ws 8 safety manag system

8/23/2019 WS 8 Safety Manag System

1/19GUI0128/01/02.11

Safety Management Systems

for major hazard facilitiesAdvice for operators of major hazard facilities on developingand implementing a Safety Management System.

June 2011

1. Introduction 1

1.1. Features of successful SMS development 2and implementation

1.2. Core concepts 2

1.3. Key denitions 3

1.4. Report of the Longford Royal Commission 4

2. Planning and preparation 5

2.1. Role of the SMS 5

2.2. Ensuring a compliant SMS 7

2.3. Workforce requirements 8

3. The Safety Management System 8

3.1. Required elements of the SMS 8

3.2. Establishing the SMS 9

3.3. Comprehensive and integrated SMS 13

3.4. Managing control measures within the SMS 14

3.5. Performance standards for the SMS 15

3.6. Summary of the SMS for the Safety Case 17

4. Review and revision 17

5. Compliance checklist 17

6. Further reading 19

1. Introduction

The major hazard facility parts of the OccupationalHealth and Safety Regulations 2007 (OHS Regulations)set out legal duties for control of risks from operatinga major hazard facility (MHF). They apply to the operatorof a facility who is the employer with management orcontrol of the facility.

To obtain a licence to operate an MHF in Victoria,operators are required to submit a Safety Case which setsout how the facility will be operated safely.

This guidance note will assist an operator through theprocess of establishing and implementing a SafetyManagement System (SMS).

The SMS is a signicant part of the Safety Case aswell as being the primary means of ensuring the safeoperation of the MHF. The MHF regulations require theoperator to establish, implement and use an SMS. TheSMS should embrace all attributes of the facility affectingsafe operation, over which the operator has direct orindirect control. These attributes may include: leadership;responsibilities; targets; planning; roles; culture; and thecontrol measures for safe operation. Overall, each facilitysSMS needs to address prevention and control of all risksto health and safety. However, only those elements of theSMS that relate to prevention and control of major incidentsare specically relevant to the MHF regulations, and hence

comments within this guidance note are directed to thoseaspects of SMS that have an inuence on major incidents.

The operator may have to develop a whole SMS, developor modify parts of an existing SMS, or may adopt systemsdeveloped by others (eg industry bodies) and adapt theseto be suitable to the specic facility. The MHF regulationsdo not prescribe a specic standard or model for theSMS, provided the system is capable of managing andmaintaining the adopted control measures and its contentmeets regulatory requirements.

The MHF regulations require that the operator continually

improve the system through a process of monitoring,audit and review.

Guidance Note


2/192

Guidance Note Safety Management Systemsfor major hazard facilities

The MHF regulations do not prescribe any particular

standard or model for the SMS. Each facility operatorneeds to implement a workable system appropriate tothe particular facility, its potential major incidents andassociated hazards, the adopted control measuresand resultant level of risk.

The SMS must be documented, and needs to beaccessible and comprehensible to those who use it,to ensure that it is followed correctly and is understood.Documentation of the SMS will also enable the operatorto test its implementation and assure its performance,and will enable WorkSafe to test the adequacy of thesystem and its implementation. A summary of theSMS must be contained within the Safety Case.

The SMS should incorporate processes to identify,select, dene, implement, monitor, maintain, review andimprove the range of control measures on which safeoperation depends. Errors, deviations and breakdownsin control measures and corresponding parts of theSMS need to be tracked under the SMS, to providedata on the actual safety performance of the facility.Performance standards must be used to facilitatethis process.

The SMS should be consistent with the safetymanagement approach or philosophy at the facility,

and the companys overall business managementsystem, and applicable to the facility as a whole.

Those responsible for the SMS should ensure itfully recognises the potential for major incidentsat the facility, incorporates understanding of causesand contributors to major incidents and activates acommitment to effectively manage the associated risk.

Management and workers need to participate inand understand the SMS.

The SMS should incorporate the generic managementsystem cycle of planning, implementation, monitoring,corrective action and review, so that safety is

maintained and improved. The SMS should besubject to regular review and improvement.

The processes for generating or reviewing a SafetyCase should be incorporated into the SMS so that theSafety Case is a product of the established SMS.

