1 / 40

A Systemic Approach to Safety Management

A Systemic Approach to Safety Management. By Jaime Santos-Reyes. SEPI-ESIME-IPN-MEXICO. & Alan N. Beard. Heriot-Watt University, UK. Working On Safety, Netherlands, 2006. SEPI-ESIME-IPN-MEXICO. A Systemic Approach to Disaster Management. Contents Introduction Safety management systems

rey
Télécharger la présentation

A Systemic Approach to Safety Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Systemic Approach to Safety Management By Jaime Santos-Reyes SEPI-ESIME-IPN-MEXICO & Alan N. Beard Heriot-Watt University, UK. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  2. A Systemic Approach to Disaster Management Contents • Introduction • Safety management systems • The need for a systemic approach • A systemic safety management system model • Conclusions Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  3. Bhopal, India, 1984, (Bidwai, 1984) San Juanico, México, 1984, (Bleve, 1985) Piper Alpha, UK, 1988, (Cullen, 1990) Chernobyl, Ukraine, 1987, (Mosey, 1990) Train disaster, Pakistan, 2005, (BBC, 2005) Paddington train accident, UK, 1999, (Cullen, 2001) Eschede train accident, Germany, 1998 (Kuepper, 1999) Train accident, Japan, 2005, (BBC, 2005) Jet crash, Venezuela, 2005, (BBC, 2005) Oil rig fire, India, 2005, (BBC, 2005) Several accidents, PEMEX, Mexico, 2005, (Vidal, 2005) The above have highlighted the need for addressing safety proactively. In addition to this, the emergence of new regulations and international standards has driven organizations to improve their safety performance. As a result of this, organizations have to some extent shifted from a prescriptive approach to a flexible approach to risk. Under the prescriptive approach, regulations explain how to ‘achieve safety’, whilst with the flexible approach, regulations explains what organizations must achieve but leaves how they achieve it to them 1. Introduction Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  4. 2. Safety management systems • A great deal of effort has been made, by both academe and regulators, and industry, to investigate and develop approaches to address safety and the environment. • Environmental & quality management systems • BS EN ISO 14000 series • BS EN ISO 9000 series • Health & Safety Management Systems • HSG65 (1997)-Successful health & safety management • BS 8800: 2004-Occupational health & safety management systems guide • OHSAS 18001: Occupational health & safety management systems (OHSMS) • ANSI/AIHA Z10: Occupational health and safety management systems • ILO OSH: 2001-Guidelines on occupational safety & health management systems • Environmental & quality management systems • BS EN ISO 14000 series • BS EN ISO 9000 series • Other Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  5. 3. The need for a systemic approach • The approaches to safety reviewed in the last section seem to put emphasis on management functions, guidelines, industry standards, quality principles, to establish the SMS of organizations. These approaches may represent a step forward to managing safety but may not be enough to address the management of risk effectively. • Furthermore, it may be argued that these approaches are ‘systematic’. To be ‘systematic’ is to be ‘methodical’ or ‘tidy’. In this context it means that the approaches tend to concentrate on functions dealing with policy, organising, planning, audit, measuring performance, etc. • All of these functions are necessary but may not be sufficient to achieve effectiveness of a SMS. It is certainly important to be systematic. However, a SMS needs to be more than this; it is also necessary to try to be ‘systemic’. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  6. a SMS should try to consider the organization in its entirety; i.e. from top to bottom; the channels of communication, the people, etc. In addition, it should take into account the ‘environment’; i.e., all those circumstances that lie outside the system to which the system response is necessary; for example political & economic drivers. • In short, there is a need for a systemic approach. Systemic may be defined as trying to see things as a whole and attempting to see events, including failure, as products of a working of a system. • A systemic approach has been adopted to construct a SSMS model Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  7. 4. A systemic safety management system • The Systemic Safety Management System (SSMS) model is intended to maintain risk within an acceptable range in an organization’s operations in a coherent way. • The model is proposed as a sufficient structure for an effective safety management system. • It has a fundamentally preventive potentiality in that if all the sub-systems and channels of communication are present and working effectively the probability of a failure should be less than otherwise. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  8. The fundamental characteristics of the SSMS • The SSMS and Its Environment • Commitment to safety • A recursive structure (i.e. ‘layered’) and relative autonomy • A structural organization which consists of a ‘basic unit’ in which it is necessary to achieve five functions associated with systems 1 to 5. • Concepts of Viability, MRA (Maximum Risk Acceptable) and acceptable range of risk • Four principles of organization • ‘Paradigms’ are intended to act as ‘templates’ giving essential features for ‘human factors’ and for effective communication & control. