April 2006ICAO Seminar Baku Principles and Elements of SMS A Review Patrick Hudson ICAO/Leiden University
April 2006ICAO Seminar Baku Structure Why SMS? The principles Shell’s experience Implementation experience Conclusion
April 2006ICAO Seminar Baku
April 2006ICAO Seminar Baku Why Safety Management Systems? Safety is a right for customers and staff Poor safety performance is a sensitive indicator of poor operations “If you can’t manage safety, how can you show you can manage anything else?” Safety management systems are about getting systematic about the problems
April 2006ICAO Seminar Baku Safety Management System A framework for Safety Management Alcohol & Drugs Policy Audit Plans Road Safety Plan Safety Drills Security Policy Safety Policy No Structure Structure Policy Process Task Continuous Improvement Safety (HSE Cases) Mgt. policy
April 2006ICAO Seminar Baku A Pacific Southwest Airlines Boeing 727 as it goes down over San Diego, California after a mid-air collision with a Cessna in One- hundred-thirty- seven people along with 7 on the ground were killed.
April 2006ICAO Seminar Baku Early Safety Management Early safety management was an unstructured mixture of ‘good things’ Progress was based upon response to accidents Measures were outcome based (crashes etc) There were no process definitions (how to do it) Regulations prescribed exactly what to do (what to do) This works very well to start with, but expectations have been raised over the years, now everyone expects that every flight is safe
April 2006ICAO Seminar Baku Types of Certification There are three distinct ways of guaranteeing safety Type I - Classical ICAO/FAA/JAA certification Type II - Safety Cases and SMS Type III - Safety Culture and Good Practice These different approaches are complementary, especially II and III Types I and II are Imagination Limited –Can people imagine what might go wrong –Type III involves doing The Right Thing anyway
April 2006ICAO Seminar Baku
April 2006ICAO Seminar Baku
April 2006ICAO Seminar Baku Why have a Safety Management System? A number of major disasters in the Petrochemical industry –Flixborough –Seveso –Bhopal Nuclear disasters –Three Mile Island –Chernobyl
April 2006ICAO Seminar Baku Flixborough 1 June 1974 Modification Control Use suitably trained, educated and responsible people Know what you don’t know
April 2006ICAO Seminar Baku Seveso July 1976 Understanding safe state to leave reactions Multiple layers of protection Automated Reaction stop systems for exothermic systems
April 2006ICAO Seminar Baku Longford 25 September 1998 Training needs to impart and refresh knowledge. Must identify other hazards and provide relevant training. Corporate knowledge must be captured and kept alive
April 2006ICAO Seminar Baku Piper Alpha 1988 the Piper Alpha platform was destroyed The platform had just been audited by the regulator Lord Cullen’s report set up a new regime –Goal Setting –ISO 9000 type management systems –Safety Case to provide assurance - a documented proof that the SMS is both in operation and effective
April 2006ICAO Seminar Baku
April 2006ICAO Seminar Baku
April 2006ICAO Seminar Baku
April 2006ICAO Seminar Baku Piper Alpha Cost $1,500,000, killed Occidental UK went out of business in two years
April 2006ICAO Seminar Baku The Cullen Report Cullen investigated the Piper Alpha disaster Report was published 1990 Requirement made for every offshore facility to have an SMS in place by November 1992 Proof by submission of a safety case If there was no acceptable safety case the operation would be shut down immediately
April 2006ICAO Seminar Baku Shell International’s Approach Shell is the largest operator in the North Sea - SMS was made mandatory Shell decided to get in first rather than wait A considered approach was designed The requirement for SMS was to be made world-wide for all Shell Group companies
April 2006ICAO Seminar Baku Shell’s Approach - don’t do everything Decision to operate in terms of hazards and a limited set of events to avoid Developed the Bow-tie model (next slides) Identification of safety critical activities to provide assurance Getting in first meant that they wouldn’t have to operate a system foreign to their culture
April 2006ICAO Seminar Baku
April 2006ICAO Seminar Baku
April 2006ICAO Seminar Baku The Swiss cheese model of accident causation (Reason) Some holes due to active failures Other holes due to latent conditions Successive layers of defences, barriers, & safeguards Hazards Losses
April 2006ICAO Seminar Baku SAFETY MANAGEMENT Based on the Reason Model Hazard/ Risk Undesirable outcome Work & Organisation Barriers or Controls World
April 2006ICAO Seminar Baku Safety Management Cycle
April 2006ICAO Seminar Baku Hazard-based approach Construct a generic hazard register Assess which are relevant for a particular operation Use a Business Process Model to identify safety critical processes that allow management of the hazards Construct Bow Ties for control and recovery
April 2006ICAO Seminar Baku HEMP HEMP - Hazard and Effects Management Process Identify - What are the hazards? Assess - how big are those hazards? Control - how do we control the hazards? Recover - what if it still goes wrong?
