Principles and Elements of SMS A Review

1
Principles and Elements of SMSA Review

• Patrick Hudson
• ICAO/Leiden University

2
Structure

• Why SMS?
• The principles
• Shells experience
• Implementation experience
• Conclusion

3
(No Transcript)
4
Why Safety Management Systems?

• Safety is a right for customers and staff
• Poor safety performance is a sensitive indicator
  of poor operations
• If you cant manage safety, how can you show you
  can manage anything else?
• Safety management systems are about getting
  systematic about the problems

5
Safety Management SystemA framework for Safety
Management
Continuous Improvement
Policy
Mgt. policy
Process
Safety (HSE Cases)
Task
Structure
No Structure
6
A Pacific Southwest Airlines Boeing 727 as it
goes down over San Diego, California after a
mid-air collision with a Cessna in 1978.
One-hundred-thirty-seven people along with 7 on
the ground were killed.
7
Early Safety Management

• Early safety management was an unstructured
  mixture of good things
• Progress was based upon response to accidents
• Measures were outcome based (crashes etc)
• There were no process definitions (how to do it)
• Regulations prescribed exactly what to do (what
  to do)
• This works very well to start with, but
  expectations have been raised over the years, now
  everyone expects that every flight is safe

8
Types of Certification

• There are three distinct ways of guaranteeing
  safety
• Type I - Classical ICAO/FAA/JAA certification
• Type II - Safety Cases and SMS
• Type III - Safety Culture and Good Practice
• These different approaches are complementary,
  especially II and III
• Types I and II are Imagination Limited
• Can people imagine what might go wrong
• Type III involves doing The Right Thing anyway

9
(No Transcript)
10
(No Transcript)
11
Why have a Safety Management System?

• A number of major disasters in the Petrochemical
  industry
• Flixborough
• Seveso
• Bhopal
• Nuclear disasters
• Three Mile Island
• Chernobyl

12
Flixborough1 June 1974

• Modification Control
• Use suitably trained, educated and responsible
  people
• Know what you dont know

13
SevesoJuly 1976

• Understanding safe state to leave reactions
• Multiple layers of protection
• Automated Reaction stop systems for exothermic
  systems

14
Longford25 September 1998

• Training needs to impart and refresh knowledge.
• Must identify other hazards and provide relevant
  training.
• Corporate knowledge must be captured and kept
  alive

15
Piper Alpha

• 1988 the Piper Alpha platform was destroyed
• The platform had just been audited by the
  regulator
• Lord Cullens report set up a new regime
• Goal Setting
• ISO 9000 type management systems
• Safety Case to provide assurance - a documented
  proof that the SMS is both in operation and
  effective

16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
Piper Alpha

• Cost 1,500,000,000
• 167 killed
• Occidental UK went out of business in two years

20
The Cullen Report

• Cullen investigated the Piper Alpha disaster
• Report was published 1990
• Requirement made for every offshore facility to
  have an SMS in place by November 1992
• Proof by submission of a safety case
• If there was no acceptable safety case the
  operation would be shut down immediately

21
Shell Internationals Approach

• Shell is the largest operator in the North Sea -
  SMS was made mandatory
• Shell decided to get in first rather than wait
• A considered approach was designed
• The requirement for SMS was to be made world-wide
  for all Shell Group companies

22
Shells Approach - dont do everything

• Decision to operate in terms of hazards and a
  limited set of events to avoid
• Developed the Bow-tie model (next slides)
• Identification of safety critical activities to
  provide assurance
• Getting in first meant that they wouldnt have to
  operate a system foreign to their culture

23
(No Transcript)
24
(No Transcript)
25
The Swiss cheese model ofaccident causation
(Reason)
Some holes due to active failures
Hazards
Other holes due to latent conditions

Losses
Successive layers of defences, barriers,
safeguards
26
SAFETY MANAGEMENTBased on the Reason Model
World
Barriers or Controls
Hazard/ Risk
Work Organisation
Undesirable outcome
27
Safety Management Cycle
28
Hazard-based approach

• Construct a generic hazard register
• Assess which are relevant for a particular
  operation
• Use a Business Process Model to identify safety
  critical processes that allow management of the
  hazards
• Construct Bow Ties for control and recovery

29
HEMP

• HEMP - Hazard and Effects Management Process
• Identify - What are the hazards?
• Assess - how big are those hazards?
• Control - how do we control the hazards?
• Recover - what if it still goes wrong?