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  9. 4.1 Commitment to safety • An Externally Committed System (ECS) refers to the safety performance of systems that are committed to a particular purpose, function, or objective based on external reasons or motivation. This definition addresses both technical aspects and humans. For example, tasks in the organization are defined by others, etc. • An Internally Committed System (ICS) is a system that is committed to a particular purpose or objective based on its own reasons or motivation. In other words, an ICS refers to the critical awareness of self-reflective human beings regarding their purposes and the implications of their actions for all those who might be affected by the consequences. For instance, employees participate in defining tasks, etc. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  10. 5 4 4* 4* 3 2 3* system 1 ‘hot-line ’ Total environment SMU Operations 4.2 The SSMS & Its Environment Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  11. The environment ‘Environment’ may be understood as being those circumstances to which the SSMS response is necessary. ‘Environment’lies outside the SSMS but interacts with it; it is the source of circumstances that threaten the system; Examples: Socio Political (legislation, regulatory enforcement, major accidents, technology, trade unions, national & local cultures, etc.) Economical (trading conditions, economic interests, etc.) Physical (geographical location, climate, etc.) Total Environment Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  12. System 1 Recursion 1 (Level 1) TSMU TO 4.3 Recursive structure of the SSMS • Recursionmay be regarded as a ‘level’, which has other levels below or above it TSMU= Total Safety Management Unit TO= Total Operations Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  13. System 1 TSMU TO TO TSMU BSMU ASMU BO AO Recursion 2 (Level 2) Recursion 1 (Level 1) Recursive structure TSMU= Total Safety Management Unit TO= Total Operations ASMU= A-Safety Management Unit AO = A-Operations BSMU = B-Safety Management Unit BO = B-Operations System 1 Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  14. TSMU System 1 TO Total Operations System 1 BSMU ASMU TSMU BO AO Level 2 Vertical inter-dependence B-Operations System 1 B3SMU B2SMU B1SMU B3O B2O B1O A-Operations Sub-systems that form part of system 1 A3O A2O A1O Horizontal inter-dependence Recursion 3 (Level 3) System 1 Recursive structure of the SSMS model Recursion 1 (Level 1) TSMU= Total Safety Management Unit TO= Total Operations ASMU= A-Safety Management Unit AO = A-Operations BSMU = B-Safety Management Unit BO = B-Operations Recursion 3 (Level 3) Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  15. System 1 TRSMU TRO TRO TSMU RISMU TSMU TO RIO Level 2 Vertical inter-dependence System 1 TO System 1 RIO OSMU TKSMU SSMU OO TKO SO Recursion 3 (Level 3) (Level 1) Example-Recursive structure TRSMU= Total Railway Safety Management Unit TRO= Total Railway Operations RISMU= Rail Infrastructure Safety Management Unit RIO = Rail Infrastructure Operations TSMU = Train Safety Management Unit TO = Train Operations SSMU= Signalling Safety Management Unit SO = Signalling Operations TKSMU = Track Safety Management Unit TKO = Track Operations OSMU= Other Safety Management Unit OO = Other Operations Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  16. 5 4 4* 4* 3 2 3* system 1 ‘hot-line ’ Total environment SMU Operations 4.4 Structural organization of the SSMS Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  17. system 1 SMU Operations System 1: safety-policy implementation Function of system 1: System 1 implements safety policies in the operations of system 1. System 1 consists of one or more operations within an organization that deal directly with the organization’s ‘core’ activities. Components of system 1: The square boxdeals with all the managerial activity needed to run the operations and implements the safety policy of the organization. It monitors on a continuous basis the level of risk in the operations. Total environment The circle encloses all the relevant operations or activities that take place to produce products or services. It should be monitored because it is here where risks are created. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  18. System 1’s ‘environment’. The elliptical symbol represents the ‘environment’ of system 1. Environment lies outside the system 1 but interacts with it. It influences and is influenced by system 1. For instance, system 1 should monitor the resources and information entering the organization; so that hazards and risks are eliminated or minimized. system 1 SMU Operations In addition, system 1 should consider all those aspects described in section 4.2. The lines that connect the square, circle & the elliptical symbol refer to the channels of communication. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  19. SMU Operations system 1 Safety management and the monitoring process Control and communication may be regarded as the key concepts in the process of safety management and monitoring. The objective of the safety management system (SMS) is to maintain risk within an acceptable range & its main activities are: {a} to monitor the resources (e.g. materials, people, machines, etc) and information entering the organization; i.e. the operations, so that hazards and risks are eliminated or kept within an acceptable range. