Safety management is a specific form of risk management that focuses on risk to “life and limb”.
A brief history of safety management
Safety management first arose as a formal discipline in response to chronic worker safety and public safety issues that arose in capitalist societies during the industrial revolution, when commercial interests and the exploitation of vulnerable workforces led to highly dangerous workplaces and work practices.
Paralleling the rise of politically active labour union movements in the UK, and then in Europe and North America, legislation began to impose requirements on organizations to protect the health, safety and welfare of workers. The discipline of occupational medicine also evolved to the point where an evidence-based approach to worker safety was possible, particularly in industries such as mining, manufacturing and construction.
Safety management became more formalized and effective in the industrialized world throughout the 20th Century, although commercial interests often continued to challenge worker protection. Generally, safety management evolved “tombstone by tombstone”, driven by a long series of industrial mishaps and disasters that forced adoption and improvements. Today, in historically industrialized countries, safety management is a mature and accepted (if not always effective) body of practice.
However, even today, safety management in non-industrialized and newly industrialized nations often lacks an underpinning of effective legislation and cultural expectation, and may be ignored outright or trumped by commercial priorities. Since the globalization that drives those commercial priorities also promotes a gradual normalization of practices and expectations, the hope is that safety management will eventually become accepted, expected and normalized in all industrial settings.
Another important transition that took place throughout the 20th Century was a broadening of the scope of safety management to include public safety as well as workforce safety. This transition was also driven by legislative changes that instituted public and consumer protections against unsafe industrial activities and products. Modern safety management now addresses domains such as food safety, pharmaceutical safety, safety of healthcare products and services, environmental safety, and transportation safety, to name only a few.
A more recent but important evolution is the inclusion of environmental safety in overall safety management, with the recognition that environmental safety is public safety.
Role of an organizational management system
Safety Management System (SMS)
An SMS is a specific form of management system designed to control safety risk in the workplace and safety issues arising from work and business activities. The primary goal of an SMS is to ensure that safety risk is kept as low as is reasonably practical (ALARP).
A typical model for an SMS includes the following elements:
- Establish requirements for adequate resources.
- Define top management commitment.
- State occupational and public safety targets.
- How is the organization structured?
- How is responsibility and accountability defined?
- How does the organization communicate internally and externally?
- What documentation is required and how is training and competency defined?
- Planning and Implementation
- How does the organization plan for, develop and implement its approach to risk management?
- How are hazards identified and risk effectively managed?
- What goals and objectives are set to drive safety performance and measure progress?
- What arrangements are made for contingency and emergency situations?
- How is safety performance measured and assessed?
- What is the processes for the reporting and investigation of accidents and incidents?
- What internal and external audit processes are in place to review and verify the system?
- Action for Improvement
- How are corrective and preventive action created, managed and closed out?
- What processes are in place to ensure continuous improvement?
Integrated management system
Organizations operating in regulated environments or facing significant quality, operational or other risk with respect to business activities and/or products typically control that risk and ensure compliance by implementing an integrated organizational management system, which governs how the organization conducts its activities. In high-consequence environments, the integrated management system typically includes a particular focus on safety, making Safety Management a top-level management domain rather than a separate SMS.
How safety is implemented and where responsibility for safety assurance lies within an integrated system depends on the nature of the organization and its activities.
Traditional organizational safety management – including workplace safety – may fall under the direction of a Risk Manager and/or specialized safety managers, such as site safety or health, safety and environment (HSE) managers. Safety expectations are communicated to the workforce, and appropriate specialists ensure that processes, procedures, practices and compliance adequately protect workplace safety. Specific safety-related responsibilities are imposed on roles throughout the organization in order to implement and support safety controls.
For organizations operating high-consequence facilities or systems (such as nuclear facilities, aerospace and space operations, and critical infrastructure), safety management goes beyond worker and workplace safety to include a greater focus on the protection of the public and the environment. In these organizational systems, safety assurance begins with cultural indoctrination to ensure that the workforce and management consider safety constantly and automatically, that the workforce is empowered to protect safety, and that safety is prioritized over all other interests. Responsibility for defining how the organization maintains safety, and to monitor safety performance, lies with appropriately qualified top-level managers, but the assurance of safety is woven throughout the organization’s roles and responsibilities, processes, procedures, practices, standards, training, and most importantly, cultural and behavioural reinforcement.
For organizations responsible for the design of safety-critical systems, safety management is achieved through control over the design of the organization’s products. In these organizations, the function of safety management establishes design requirements and provides expert oversight of third-party design processes and products. The related function of vendor management establishes and verifies requirements and quality across the design supply chain.