1.1. Features of successful SMS

development and implementationThe following factors are critical to the SMS. The SMS:

must be comprehensive and integrated with respectto the adopted control measures

must be implemented in practice and used as theprimary means of ensuring safe operation

should be consistent with the understanding of riskgained from the Safety Assessment

should have sufcient focus on major incident safety,from planning through to operations

must be documented and readily accessible and

comprehensible to those who use it must contain all of the required aspects identied

in reg 5.2.5 and Schedule 10

should contain the elements of a generic managementcycle eg dene objectives; plan and implementactivities; monitor, audit and review performance;act on deciencies

must have performance standards, which enablethe operator to measure the effectiveness of theSMS in ensuring safe operation

needs to cover the whole facility dened withinthe Safety Case

should be dynamic and continually improvingto adapt to changes and to reect reality

should reect the overall safety culture and valuesof the facility. It should not be a pure paperworksystem divorced from actual behaviours and attitudesof workers

all persons involved in safe operation should haveknowledge of and be committed to the SMS.

1.2. Core concepts

The operator of an MHF must establish and implement

an SMS which provides a comprehensive and integratedsystem for the management of all aspects of theadopted risk control measures.

The SMS must be the primary means of ensuring safeoperation in respect of major hazards, which is achievedby managing and assuring the performance of theadopted control measures.

The SMS needs to reect the hazards that are presentand support the actual practices on the facility. AnSMS that is divorced from reality or fails to focus on thespecic requirements for safe operation will not meetthe regulatory requirements.


3/193


Figure 1.1 Requirements of the SMS

1.3. Key denitions

Control measure (control): Any system, procedure,process, device or other means of eliminating, preventing,reducing or mitigating the risk of major incidents arisingat an MHF. Controls include physical equipment, processcontrol systems, management processes, operating ormaintenance procedures, the emergency plan andkey personnel and their actions.

Hazard (related to an MHF): Any activity, procedure,

plant, process, substance, situation or any othercircumstance that could cause, or contribute to causing,a major incident.

Hazard identication: The process of identifyinghazards as described in the WorkSafe guidance note Hazard identication.

Major incident (related to an MHF): An uncontrolledincident, including an emission, loss of containment,escape, re, explosion or release of energy, that

(a) involves Schedule 9 materials and

(b) poses a serious and immediate risk to health and safety.

Safety Assessment: A Safety Assessment processconsistent with international risk assessment standards,including AS/NZS ISO 31000 Risk management. A SafetyAssessment involves an investigation and analysis of themajor incident hazards and major incidents to provide theoperator with a detailed understanding of all aspectsof risk to health and safety associated with majorincidents, including

(a) the nature of each hazard and major incident

(b) the likelihood of each hazard causing a major incident

(c) in the event of a major incident occurring

(i) its magnitude and

(ii) the severity of its consequences to persons bothon-site and off-site

(d) the range of control measures considered.

Safety Management System (SMS): Comprises allpolicies, objectives, roles, responsibilities, accountabilities,codes, standards, communications, processes, procedures,tools, data and documents for managing safe operation ofthe facility. In the context of the MHF regulations, the SMSfocuses on the prevention, reduction or mitigation of majorincidents. The SMS is not just documentation but is theactual implementation of processes, systems, proceduresand practices on the site.

SMS tests

Comprehensive?

Integrated?

Accessible?

Comprehensible?

Documented?

Facility-wide?

Realistic?

Dynamic?

Improving?

Control measures

Management system elements

Design and construction standards

Engineering projects

Knowledge of facility

Operational/maintenance procedures

Engineering controls ResourcesProcess control systems

Mechanical integrity of facility assets

Materials used in facility

monitoringaudit

review

continualimprovement

implementation

standards andtargets

policy andobjectives

planning andprioritising

corrective action


4/194


providing sufcient knowledge of critical safe operating

parameters, control measures, hazards, and potentialmajor incidents?

Management of change. Are changes to the facility,management systems, organisational structure andhuman resources analysed and their impacts on safetymanaged? Are Safety Assessment programmeskeeping up with the intended assessment schedulesand with plant changes?

Learning from incidents. Are learning opportunities fromnear misses and other incidents being properly workedthrough, from analysis of root causes to communicationof lessons and solutions? Does the incident reporting

and investigation system facilitate learning or hinder it? Management of human resources. Are there adequate

human resources for carrying out all safety roles? Isthe management system actually devoting resourceto where it is needed for safe operation? Is there aneffective process for ensuring the necessary skillsand resources are available at all times? Are handoverrequirements properly implemented? Are absencesmanaged correctly? Is there adequate supervision ofworkers and checking of work, response to processinformation, adherence to procedures?