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  20. SMU Operations system 1 {b} to plan or set safety objectives (e.g. performance standards). These safety objectives may be represented in comparators. The function of a comparator is to enable comparison with the risk related ‘output’, that is, to compare risk related performance with the planned safety objectives. In doing this, the SMU can detect any deviation from the planned safety objectives through the comparator. If a deviation occurs then the SMU would adjust the ‘operations’ and bring it in line with the accepted criteria. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  21. SMU Operations system 1 {c} to devise “risk control systems” (RCS) which should, in principle, address the risks created in the operations of the organization. The RCS should reflect the risk profile; that is, the greater the risk, the more robust and reliable the control systems need to be. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  22. The main activities involved are the following: {1} Hazard identification: finding out what could possibly happen within the system which could lead to harm. This means identifying ‘crucial events’ and possible consequences. {2} Risk Analysis: to estimate the probabilities of particular consequences. {3} Risk Evaluation: deciding what to do i.e. how to control the risk; deciding on suitable measures to control or eliminate risk. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  23. De-composition of system 1 ESTO S&ES TAO S&ES MMO ES System 1 may be decomposed into geography or functions. System 1 de-composed on a basis of functions System 1 S&ES= Signaller & Engineer Supervisor ESTO = Engineer’s scrap train Operations S&ES = Signaller & Engineer Supervisor TAO = Tamping Operations ES= Engineer Supervisor MMO = Movement of S&C materials Operations Example: Maintenance work – Railway system Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  24. System 1 PAO PSMU System 1 CLO CSMU RIO RISMU TARO TSMU TO TSMU MCO MCSMU FLO FSMU RISMU = Rail Infrastructure Safety Management Unit RIO = Rail Infrastructure Operations TSMU= Train Safety Management Unit TO = Train Operations PSMU= Piper Safety Management Unit PAO = Piper Alpha Operations CSMU = Claymore Safety Management Unit CLO = Claymore Operations TSMU= Tartan Safety Management Unit TARO = Tartan Operations MCSMU = MC Safety Management Unit MCO = MCP-01 Operations FSMU = Flotta Safety Management Unit FLO = Flotta Operations (a) Track / Rail interface – Railway system (c) Piper Alpha field Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  25. Horizontal inter-dependence TSMU MCSMU FSMU CSMU PSMU MCPO TO PAO CO FTO HORIZONTAL INTER-DEPENDENCE PSMU= Piper Safety Management Unit PAO = Piper Alpha Operations CSMU = Claymore Safety Management Unit CO = Claymore Operations TSMU = Tartan Safety Management Unit TO = Tartan Operations MCSMU = MC Safety Management Unit MCPO = MCP Operations FSMU = Flotta Safety Management Unit FTO = Flotta Terminal Operations Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  26. 5 4 4* 4* 3 2 3* system 1 ‘hot-line ’ Total environment SMU Operations System 1 & systems 2,3 &3* System 1: implements safety policies in the organization’s operations. System 1 consists of one or more operations within the industry that deal directly with the organization’s ‘core’ business activities. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  27. 5 4 4* 3 2 3* System 1 ‘ hot-line’ Total Environment AO ASMU BSMU BO System 2: Safety–Co-ordination • to co-ordinate the activities of the operations of system 1 (System 1 is made of two or more sub-systems) • along with system 1, implements the safety plans received from system 3 • informs system 3 about the performance of the operations of system 1. • Examples: • maintenance schedules, process changes, etc. • co-ordination during an emergency Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  28. 5 4 4* 4* 3 2 3* system 1 ‘hot-line ’ Operations SMU System 3: Safety–functional • directly responsible for maintaining risk within an acceptable range in system 1. • ensures that system 1 implements the safety policies. • it achieves its function on a day-to-day basis according to the plans received from system 4 • requests from systems 1, 2&3* information about the performance of system 1 to formulate its safety plans & to communicate future needs to system 4. • responsible for allocating the necessary resources to system 1 to accomplish the safety plans; e.g. training, etc. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  29. 5 4 4* 4* 3 2 3* system 1 ‘hot-line ’ Operations SMU System 3*: safety – Audit • conduct audits sporadically into the operations of system 1 • intervenes in the operations of system 1 according to the plans received from system 3 • needs to ensure that the reports received from system 1 reflect not only the current status of the operations of system 1, but are also aligned with the overall objectives of the organization • Examples: • revisions of the adequacy & functioning of the fixed installations; i.e. fire fighting systems, electrical supply systems, water supply systems, etc.