In all cases, while the responsibility for the governance, oversight, measurement and assurance of quality rests with qualified, top-level managers, all personnel throughout the organization have a standing responsibility to protect and prioritize safety.
Key elements of safety assurance
The prevention of events and conditions that could create safety risk is the most important and obvious strategy for assuring safety.
Analyze systems, processes and the operating environment in order to recognize what harm could result from normal operation and atypical events, and take steps to prevent adverse outcomes that could injure workers, consumers, the public, and the environment.
When prevention fails, mitigation measures can reduce the resulting harm. Mitigations may reduce the scope and reach of safety failures and incidents, and/or reduce the effect on people and the environment.
Consider the types of failures that are possible, and identify ways to limit the harm that would occur. Implement barriers, controls and contingencies to mitigate the adverse outcomes that could result from failures to prevent breakdowns, outages, releases and other harmful events.
Where mitigations require active intervention (for example, through emergency response, evacuation, aid, etc.), prepare to deliver the response capabilities needed to minimize harm and aid in recovery.
Preparation could include measures such as:
- Emergency first response
- Transportation capabilities
- Key messaging and informational resources
- Site security
- Environmental containment and cleanup
- Search and rescue
- Medical response
- Financial aid
- Housing and social support.
Preparation typically involves:
- Stakeholder engagement
- Response planning and contingency development
- Emergency planning
- Obtaining and/or assuring prompt access to resources
- Delivering training
- Performing drills and exercises
- Assessing and auditing capabilities and performance.
Preparation is not limited to preparing to respond to an event; it is also about ensuring that the organization will quickly recognize both the latent conditions that could lead to an event, and the onset of an adverse event.
Depending on the types of events that could occur, response may need to be prompt and/or robust. During response, the organization executes the appropriate contingencies and/or emergency plans, but may also have to respond tactically to address issues or conditions that plans did not anticipate. Thus, response relies on capable leadership able to adapt quickly to new situations and challenges.
The first step in response is recognition that a safety hazard is emerging or that an adverse event has occurred. Rapid recognition and response may prevent an adverse event, or allow more effective mitigation once one occurs.
The time needed to launch an effective response can often mean the difference between a trivial abnormal operating event, and outright disaster. Thus, all parties involved in response must maintain a readiness to respond even when affected by the adverse event themselves.
Response must also be sustained for the full time needed to protect affected parties from an ongoing event, and to support recovery of affected parties back to normalcy.
Since most adverse safety events arise after a pattern of near misses and close calls, the trending of safety incidents can be of great help in preventing serious events and prioritizing mitigating measures. Trending involves the surveillance of organizational activities and recognition of conditions, actions and events that either caused minor harms, or could have caused significant adverse outcomes. Increasing trends trigger greater attention and help identify opportunities for preventive action.
Trending begins with the identification of compliance and performance indicators relevant to safety: what can be measured, how to measure it, and what criteria will be applied. Processes are then established and applied to measure, analyze, and trend indicators.
Adverse trends then trigger analysis by appropriate specialists and stakeholders, who rank the importance of the trend with respect to safety, and prescribe actions to re-establish or protect safety.
Root-cause analysis (RCA)
Root cause analysis is used to ensure that fundamental issues that could challenge safety are identified, rather than focusing on the symptoms of those issues.
RCA includes the following steps:
- Identify and describe the problem clearly.
- Establish a timeline from the normal situation up to the time the problem occurred.
- Distinguish between the root cause and other causal factors (for example, using event correlation).
- Establish a causal graph between the root cause and the problem.
A typical approach to root cause analysis is to “keep asking why”. Each time an event or condition is recognized as a cause, ask why that event or condition arose. Continue this process until the answers become trivial or stop yielding useful insights.
Defence in depth
Defence in depth is a strategy used to ensure that single points of failure and foreseeable combinations of failures don’t result in adverse safety events. Defence in depth relies on layers of independent protection against safety threats and failures.
Management of human performance helps to prevent challenges to safety. This includes:
- Qualification, to ensure that workers are competent to perform activities
- Prevention of human error through the use of human-performance tools
- Procedural control, having workers perform critical activities by following prescribed processes or step-action procedures that have been designed to control risk.
Auditing and observation
Observation of critical activities helps to ensure that activities are being and will be performed appropriately to control risk, and that the outputs of those activities have met and will meet requirements.