Communications. Do communications ensure all

relevant persons are aware of key process conditions,the status of control measures and other key issues?Do operating, engineering, maintenance and otherdepartments communicate with each other, to useeach others expertise, and to work together effectivelyto plan and ensure safe operation? Is there effectivetwo-way communication to ensure senior managementand workers are aware of problems and solutions? Areoperational communications unambiguous or can theybe misheard or misinterpreted? Are personnel makingcorrect assumptions about safety critical issues? Whatlevel of checking or verication of communications andoperational assumptions occurs?

Plant surveillance, facility oversight, trouble-shooting.Is there any routine process for monitoring plant/process condition and operational practices to identifyabnormal and potentially hazardous conditions? Isprocess or equipment monitoring information usedto identify underlying problems, evaluate trends andassist decision-making? Does any group or individualhave an overview of the facility as a whole? Is theresufcient awareness of the potential for interactionsbetween different equipment and installations withina complex integrated facility? Once a potentiallysignicant process deviation develops, is there an

effective and timely means of addressing the problem?Are there sufcient procedures, authorities, resourcesand expertise to step back, evaluate and control

So far as is reasonably practicable: To reduce risk

to a level so far as is reasonably practicable involvesbalancing reduction in risk against the time, trouble,difculty and cost of achieving it. This requiresconsideration of:

(a) the likelihood of the hazard or risk concernedeventuating

(b) the degree of harm that would result if the hazardor risk eventuated

(c) what the person concerned knows, or ought reasonablyto know, about the hazard or risk and any ways ofeliminating or reducing the hazard or risk

(d) the availability and suitability of ways to eliminate

or reduce the hazard or risk

(e) the cost of eliminating or reducing the hazard or risk.

More information on so far as is reasonably practicableas applied to major incident risk is found in the Guidancenote Requirements for demonstration. More informationon key terms is found in other MHF guidance materialavailable from the WorkSafe website and in the denitionsof the OHS Regulations (reg 1.1.5).

1.4. Report of the Longford

Royal Commission

The MHF regulations aim to address the ndings of theRoyal Commission on the 1998 Longford Gas PlantIncident to ensure similar incidents are prevented.The Longford Royal Commission report contains a widerange of observations and recommendations regardingsafe operation, many of which can be related broadly tothe management systems in place at an MHF.

Some of the key lessons from this particular incident aresummarised below, starting with fundamental issues andleading on to the immediate causes or contributing factorsof the incident. The list is not intended to be exhaustiveand all points will not necessarily apply in all cases.

Ensuring the SMS is implemented and effective.Are the procedures within the SMS implementedand are they effective in ensuring safe operation?Is there effective monitoring, auditing, identicationof deciencies and corrective action? Is the SMSdocumentation comprehensible and used by workers?

Organisation, structure, roles and responsibilities.Are safety roles and responsibilities clearly denedfor all parts of the facility, all levels of the organisation,all operating conditions and all control measures?

Management of knowledge. Is there an effective

system for providing sufcient individual and collectiveknowledge, skills and experience to operate thefacility safely in the rst place and then for retainingthat knowledge, skills and experience? Is this system


5/195


Corporate culture. Does the corporate culture lead

to a challenging of norms? Is potential for corporateblindness recognised and guarded against? Is theoperator prepared to test and revise their systemsfor safe operation? Do the communication andreporting systems encourage an open exchangeof critical views and information?

MHF operators should read the Longford report and otherrelevant incident reports (eg P Texas City; Flixborough;unceeld) and take account of the issues raised inthe reports when establishing and implementing theirown SMS.

2. Planning and preparation

2.1. Role of the SMS

Reg 5.2.5 and 5.2.15 of the MHF regulations require thatan SMS provide a systematic means of ensuring safeoperation for the facility by managing the adopted controlmeasures in a comprehensive and integrated manner. Mostmodern management system standards or models featurea set of generic elements, forming a continual improvementcycle. For example, Figure 2.1 shows the basicmanagement elements required by AS/NZS 4804:2001 Occupational health and safety management systems.