  30. 5 4 3 2 3* system 1 ‘hot-line ’ Total Environment Operations SMU System 4: safety – development • concerned with safety related research & development for the continual adaptation of the safety management system as a whole • By considering strengths, weaknesses, threats & opportunities, system 4 can suggest changes to the safety policies • first, it deals with the policy received from system 5 • second, it senses all relevant threats & opportunities from the ‘total environment’ • third, deals with all relevant needs of system 1’s performance & its potential future. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  31. 5 4 4* 3 2 3* system 1 ‘hot-line ’ Operations SMU System 4*: safety–Confidential report • is part of system 4 and is concerned with confidential reports or causes of concern from any person, about any aspects, some of which may require the direct and immediate intervention of system 5. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  32. 5 4 3 2 3* system 1 ‘hot-line ’ Operations SMU System 5: safety–Policy • responsible for deliberating disaster prevention policies & for making normative decisions • according to alternative plans received from system 4, system 5 considers and chooses feasible alternatives, which aim to maintain the risk within an acceptable range in the operations of system 1. • it also monitors the interaction between systems 3 & 4. • Examples: • Promote the culture of safety throughout the whole system; Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  33. 5 4 4* 4* 3 2 3* system 1 ‘hot-line ’ Operations SMU Hot-line: any cause of concern • direct communication or ‘Hot-line’ for use in an exceptional circumstances Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  34. Totally unacceptable region MRA • Acceptable region • Zero risk 4.5 The Viability, reliability, risk & MRA Viability = P (the SSMS has the capacity to maintain the risk within an acceptable range for a stated period of time). complementary to the concepts, Risk and Reliability: Risk = P (particular adverse consequence) Reliability = P (item or system will perform a required function, under stated conditions, for a stated period of time) Viability is defined in relation to an acceptable range for the risk, which may be regarded as a range from zero risk to a MRA. Given this, there is a general expectation that the risk should be well below the MRA. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  35. 4.6 Paradigms for Communication and control Communication Communication is vital in the management of safety of any organization. The communication paradigm is intended to help to identified weaknesses of the SSMS; i.e., links missing, inadequate, etc. A communication paradigm has been suggested by Fortune and Peters (1995). The model shows a dynamic two-way process of communication in which the sender’s message can be used to modify subsequent messages. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  36. (Assuming to be special terms in the railway industry plus the English language) Rules for symbol use Language of the signaller Rules for symbol use Language of the train driver Close approximation Message: “an emergency stop message” Feedback verification Source Signaller Encoder Message sent by keyboard Channel Cab Secure Radio (CSR) or DOO radio Decoder Alarm sound in the cab & message flashes up on a screen-Cab Destination Train driver Noise Noise Noise e.g. faulty alarm in the driver’s cab. Failure of the screen on the driver’s dashboard to flash up the message e.g. faulty keyboards e.g. faulty secure radio Rules for symbol use English language rules Rules for symbol use English Language rules Close approximation (Assumed to be English grammar plus special language between signallers & train driver) Communication paradigm - example of communication between a signaller and a train driver. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  37. Control A basic control paradigm is shown in Fig. B2. This diagram is intended to be interpreted in a very general sense and not simply in a ‘hard engineering’ way. The management or controller and the system or organization under control is inseparable in the SSMS model. The sources of control are spread through the whole structure of the SSMS rather than localised within a separate system. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  38. Unexpected disturbances Input Output Operations Input changer-A Input changer -B Proactive adjuster Basis for comparison Comparator Reactive adjuster Control Paradigm Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  39. 5. Conclusions • A Systemic Safety Management System (SSMS) model has been put forward. • The SSMS aims to maintain risk within an acceptable range in the operations of any organization in a coherent way. • If the features of the model; i.e. the systems, their associated functions, and the channels of communication are in place and working effectively then the probability of an accident should be less than otherwise. • In this way the SSMS has a fundamentally preventive potentiality. The model is intended to provide a sufficient set of features (including structure and process) to achieve the aim of maintaining risk within an acceptable range. • The idea of the viability of a safety management system has been introduced; the viability being the probability that the safety management system will be able to maintain the risk within an acceptable range for a given period of time. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

  40. Conclusions • The model is capable of being applied proactively in the case of a new system or an existing one as well as reactively. • In the latter case a past failure, whether disastrous or not, may be examined using the SSMS model. In this way, lessons may be drawn from past accidents. • It may also be employed as a ‘template’ to examine an existing SMS. • In the case of a new installation the safety management system should be considered at the very beginning of the design stage; not as a ‘bolt-on’ at the end. • It is hoped that this approach will lead to more effective management of safety. Working On Safety, Netherlands, 2006 SEPI-ESIME-IPN-MEXICO

More Related