Auditing is the review of policies, processes, and procedures, and the confirmation of compliance, adherence, and outcome, used to ensure that those Management System elements are effective in controlling risk.
Auditing is also used to apply quality management to third-party providers of products and services, including design products and services.
Review, or testing and inspection
Reviews, testing and/or inspection of the outcomes and outputs of critical activities can identify safety issues.
Spot testing/review of samples can help to identify trends and assess overall safety. Mandatory review, testing and/or inspection may be used to provide positive control over outputs that create high safety risk. Review, testing and inspection can also be used to apply safety management to third-party providers of products and services, including design products and services.
Workers may report (or self-report) issues with the performance of activities or the outputs of those activities. Self-reporting expectations must be communicated and reinforced through expectations documentation and training.
When safety deficiencies are identified, corrective actions are performed to:
- Reject, discard, and replace the deficient work product or input, or correct or mitigate the deficiency
- If appropriate, correct or mitigate the deficient conditions, processes, procedures, or other elements that led to the safety deficiency, in order to reduce the likelihood or severity of recurrence.
Corrective action must also be supported by appropriate processes and procedures, including processes and procedures for ensuring the correction of deficiencies in work products and services received from third parties.
Vendor management and vendor quality assurance (VQA)
In organizations that rely on third-party services, products and inputs, the function of vendor management is very important. The identification of requirements, negotiation of contracts, and oversight of contract performance is critically important to an organization’s ability to meet customer needs, ensure safety in design, services and products, and exercise control over its offerings. Thus, vendor management is typically a top-level management domain. The VQA function coordinates vendor management, safety management, and quality management to ensure that work products and services received from third parties have adequate safety and quality.
Culture and behaviour
Culture is critical to safety, since your workforce’s automatic behaviours are the most effective, reliable defence against safety risks and failures. Culture begins with leadership and positive modelling, but it also requires formal indoctrination, communication, reinforcement, recognition and reward for safe behaviours.
Workers must be empowered to identify safety risks and make safety decisions, regardless of their role and position in the corporate hierarchy. This means not only reinforcing the message that workers should take individual responsibility for safety, but also incentivizing safety reporting and appropriate safety decisions, protecting workers from peer pressure and sanctions arising from operational priorities, and providing positive recognition when workers take responsibility for safety.
How NOCTURNE can help
Implementing or improving safety management within your organization can be challenging. While safety management should be led by professionals with safety qualifications appropriate to your industry, NOCTURNE can help by doing much of the heavy lifting needed to implement or revise safety documentation and records systems, processes and procedures, job aids, training, etc. throughout your management system. We work with your safety leaders to ensure that safety information and process controls have the appropriate quality and scope needed to keep your workers, customers, assets and the general public safe.
When implementing and supporting safety elements in organizational management systems, NOCTURNE focuses on:
- Engagement. Safety is a general objective everyone understands, but many organizations have stakeholders with unique or particular interests in safety and/or specific safety risks. NOCTURNE starts by identifying and understanding stakeholders and stakeholder interests.
- Constraints. What resource and operational constraints must be accommodated. A “Cadillac” system is of no use if the organization lacks the capability to apply it properly.
- Simplicity. The system must be kept as simple as possible. Complex systems impose unnecessary burdens on organizations, but also tend to be less effective. Complexity should be limited to specific procedures or roles where it is required, and the overall system should be simple enough for all workers, managers and stakeholders to understand.
- Relevance. Safety relies first and foremost on worker performance. Workers must take safety seriously. For that to happen, workers have to understand why safety matters, and why specific safety measures and controls are needed.
- Maintainability. The safety system needs to evolve as the organization grows, its activities change, and its regulatory environment evolves. Thus, the system must be easily maintainable by the organization as a whole, and by the personnel assigned responsibility for safety management.
- Robustness. Safety systems can become ineffective in the face of organizational or operational challenges. Thus, the system needs to be designed to operate effectively even when operations and organizational activities are disrupted by internal or external challenges. This means the system needs redundancy, defence in depth, surge capacity, and the ability to “fail gracefully” when challenges become extreme.
- Measurability. Safety controls must be designed to be measurable, so that safety managers and stakeholders can assess performance and capability before a safety challenge arises.
NOCTURNE considers all these factors when designing and examining management-system elements, including systems designed to assure safety. The end goal is to ensure that stakeholders recognize, understand and trust in the organization’s commitment to safety, and that the organization will fulfill that trust.
Tell us about the safety objectives or risks you’re trying to address. We’d love to help!