4-4-safety management.ppt
TRANSCRIPT
Session 22
Safety Management
Safety Management - 2
Contents
Evolution of Safety Regulation Systems
- Level 1: Prescriptive standards
- Level 2: Process standards
- Level 3: Risk-based safety management (non-prescriptive standards)
- Level 4: Safety Management System
Safety Management Processes
- Safety management system and manual
- Safety management plan
Safety Management System (SMS)
- Purpose and scope
- Grand Challenges of SMS
Note: Some additional slides in lecture appendix
Safety Management - 3
A Typical Safety Argument
Recall (from this morning):
- Top-level goal: usually in a context that defines what “adequate safety” means
- Primary Argument: risks are appropriately controlled
- Secondary Argument: validity of the primary argument; adequacy, and correct use, of the processes
- Evidence: supports all elements of the argument
[Diagram: safety argument structure]
- Top-level goal: System and/or Organisation are Sufficiently Safe
- Primary argument: All Hazards are Sufficiently Mitigated Against (argument over individual hazards ...)
- Secondary argument: Methods and Processes Used to Construct Safety Case and its Evidence are Fit For Purpose (argument over individual methods and processes ...)
- Evidence: Definition of “Sufficiently Safe”: Mandatory Safety Targets; List of identified hazards; ... Evidence of implementation; Description of the methodology; ... Evidence of the process being followed
Safety Management - 4
Prescriptive Standards
Regulator
- Prescribes particular detailed solution
Company / Certificate Holder
- Ensures that standards are followed
- Produces evidence that solution has been appropriately implemented
Assumption (is it valid?)
- By implication, regulator has constructed appropriate safety case showing that “solutions” yield overall safety goal
[Diagram: the safety argument structure of the previous slide, annotated: Safety Case is trustworthy because of trustworthiness of the expertise of the regulator]
Safety Management - 5
Prescriptive Standards
Can be sufficient if:
- There are few companies in a regulated sector
  Regulator has good oversight of what each company is doing
  Few differences between companies
- There is a high level of state participation
  Heavy regulation is perceived acceptable by companies
- Systems (social and technical “components”) are relatively stable
  High degree of confidence in prescribed solution, e.g. military aviation in the inter-war / post-war period
Still workable for technical systems where there are accepted solutions
Unsuitable when there are too many differences between organisations
- For example, the general regulation of civil aviation
- Need a less prescriptive, more flexible and responsive approach…
Safety Management - 6
Process Standards
Regulator
- Sets overall safety requirements
- Prescribes safety and verification processes
Company / Certificate Holder
- Uses the process to design the socio-technical system
- Makes argument that proposed mechanisms will be sufficient
- Provides evidence that process followed and design implemented
Assumptions
- Implicit Secondary Argument
- Reflects regulator’s judgement
[Diagram: the safety argument structure of the earlier slide, annotated: The process is appropriate because it is suggested by the regulator (with vast experience and expertise)]
Safety Management - 7
Process Standards
Work well in some sub-sectors, where there is:
- Degree of similarity between regulated organisations / products
- Relatively slow and gradual evolution of practices in the sector
  e.g. some aspects of aircraft design / type certification
Unsuitable where there are fundamentally different business models
- For example, modern civil aviation sector as a whole
Safety Management - 8
Risk-Based Approach
Company / Certificate Holder
- Selects the most appropriate methods and processes
- Uses them to identify appropriate mechanisms for ensuring sufficient level of safety
- Produces valid and coherent argument of safety plus supporting evidence (i.e. safety case)
Regulator
- Sets overall safety targets
- Audits the safety case based on accumulated expertise
- May take into account items in Significant Issues List (SIL)
[Diagram: the safety argument structure of the earlier slide, with the regulator’s Significant Safety Issues List (SIL) feeding into the argument]
Safety Management - 9
Risk-Based Approach
Advantages
- Enables companies to develop solutions suitable for their business
- Input from regulator is at strategic policy level, e.g. top-level goals
- Makes it clear that companies have liability
  No “we complied with your standards” argument
Original risk-based approaches are now considered incomplete
- Safety activities of different organisations may not be coordinated, e.g. supply chain
- Safety not fully integrated into the management of the business
  Need to address “soft issues”: human factors, training, culture (see Part 2 of lecture)
- Too static on its own
  Assumes ideal safety case the first time
  Practice may diverge from safety case
  Organisation and operational context may change
- Doesn’t require or encourage learning
  Reactive approach to safety management
Safety Management - 10
Safety Management
A safety management system (SMS)
- is defined for an organisation
- sets out approach to ensuring safety in all aspects of an organisation’s business
- covers operation and general principles of development, although not details of specific projects
- is typically documented in a safety management manual (SMM)
A system safety programme plan (SSPP)
- is defined for a project
- details safety-specific activities and products, e.g. safety cases
- will link to project plans, e.g. milestones and reviews
- will derive some of its contents from the SMS, but may over-ride the SMS, e.g. to reflect national legislation
Focus on “functional safety” not occupational health and safety
Safety Management - 11
Purpose of an SMS
Primary aim
- to provide a framework for the planning, execution and monitoring of all activities needed to meet safety objectives, including policies for reducing / managing risk
Secondary aims
- to ensure consistency between projects, e.g. by using same risk assessment criteria
- to help meet / discharge legal and moral obligations, e.g. the “duty of care”
- to contain liability, should an accident occur
Aims met by setting out
- organisation and responsibilities, e.g. for decision making
- policies, e.g. on acceptable levels of risk
- procedures, e.g. for incident reporting
Safety Management - 12
ICAO SMM 2006
Contents:
- Overview
- Responsibility for Managing Safety
- State Safety Programme
- Understanding Safety
- Basics of Safety Management
- Risk Management
- Hazard and Incident Reporting
- Safety Investigations
- Safety Analysis and Safety Studies
- Safety Performance Monitoring
- Emergency Response Planning
- Establishing an SMS
- Safety Assessments
- Safety Auditing
- Practical considerations for operating a SMS
- Aircraft Operations
- Air Traffic Services
- Aerodrome Operations
- Aircraft Maintenance
ICAO SMS: “a systematic approach to managing safety, including the necessary organizational structures, accountabilities, policies and procedures.”
Safety Management - 13
Safety Management System - ICAO 9859 View
Embeds safety case into feedback and review layers
[Diagram: safety case surrounded by feedback and review layers]
- Continuous safety performance monitoring: against clearly defined indicators and targets
- Periodic internal SMS review: thorough, open-ended; review of all relevant data; improve cost-effectiveness and safety
- Significant events investigations: internal (staff self-reporting), non-punitive!; accidents & incidents, regulator lead
- External audits: regulator
Safety Management - 14
Safety Management System - ICAO 9859 View
Documented and implemented policies and procedures for managing risks that integrate operations and technical systems with the management of financial and human resources to ensure aviation safety and the safety of the public
SMS standards apply general principles for a particular application
- But no prescriptive or process requirements
Massive change in companies’ safety management philosophy
- Complete responsibility for safety
- Must understand what safety means and how it is being achieved, in the context of their business and operations
Significant change in “philosophy of regulation”
- Regulator checks whether operators have asked themselves all the right questions and responded adequately
- Regulator ensures that information is disseminated in the sector
- Significantly more space for a “subjective” judgement, based on the vast accumulated knowledge
Safety Management - 15
SMS – Questions to ask
Strategy and basic organisation:
- What are overall safety objectives? Objective and measurable!
- What is the safety management organisation? Who has key responsibilities? How are they supported?
“Basic” risk management:
- What are hazards and risks of the operations? Consider all aspects of operations and the environment
- How do we ensure safety of our basic activities, considering: communication and collaborative working; special challenges
Monitoring and performance evaluation:
- How do we check that safety management is effective?
- How do we notice safety issues before these develop into accidents?
Safety Management - 16
SMS – Questions to ask
Emergency Planning:
- What do we do if things go wrong? To minimise the effects
- How do we prepare ourselves to learn from experience?
Change:
- How do we ensure that our organisation remains safe?
  In the context of changes to operations and environment
  In the context of changes to safety management practices
Proactive learning:
- How do we ensure organisation itself doesn’t become a source of risk?
- How do we “drive” improvement process?
- How do we identify promising changes?
Safety Management - 17
SMS: Challenges
Culture & paradigm shift
- Higher degree of responsibility
- Longer-term investment
- Developing SMS from “first principles”
- Changing climate and attitudes in the organisation
  Non-punitive reporting
  Encouraging whistle blowing
  Making staff aware of SMS in general and their roles in particular
- Reliance on genuine commitment!
Regulation approach
- Presumed trust
  Steep punitive “pyramid” if trust is abused
- From inspections to audits
  More flexible / open-ended
  More constructive
  More time-consuming! Require more judgment
Small/Medium Enterprises (SME)
- Too complex an approach for small businesses?
- Too much of an investment necessary?
Very large companies…
Safety Management - 18
Rail Safety Management
Example 2: Rail Safety Management systems
- Designed to limit risk of injury to persons or damage to property; and protect commercial interests by running safe railway
- Legislated for by the Australian Rail Safety Act 1998
- Rail Safety Regulations 1999 Part 2 reference Australian Standard AS 4292.1, as the standard for Rail Safety Management
AS/NZ 4292 – Rail Safety Management
- Section 1: Scope and General
- Section 2: Management Policy and Structure
- Section 3: Risk and Incident Management
- Section 4: Personnel Management
- Section 5: Goods and Services Procurement
- Section 6: Engineering and Operational Systems Safety
- Section 7: Interstate Operation (not contractor requirements)
Safety Management - 19
Organisation and Responsibilities
Ultimate responsibility for safety at “the top”
- main board for a company
  perhaps just the Engineering or Technical Director
- Secretary of State for the U.K. MoD
Organisation defines
- delegation of responsibility
  named individuals / posts with “sign off” authority
- committees and other joint management, to ensure appropriate knowledge brought to bear, e.g. design, operations, maintenance
- communication paths, e.g. for incident reporting
- independent reporting chain, so junior staff can report safety concerns outside “the line”
Safety Management - 20
Independent Reporting
Purpose of independent reporting
- management decisions are often compromises, and may sometimes treat safety inappropriately
- independent mechanisms give a way for concerned engineers to bring such lapses to senior management attention, once attempts to resolve locally have failed
Often have separate director for independent reporting
- e.g. Quality Director, when projects report to Technical or Engineering Director
Use of independent reporting should be exceptions
- a good safety culture will promote resolution “in the line”
Final resort: “whistle-blowing”
Safety Management - 21
Purpose of an SSPP
Primary aim
- to define the process for achieving and assessing product safety, for a given project, including defining links to the primary development plans
Secondary aim
- to ensure project risks are controlled, as well as safety risks, for example by defining a safety case strategy early in the project
Aims met by setting out
- product identification and project scope
- project organisation and responsibilities
- requirements and applicable standards
- hazard log and hazard tracking strategy
- safety case strategy
- a technical plan, e.g. a bar chart, and definition of methods
Safety Management - 22
Organisation and Responsibilities
Project Leader
- safety responsibility for the project
- accepts and signs off key documents
- ultimately makes decisions
  trade-offs between safety and availability
  but advised by various committees (e.g. System Safety Panel)
Primary safety work
- done by designers, or safety specialists
- at minimum, specialists act as independent reviewers
Independent Verification and Validation (IV&V)
- main design assessment work, independent of designers, e.g. review and testing
Safety Management - 23
Technical Plan
Programme of work
- technical safety activities
  bar chart expanding on PHI, PHA, etc. defined in a phased manner, e.g. plan for SSHA defined as a result of PHA and associated design revisions
- identify what methods or techniques to use at each stage
- define methods or techniques, e.g. guidewords and team structure for HAZOP; often done by reference to other company documentation
- link to development plan
Safety Case Strategy
- how it is intended to demonstrate safety
Safety Management - 24
ISAs
Independent Safety Auditor (ISA)
- provides independent check that plan implemented as defined
  analogy with financial auditor
- usually audits SMP and method definitions, and samples other deliverables
- is not intended to give advice
Can be confusion with
- Independent Safety Advisor: providing advice to help direct project, not check on progress
- Independent Safety Assessor: safety aspect of IV&V, as defined here
Other specialist advisors, if needed, e.g. on nuclear safety, lasers or software
Safety Management - 25
Managing Safety Risk
Best approach is to establish a single, closed loop, hazard tracking system
- to be used throughout development and in service
Most safety standards require establishment of a Hazard Log, with entries for (at least)
- description of hazard, and hazard risk index
- status of hazard and its control
- residual risk
- actions to address the hazard
- recommended hazard controls
- signature of appropriate authority to close out
Explicit hazard log not a requirement of ARP guidance
- systematic approach to tracking safety issues clearly a necessity
Safety Management - 26
Hazard Log Entry
Hazard No.: HM034
Hazard Title: Windscreen overheats
Status: Open
Description: Loss of structural integrity of windscreen due to overheating
Cons.: A3   Sev.: 2   Prob.: 3e-8   HRI: 10
Closure Summary: (blank)
Primary effects: Windscreen: strength reduced / damaged / fractured
Consequences: Pilot injury, and possible loss of aircraft
Systems: Structures, Elec. Heating, ECS Heating, Warning
Responsibility: Electrical
Notes on the entry:
- Risk assessment results - separate consequence description
- Responsibility assigned
- Action not specified - will be for reduction of hazard probability
Safety Management - 27
Hazard Tracking Example
Hazard No.: HM034
Hazard Title: Windscreen overheats
2/7/94   PHA Report BAe/WAW/075 – Hazard Identified
10/4/96  SCR Assessment – accepted for development flying, within specified reduced envelope, at 9th CSG
20/9/96  SCR Assessment for Windscreen anti-misting system (BAe/WAW/487 Issue D updated with amended reliability for hazard log summary (table updated)
Notes on the record:
- Hazard No. used as cross-reference to log
- Progress of hazard management from identification to closure
- Decision before mitigation action complete - flight restriction to manage risk
Safety Management - 28
Revised Hazard Log Entry
Hazard No.: HM034
Hazard Title: Windscreen overheats
Status: Closed
Description: Loss of structural integrity of windscreen due to overheating
Cons.: A3   Sev.: 2   Prob.: 2e-10   HRI: 18
Closure Summary: Anti-misting system reduces probability of hazard to tolerable level. Training required to ensure pilots use anti-misting system, in appropriate conditions.
Primary effects: Windscreen: strength reduced / damaged / fractured
Consequences: Pilot injury, and possible loss of aircraft
Systems: Structures, Elec. Heating, ECS Heating, Warning
Responsibility: Electrical
Notes on the revision:
- Revised HRI (now Tolerable)
- Reduced hazard probability
- Closure added
- Note: other entries not modified; nature of hazard not changed
- May be better to have new entry, so change can be seen explicitly
Safety Management - 29
Safety Life-Cycle - Link to Hazard Log
[Diagram: V-shaped safety life-cycle running from Platform Concept / Initial Hazard List, through Hazard Identification (PHI), Consequence Analysis (FHA), (Predictive) Causal Analysis (PSSA) and Causal Analysis (SSA), to Integration of Safety Evidence and Safe Platform / Safety Case; a Risk reduction action loop feeds back until Design completed]
Numbered items are actions on hazard log:
1. Initial entry made
2. Severity added
3. Risk estimate added
4. Risk estimate revised
5. Risk figure finalised
Safety Management - 30
Management of Hazard Log 1
Hazard log
- produced and maintained during development
- tool support desirable: specialist tools, but can do with a database
- issued periodically (hazard log reports)
  open hazards reviewed
  decisions on tolerable levels of reduction made
    this is (typically) an ALARP decision
    may need to involve operational authority
    is almost inevitably assessed by a committee (e.g. the Project Safety Panel)
    Panel will have to balance cost and likely risk reduction
  period depends on scale of project, number of open risks, etc.
  may also be on identification of significant new risk
Safety Management - 31
Management of Hazard Log 2
[Diagram: the HM034 hazard tracking record and revised hazard log entry from the previous slides, shown as an Extract from Hazard Tracking System and an Extract from Hazard Log, cross-linked to the documents the log may contain or refer to: Consequence Description, Fault Tree Analysis, Instance of HRI Table, PHI (A) Report, Meeting Minutes, Safety Analysis Report]
Consider use of web technology to manage log
Safety Management - 32
Transition to Service
Handover of hazard log to operational authority
- joint review of hazard log / hazard tracking system
  all risks addressed
  all risks reduced ALARP, or practical procedures to manage, e.g. operational limitations, pending remedial development
    will need “sign off” by operational authority
  status of ongoing remedial action adequately understood
- hazard log passed on as basis for operational safety management
  FRACAS - so the severity of events (incidents) is known
  action limits to give early warning of impending problems
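The hazard log, hazard tracking record and transition-to-service handover described on the preceding slides, as an added Python example that is not part of the lecture material: a closed-loop log in which every re-assessment is appended as a new entry version (the alternative the slides recommend over editing in place), close-out requires a residual-risk statement and an authorised signature, and a handover check flags any open hazard that has no signed-off interim procedure. The HM034 data is copied from the slides; the HRI values are taken as given because the slides do not reproduce the HRI table; the class, method and signatory names are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class HazardEntry:
    """One version of a hazard log entry; fields follow the list on the slides."""
    hazard_no: str
    title: str
    description: str
    severity: int
    probability: float               # probability figure as quoted on the slide
    hri: int                         # hazard risk index, read from the project's HRI table
    status: str = "Open"             # "Open" or "Closed"
    residual_risk: str = ""
    actions: Tuple[str, ...] = ()
    recommended_controls: Tuple[str, ...] = ()
    closure_summary: str = ""
    closed_by: str = ""              # signature of the authority that closed the hazard
    version: int = 1

class HazardLog:
    """Closed-loop hazard log: every change appends (date, note, new entry version)."""
    def __init__(self) -> None:
        self._log: Dict[str, List[Tuple[str, str, HazardEntry]]] = {}

    def raise_hazard(self, entry: HazardEntry, date: str, source: str) -> HazardEntry:
        if entry.hazard_no in self._log:
            raise ValueError(f"{entry.hazard_no} already logged")
        first = replace(entry, version=1, status="Open")
        self._log[entry.hazard_no] = [(date, f"{source} - Hazard Identified", first)]
        return first

    def current(self, hazard_no: str) -> HazardEntry:
        return self._log[hazard_no][-1][2]

    def history(self, hazard_no: str) -> List[Tuple[str, str, HazardEntry]]:
        return list(self._log[hazard_no])

    def revise(self, hazard_no: str, date: str, note: str, **changes) -> HazardEntry:
        """A re-assessment becomes a NEW version, so the change can be seen explicitly."""
        old = self.current(hazard_no)
        if old.status == "Closed":
            raise ValueError(f"{hazard_no} is closed; raise a new hazard instead")
        new = replace(old, version=old.version + 1, **changes)
        self._log[hazard_no].append((date, note, new))
        return new

    def close(self, hazard_no: str, date: str, closed_by: str, summary: str, residual: str) -> HazardEntry:
        """Close-out needs a residual-risk statement and the closing authority's signature."""
        if not closed_by.strip() or not residual.strip():
            raise ValueError("close-out requires residual risk and an authorised signature")
        return self.revise(hazard_no, date, f"Closed by {closed_by}", status="Closed",
                           closed_by=closed_by, closure_summary=summary, residual_risk=residual)

    def open_hazards(self) -> List[str]:
        return [h for h, events in self._log.items() if events[-1][2].status == "Open"]

    def handover_blockers(self, interim_procedures: Dict[str, str]) -> List[str]:
        """Transition-to-service check: every hazard must be closed, or have an interim procedure
        (e.g. an operational limitation) signed off by the operational authority (hazard_no -> signatory)."""
        return [f"{h}: open with no signed-off interim procedure"
                for h in self.open_hazards() if not interim_procedures.get(h, "").strip()]

def hm034_walkthrough() -> HazardLog:
    """Replays the windscreen-overheat example from the slides (the closing signatory is assumed)."""
    log = HazardLog()
    log.raise_hazard(HazardEntry("HM034", "Windscreen overheats",
                                 "Loss of structural integrity of windscreen due to overheating",
                                 severity=2, probability=3e-8, hri=10),
                     "2/7/94", "PHA Report BAe/WAW/075")
    # Decision before mitigation is complete: a flight restriction manages the risk meanwhile.
    log.revise("HM034", "10/4/96", "SCR Assessment - accepted for development flying",
               actions=("Fly within specified reduced envelope",))
    # Anti-misting system cuts the probability; the earlier versions stay untouched.
    log.revise("HM034", "20/9/96", "SCR Assessment for Windscreen anti-misting system",
               probability=2e-10, hri=18, recommended_controls=("Anti-misting system", "Pilot training"))
    log.close("HM034", "20/9/96", closed_by="Project Safety Panel",
              summary="Anti-misting system reduces probability of hazard to tolerable level.",
              residual="HRI 18 (tolerable)")
    return log
```

Calling `hm034_walkthrough().history("HM034")` returns the four dated events with the entry version each produced, which is the tracking record and the log in one structure.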
Safety Management - 33
Operational Safety
Safety management does not stop at end of development process
- Also need to ensure operation is accident free, or at least to keep accidents to a tolerable level
Main safety-related activities in-service are:
- maintenance
  preserve (safety related) system as designed and manufactured
  improve the design where design not “safe enough”, or improvements now possible
- monitoring and management of failures
  Accident and incident analysis
  Monitoring and evaluation of failures
  Corrective actions based on the results of analysis
  ARP 5150 defines systematic approach
Safety Management - 34
ARP 5150 Monitoring Process
[Flowchart; box labels recovered and grouped under the phases named along the bottom of the figure]
- Establish Monitor Parameters: Establish Expectations; Establish Monitor Parameters
- Monitor For Events: Collect & Analyze Data; Problem Or Trend Noted? (Yes/No); Inputs From Other Levels Or Monitoring
- Assess Event & Risk: Assess Event & Risk; Significant Event - Action Required? (Yes/No); Lessons Learned; Determine Internal/External Issue Resolution; Internal/External Action? (Int/Ext); Notify Responsible Party; Output To “Assess Event And Risk” At Other Level(s); Actions From Other Levels Or Sources
- Develop Action Plan: Develop Actions; Select Action; Review Selected Action For Approval; Action Approved? (Yes/No); More Analysis? (Yes/No); Actions To Other Levels
- Disposition Action Plan: Action Applicability Review; Implement Action? (Yes/No); Schedule
- Implement: Document & Close
Safety Management - 35
Roles in ARP 5150 Process
[Diagram: three copies of the ARP 5150 monitoring process flowchart above, one each for the Supplier Assessment Process, the Airframer Assessment Process and the Operator Assessment Process. The copies are linked through “Output To ‘Assess Event And Risk’ At Other Level(s)”, “Inputs From Other Levels Or Monitoring” and “Actions From Other Levels Or Sources”]
Safety Management - 36
Observations
SMS/SMM and SSPP may overlap a lot
- don’t repeat, refer (but better to repeat than not to write it down!)
SSPP may legitimately conflict with SMS/SMM
- e.g. if product is for a new market, uses new technology, or involves work with another company
It is possible to “overwhelm” a project with plans
- if the safety activities are limited, just extend the main plan
Ultimately, safety is achieved by people
- the way they work (and the culture in which they work) are key
Slides 37-42 are to be used as reference material and will not be presented
Safety Management - 37
Organisational Concerns
Concerns:
- Compliance-oriented
  Do minimum - anything more is beyond ALARP
- Reactive / inertial framework
  Assume right until proven otherwise
  Looking for safety issues discouraged
  Unfair reporting systems
- Static safety management
  Assume environment and organisation unchanging
  Ignore uncertainty in safety assessment
SMS “response”:
- No fixed requirements
  Provides rational incentives for “over-compliance”
  Reinforces ALARP
- Proactive framework
  Only assumes SMS is good enough to operate
  Recognise inherent uncertainty
  Proactive & predictive “feedback”
  Fair (non-punitive) reporting
- Active management of change and uncertainty
  Assess changes
  Monitor performance
  Periodically review the whole SMS
Safety Management - 38
Organisational Concerns
Concerns:
- Safety an “over the wall” activity
  Not integrated into overall management
  Unrealistic policies
  Clumsy internal regulation
  Unmanageably complex and bureaucratic
  Not acted upon
- Poor safety culture
  It’s something we have to do to ‘tick’ regulator’s boxes
  It’s of no utility to business
  Accidents are too unlikely to worry
  You need to “really try” to cause an accident
SMS “response”:
- Integrated approach to safety
  Integrated into overall management
  Rational & realistic policies
  Recognises primary function of the business
  Allows flexibility in designing most suitable SMS
  Audits check for “dead weight”
- Requires and encourages strong safety culture
  Covered by audits
  Encourages staff engagement in safety management
  Requires safety promotion
Safety Management - 39
SMS Content 1
What should organisation consider?
- What are overall safety objectives? How do we know if we have achieved them?
- Who has safety responsibility? How are they supported?
What goes in SMS?
- Definition of safety requirements: measurable, objective, achievable
- Individual roles and responsibilities
- Organisation
  reporting structures, including independent lines of reporting
  committees, panels
Safety Management - 40
SMS Content 2
What should organisation consider?
- How do we ensure safety of our basic activities, considering
  environment: locations in which we operate
  operations: especially those demanding high levels of skill or concentration
  communication and collaborative working
  equipment
  special challenges: hazardous materials
What goes in SMS?
- Hazard identification and risk assessment methodology
- Procedures for hazard logging / tracking
- Approach to risk control/reduction
  Risk acceptance criteria
  Basis for trade-off decisions
- Specialist safety analysis methodology
- Safety-related working procedures
- Skills, training
Safety Management - 41
SMS Content 3
What should organisation consider?
- How do we ensure safety of activities is maintained?
- What do we do if things go wrong?
What goes in SMS?
- Performance monitoring
  Data collection
  Review and analysis: trends and anomalies
  Corrective actions
- Policies for managing change
- Emergency planning
  Training and drills
Safety Management - 42
SMS Content 4
What should organisation consider?
- How do we ensure organisation itself does not become a source of risk?
What goes in SMS?
- Policies for continual self-review
  Auditing
- Policies for continual improvement
  Improving safety targets
  Organisational learning
- Cultural aspirations
  Training
  Communication