April 2006ICAO Seminar Baku Bow-tie Concept Events and Circumstances Harm to people and damage to assets or environment HAZARDHAZARDHAZARDHAZARD CONSEQUENCESCONSEQUENCESCONSEQUENCESCONSEQUENCES BARRIERS Undesirable event with potential for harm or damage Engineering activities Maintenance activities Operations activities
April 2006ICAO Seminar Baku T H E B O W - T I E I d e n t i f y A s s e s s C o n t r o l R e c o v e r y H E M P CONSEQUENCE Hazardous Event HAZARD THREAT CONTROL ESCALATION MITIGATION MEASURES RECOVERY PROACTIVE REACTIVE
April 2006ICAO Seminar Baku Bow-tie Concept for a specific threat Events and Circumstances Harm to people and damage to assets or environment HAZARDHAZARDHAZARDHAZARD CONSEQUENCESCONSEQUENCESCONSEQUENCESCONSEQUENCES BARRIERS Undesirable event with potential for harm or damage Engineering activities Maintenance activities Operations activities
April 2006ICAO Seminar Baku RISK ASSESSMENT MATRIX Potential Consequence of the Incident Increasing Probability Env'ment Serious injury Multiple fatality Single fatality Minor injury Happened > 3 x in this location Minor damage < US$ 50K Local damage < US$ 250K Major damage < US$ 1M Extensive damage > US$ 1M Massive Effect Zero damage Localised Effect Major Effect Minor Effect 1 Assets Slight injury Slight damage < US$ 10K Slight Effect Zero Effect BC D EA No injury Known in aviation industry Happened > 3 x in the Company No Impact International I m p a c t Industry I m p a c t N a t i o n a l I m p a c t Slight Impact Intolerable incorporate risk reduction measure Unknown but possible in the aviation industry Happened in this company Local I m p a c t ReputationPeopleRating Manage Through Normal HSE-MS procedures
April 2006ICAO Seminar Baku Hazard Management and Control Bow Ties describe the hazards and the relevant controls Controls are provided by elements in the business processes Top events are a restricted set of unwanted events, not the final outcomes
April 2006ICAO Seminar Baku Bow Ties as Standard The Bow Tie is now the standard for the FAA in the USA There are a number of computer packages for making and maintaining bow ties The information needed can be shared Local differences are easily accommodated
April 2006ICAO Seminar Baku Shell’s HSE MANAGEMENT putting it together THESIS Risk Assessment Matrix EP HAZOP/ HAZID EIA/SIA/HRA etc. HSE MS EP Series Technical advice Minimum Expectations Design standards Group Guidance
April 2006ICAO Seminar Baku HSE MS “in place” Job Hazard Analysis Workplans Trends/ benchmarking Violation Survey Hazardous Situation Unsafe Act reporting Audits Reviews Incident Investigation (Tripod Beta) Incident Reporting Contract/ Contractor Management Competency Programmes Permit to Work System HSE Self Appraisal Site Visits Observation techniques HSE Standards & Procedures
April 2006ICAO Seminar Baku Advantages of an SMS The SMS provides a structure for measuring in system audits Bow ties provide a structure for operational audits –Are the barriers there? –Are the barriers intact and in operation –Is there sufficient defence- are there single point trajectories where everything relies on a single defence? The analysis of barriers and operations also provides a basis for incident investigation that is consistent with the Reason model
April 2006ICAO Seminar Baku What does it take? Regulators can force implementation, but it is much easier if you want to do it anyway Top management has to be convinced that implementing an SMS is in their interest Shell had to implement in the North Sea, but decided to make SMS obligatory world-wide in view of the benefits to Shell group BP and ExxonMobil have taken exactly the same approach with GHSSER and OIMS You have to do it yourself –Hiring consultants can only be as support –An off-the-shelf SMS will soon fail
April 2006ICAO Seminar Baku
April 2006ICAO Seminar Baku
April 2006ICAO Seminar Baku Conclusion Safety management systems turn safety into a systematic process Development can be done with sharing of information and experience - you don’t compete on safety SMS models can be used to unify management, audit and incident investigation SMS does not guarantee everything - to get ahead you need to develop a safety culture as well - tomorrow
April 2006ICAO Seminar Baku