safety Management UnitSafety Management UnitRIO = Rail Infrastructure RIO = Rail Infrastructure OperationsOperationsTSMU= Train Safety TSMU= Train Safety Management UnitManagement UnitTO = Train OperationsTO = Train Operations

System 1

TO

RIO RISMU

TSMU

PSMU= Piper Safety Management UnitPSMU= Piper Safety Management UnitPAO = Piper Alpha OperationsPAO = Piper Alpha OperationsCSMU = Claymore Safety Management CSMU = Claymore Safety Management UnitUnitCLO = Claymore OperationsCLO = Claymore OperationsTSMU= Tartan Safety Management UnitTSMU= Tartan Safety Management UnitTARO = Tartan OperationsTARO = Tartan OperationsMCSMU = MC Safety Management UnitMCSMU = MC Safety Management UnitMCO = MCP-01 OperationsMCO = MCP-01 OperationsFSMU = Flotta Safety Management UnitFSMU = Flotta Safety Management UnitFLO = Flotta OperationsFLO = Flotta Operations

System 1 PAO

MCO

TARO

FLO

CLO

FSMU

MCSMU

TSMU

CSMU

PSMU

(a) Track / Rail interface – Railway system (c) Piper Alpha field


Horizontal inter-dependenceHorizontal inter-dependence

PSMU= Piper Safety Management UnitPSMU= Piper Safety Management Unit PAO = Piper Alpha PAO = Piper Alpha OperationsOperationsCSMU = Claymore Safety Management UnitCSMU = Claymore Safety Management Unit CO = Claymore OperationsCO = Claymore OperationsTSMU = Tartan Safety Management UnitTSMU = Tartan Safety Management Unit TO = Tartan TO = Tartan OperationsOperationsMCSMU = MC Safety Management UnitMCSMU = MC Safety Management Unit MCPO = MCP MCPO = MCP OperationsOperationsFSMU = Flotta Safety Management UnitFSMU = Flotta Safety Management Unit FTO = Flotta FTO = Flotta Terminal OperationsTerminal Operations

PSMU

PAO

MCPO

TSMU CSMU

COTO

MCSMU

FTO

FSMU

HORIZONTAL INTER-DEPENDENCE


4*

55

44

33 2

SMU

Total environment

3* system 1system 1

‘hot-

line ’

Operations

4*4*

System 1 & systems 2,3 &3*System 1 & systems 2,3 &3*

System 1: implements safety policies in the organization’s operations. System 1 consists of one or more operations within the industry that deal directly with the organization’s ‘core’ business activities.


System 2: Safety–Co-ordinationSystem 2: Safety–Co-ordination

• to co-ordinate the activities of to co-ordinate the activities of the operations of system 1 the operations of system 1 (System 1 is made of two or (System 1 is made of two or more sub-systems)more sub-systems)

• along with system 1, along with system 1, implements the safety plans implements the safety plans received from system 3received from system 3

• informs system 3 about the informs system 3 about the performance of the operations performance of the operations of system 1.of system 1.

• Examples:Examples:

• maintenance schedules, maintenance schedules, process changes, etc.process changes, etc.

• co-ordination during an co-ordination during an emergencyemergency


4*

5

4

32

Total Environme

nt

3*

System 1

‘ hot-line’

ASMU

BSMUBO

AO

System 3: Safety–functionalSystem 3: Safety–functional• directly responsible for directly responsible for maintaining risk within an maintaining risk within an acceptable range in system 1.acceptable range in system 1.

• ensures that system 1 ensures that system 1 implements the safety implements the safety policies.policies.

• it achieves its function on a it achieves its function on a day-to-day basis according to day-to-day basis according to the plans received from the plans received from system 4system 4

• requests from systems 1, requests from systems 1, 2&3* information about the 2&3* information about the performance of system 1 to performance of system 1 to formulate its safety plans & to formulate its safety plans & to communicate future needs to communicate future needs to system 4.system 4.

• responsible for allocating responsible for allocating the necessary resources to the necessary resources to system 1 to accomplish the system 1 to accomplish the safety plans; e.g. training, etc.safety plans; e.g. training, etc.