30
Bow-tie Concept
Events and Circumstances
Harm to people and damage to assets or
environment
BARRIERS
HAZARD
CONSEQUENCES
Undesirable event with potential for harm or
damage
Engineering activities
Maintenance activities
Operations activities
31
HAZARD
THREAT
PROACTIVE
CONTROL
ESCALATION
CONTROL
T H E B O W - T I E
H E M P
I d e n t i f y A s s e s s C o n t r o l R e c
o v e r y
RECOVERY
ESCALATION
REACTIVE
CONTROL
CONSEQUENCE
MITIGATION MEASURES
32
Bow-tie Conceptfor a specific threat
Events and Circumstances
Harm to people and damage to assets or
environment
BARRIERS
HAZARD
CONSEQUENCES
Undesirable event with potential for harm or
damage
Engineering activities
Maintenance activities
Operations activities
33
RISK ASSESSMENT MATRIX
Potential Consequence of the Incident
Increasing Probability
D
B
C
E
A
Happened gt 3 x in this location
Known in aviation industry
Happened gt 3 x in the Company
Unknown but possible in the aviationindustry
Happened in this company
Env'ment
Assets
Reputation
People
Rating
Zero damage
Zero Effect
0
No injury
No Impact
Slight damage lt US 10K
Slight injury
Slight Effect
Slight Impact
Manage Through Normal HSE-MS procedures
1
Minor damage lt US 50K
Minor injury
Minor Effect
Local I m p a c t
2
incorporate risk reduction measure
Local damage lt US 250K
Serious injury
Industry I m p a c t
3
Localised Effect
Major damage lt US 1M
Single fatality
Major Effect
N a t i o n a l I m p a c t
Intolerable
4
Extensive damage gt US 1M
Multiple fatality
International I m p a c t
Massive Effect
5
34
Hazard Management and Control

• Bow Ties describe the hazards and the relevant
  controls
• Controls are provided by elements in the business
  processes
• Top events are a restricted set of unwanted
  events, not the final outcomes

35
Bow Ties as Standard

• The Bow Tie is now the standard for the FAA in
  the USA
• There are a number of computer packages for
  making and maintaining bow ties
• The information needed can be shared
• Local differences are easily accommodated

36
Shells HSE MANAGEMENTputting it together
Minimum Expectations
EP 95-0300 HAZOP/ HAZID EIA/SIA/HRA etc.
EP 95000 Series Technical advice
Group Guidance
Design standards
37
HSE MS in place
Contract/ Contractor Management
Permit to Work System
Job Hazard Analysis
Workplans
Hazardous Situation Unsafe Act reporting
HSE Self Appraisal
Observation techniques
Violation Survey
Site Visits
Trends/ benchmarking
HSE Standards Procedures
Incident Investigation (Tripod Beta)
Competency Programmes
Incident Reporting
Audits Reviews
38
Advantages of an SMS

• The SMS provides a structure for measuring in
  system audits
• Bow ties provide a structure for operational
  audits
• Are the barriers there?
• Are the barriers intact and in operation
• Is there sufficient defence- are there single
  point trajectories where everything relies on a
  single defence?
• The analysis of barriers and operations also
  provides a basis for incident investigation that
  is consistent with the Reason model

39
What does it take?

• Regulators can force implementation, but it is
  much easier if you want to do it anyway
• Top management has to be convinced that
  implementing an SMS is in their interest
• Shell had to implement in the North Sea, but
  decided to make SMS obligatory world-wide in view
  of the benefits to Shell group
• BP and ExxonMobil have taken exactly the same
  approach with GHSSER and OIMS
• You have to do it yourself
• Hiring consultants can only be as support
• An off-the-shelf SMS will soon fail

40
(No Transcript)
41
(No Transcript)
42
Conclusion

• Safety management systems turn safety into a
  systematic process
• Development can be done with sharing of
  information and experience - you dont compete on
  safety
• SMS models can be used to unify management, audit
  and incident investigation
• SMS does not guarantee everything - to get ahead
  you need to develop a safety culture as well -
  tomorrow

43
(No Transcript)