4*

55

44

33 2

SMU

3*system 1system 1

‘hot-

line ’

Operations

4*4*

System 3*: safety – AuditSystem 3*: safety – Audit

4*

55

44

33 2

SMU

3*system 1system 1

‘hot-

line ’

Operations

4*4*

• conduct audits sporadically conduct audits sporadically into the operations of system into the operations of system 11

• intervenes in the operations intervenes in the operations of system 1 according to the of system 1 according to the plans received from system 3plans received from system 3

• needs to ensure that the needs to ensure that the reports received from system reports received from system 1 reflect not only the current 1 reflect not only the current status of the operations of status of the operations of system 1, but are also aligned system 1, but are also aligned with the overall objectives of with the overall objectives of the organizationthe organization

• Examples: Examples:

• revisions of the adequacy revisions of the adequacy & functioning of the fixed & functioning of the fixed installations; i.e. fire installations; i.e. fire fighting systems, electrical fighting systems, electrical supply systems, water supply systems, water supply systems, etc.supply systems, etc.

System 4: safety – developmentSystem 4: safety – development

• concerned with safety concerned with safety related research & related research & development for the continual development for the continual adaptation of the safety adaptation of the safety management system as a management system as a wholewhole

By considering strengths, By considering strengths, weaknesses, threats & weaknesses, threats & opportunities, system 4 can opportunities, system 4 can suggest changes to the safety suggest changes to the safety policiespolicies

• first, it deals with the policy first, it deals with the policy received from system 5received from system 5

• second, it senses all relevant second, it senses all relevant threats & opportunities from threats & opportunities from the ‘total environment’the ‘total environment’

• third, deals with all relevant third, deals with all relevant needs of system 1’s needs of system 1’s performance & its potential performance & its potential future. future.

55

44

33 2

SMU

3*system 1system 1

‘hot-

line ’

OperationsTota

l En

vir

onm

ent

Tota

l En

vir

onm

ent


System 4*: safety–Confidential reportSystem 4*: safety–Confidential report

55

44

33 2

SMU

3* system 1system 1

‘hot-

line ’

Operations

4*4*

• is part of system 4 and is is part of system 4 and is concerned with confidential concerned with confidential reports or causes of concern reports or causes of concern from any person, about any from any person, about any aspects, some of which may aspects, some of which may require the direct and require the direct and immediate intervention of immediate intervention of system 5.system 5.


System 5: safety–PolicySystem 5: safety–Policy• responsible for deliberating responsible for deliberating disaster prevention policies & disaster prevention policies & for making normative for making normative decisionsdecisions

• according to alternative according to alternative plans received from system 4, plans received from system 4, system 5 considers and system 5 considers and chooses feasible alternatives, chooses feasible alternatives, which aim to maintain the risk which aim to maintain the risk within an acceptable range in within an acceptable range in the operations of system 1.the operations of system 1.

• it also monitors the it also monitors the interaction between systems 3 interaction between systems 3 & 4.& 4.

• Examples: Examples:

•Promote the culture of Promote the culture of safety throughout the safety throughout the whole system; whole system;

55

44

33 2

SMU

3*system 1system 1

‘hot-

line ’

Operations


Hot-line: any cause of concernHot-line: any cause of concern

4*

55

44

33 2

SMU

3* system 1system 1

‘‘ hot-

line ’

hot-

line ’

Operations

4*4*

• direct communication or direct communication or ‘Hot-line’ for use in an ‘Hot-line’ for use in an exceptional circumstancesexceptional circumstances



Viability = P (the SSMS has the capacity to maintain the risk within an acceptable range for a stated period of time).

complementary to the concepts, Risk and Reliability:Risk = P (particular adverse consequence)

Reliability = P (item or system will perform a required function, under stated conditions, for a stated period of time)

Viability is defined in relation to an acceptable range for the risk, which may be regarded as a range from zero risk to a MRA.Given this, there is a general expectation that the risk should be well below the MRA.

4.54.5 The Viability, reliability, risk & The Viability, reliability, risk & MRA MRA

Totally unacceptable region

Acceptable region

MRA

Zero risk

Communication

Communication is vital in the management of safety of anyorganization. The communication paradigm is intended to help to identified weaknesses of the SSMS; i.e., links missing, inadequate, etc. A communication paradigm has been suggested by Fortune and Peters (1995).

The model shows a dynamic two-way process of communication in which the sender’s message can be used to modify subsequent messages.

4.6 Paradigms for Communication and control


Rules forsymbol use

English language

rules

Destination

Train driver

DecoderAlarm sound in the cab &

message flashes up on a screen-Cab

Channel

Cab Secure Radio (CSR) or DOO radio

Encoder

Message sent by

keyboard

Source

Signaller

Rules forsymbol use

EnglishLanguage

rules

Rules forsymbol use

Language of the signaller

Rules forsymbol use

Language of the train

driver

Feedback verification

Close approximation

Close approximation

Noise

(Assuming to be special terms in the (Assuming to be special terms in the railway industry plus the English railway industry plus the English

language)language)

(Assumed to be English grammar plus (Assumed to be English grammar plus special language between signallers & special language between signallers &

train driver)train driver)

Message: “an emergency stop message”

e.g. faulty keyboards

e.g. faulty secure radio

e.g. faulty alarm in the driver’s cab.Failure of the screen on the driver’s dashboard to flash up the message

Noise

Noise

Communication paradigm - example of communicationCommunication paradigm - example of communication between a signaller and a train driver.between a signaller and a train driver.


Control

A basic control paradigm is shown in Fig. B2.This diagram is intended to be interpreted in a very general sense and not simply in a ‘hard engineering’ way. The management or controller and the system or organization under control is inseparable in the SSMS model.

The sources of control are spread through the whole structure of the SSMS rather than localised within a separate system.


Operations

Proactive

adjuster

Output

Basis for comparison

Input

Unexpected disturbances

Comparator

Input changer-A

Reactive adjuster

Input changer -B

Control ParadigmControl Paradigm


5.5. ConclusionsConclusions A Systemic Safety Management System (SSMS) A Systemic Safety Management System (SSMS)

model has been put forward. model has been put forward. The SSMS aims to maintain risk within an acceptable range The SSMS aims to maintain risk within an acceptable range

in the operations of any organization in a coherent way.in the operations of any organization in a coherent way.

If the features of the model; i.e. the systems, their If the features of the model; i.e. the systems, their associated functions, and the channels of communication associated functions, and the channels of communication are in place and working effectively then the probability of are in place and working effectively then the probability of an accident should be less than otherwise. an accident should be less than otherwise.

In this way the SSMS has a fundamentally In this way the SSMS has a fundamentally preventive preventive potentialitypotentiality. The model is intended to provide a sufficient . The model is intended to provide a sufficient set of features (including structure and process) to achieve set of features (including structure and process) to achieve the aim of maintaining risk within an acceptable range. the aim of maintaining risk within an acceptable range.

The idea of the The idea of the viabilityviability of a safety management system of a safety management system has been introduced; the viability being the probability that has been introduced; the viability being the probability that the safety management system will be able to maintain the the safety management system will be able to maintain the risk within an acceptable range for a given period of time. risk within an acceptable range for a given period of time.


ConclusionsConclusions The model is capable of being applied The model is capable of being applied

proactively in the case of a new system or an proactively in the case of a new system or an existing one as well as reactively. existing one as well as reactively.

In the latter case a past failure, whether In the latter case a past failure, whether disastrous or not, may be examined using the disastrous or not, may be examined using the SSMS model. In this way, lessons may be drawn SSMS model. In this way, lessons may be drawn from past accidents. from past accidents.

It may also be employed as a ‘template’ to It may also be employed as a ‘template’ to examine an existing SMS. examine an existing SMS.

In the case of a new installation the safety In the case of a new installation the safety management system should be considered at management system should be considered at the very beginning of the design stage; not as a the very beginning of the design stage; not as a ‘bolt-on’ at the end.‘bolt-on’ at the end.

It is hoped that this approach will lead to more It is hoped that this approach will lead to more effective management of safety. effective management of safety.


A Systemic Approach to Safety Management

Documents

Transcript of A Systemic Approach to Safety Management