No particular management system model is correct orbest; but it is generally recognised that sound managementsystems are all similar in fundamental terms. Compliancewith the MHF regulations does not require any particularstandard to be used, nor will compliance with an existingmanagement standard ensure compliance with the SMSrequirements of the MHF regulations. However, adoption ofa proven standard may assist an MHF operator by providinga sound framework on which to base their specic SMS.

the situation? Have all of the safety implications of

abnormalities and deviations been thought through, andprocedures developed accordingly? Are safety hazardsspelled out alongside production issues in operatingand trouble-shooting instructions?

Recognition of critical safety control measures.Do operators and other workers recognise criticalprocedures, equipment or controls and the implicationsof their failure? Are steps taken to prevent overridingof these measures?

Understanding signicance of process information .Are operators able to understand the signicance

of the signals provided by the process and other

monitoring systems regarding the state of the facility?Are all the necessary critical operating parametersknown and their safe operating limits dened? Arecritical alarms discernible from and prioritised overother alarms? Are operators able to respond to theinformation being generated by the facility duringday-to-day and abnormal conditions, and make safedecisions? Do procedures ensure safe response toalarm and other abnormal conditions? Do operatorshave the necessary time, resources, support and abilityto refer matters to additional expertise or authorityif needed?

Production demands. Could production demandspotentially compromise the ability to operate safely?Is there sufcient time and capacity within the systemto be able to limit or halt production on safety grounds?Do production demands result in short cuts being takenwith critical control measures?

Emergency response strategies, resources, proceduresand communications. Is there a robust and practisedemergency response plan which assists decision-making and reects the scale, nature and durationof incidents that can occur? Is there an effectivecommunications channel to ensure timely response?Are personnel clear on the roles they should adoptin the event of an emergency? Is there adequateunderstanding of the overall approach and strategy forreghting? Are adequate resources available to carryout this strategy? Is there up-to-date information onthe available inventory, isolation points and isolationpriorities? Is a credible emergency isolation andshutdown strategy in place?


6/196


design and construction standards and procedures

process control and automation systems

physical engineered devices which eliminate,reduce or mitigate major incidents

corporate and individual knowledge of the facilityand its safe operation

culture, attitudes and values of the operatorand workers in relation to safety

organisation, supervision and resourcing of tasksand processes required to ensure safe operation,permit to work and equipment isolation procedures

processes to maintain mechanical integrity of criticalassets (testing, inspection, maintenance, replacement)

operations/maintenance procedures needingto be performed in a certain manner to maintainsafe operation

procedures for procurement of devices, parts,raw materials and other commodities used inthe process

emergency plans and procedures.

Figure 2.1 Elements of the generic management system

The management system must manage and support thosespecic aspects of the facility and its operations that formthe control measures adopted to prevent and control majorincidents. The links between the management of controlmeasures and the SMS need to be clear.

There may be other health and safety issues (egoccupational exposure to chemicals or to noise) which areimportant and also managed through the SMS. Similarly,there may be other types of risk associated with thefacility (eg production loss, quality loss, damage to theenvironment) which the operator wishes to manage throughthe same integrated management system. Howeverthese are not specically relevant to the MHF regulations,and for the purpose of determining compliance with theMHF regulations, the SMS needs to have a specic andadequate focus on those control measures which havea role in relation to potential major incidents. For more

information, see the guidance note Control measures.Some example control measures are:

monitoringaudit

review

continual improvement

implementation




corrective action


7/197


These include:

An SMS contains the right management elements andaddresses the correct control measures but does notreect how these control measures are managed inpractice ie the elements exist but do not reect reality

An SMS contains the right management elements butmanages the wrong control measures ie those notrelevant to major incidents.

An SMS addresses the appropriate control measuresand reects reality but does not have the appropriatemanagement system elements to ensure propermonitoring and improvement of performance ie theSMS manages the controls but does not monitor orimprove performance.

2.2. Ensuring a compliant SMS

The SMS must be comprehensive and integratedwith respect to these control measures. This meansincorporated within a rational management cycle whichcontains the elements of good management practiceand which drives ongoing improvement (reg 5.2.5).A comprehensive SMS combines all the genericmanagement system elements and supports all thecontrol measures in proportion to their inuence onsafe operation. This concept is illustrated in Figure 2.2.

There are a number of problems or mistakes that caninuence the effectiveness of the SMS and compromisecompliance with the requirements of the MHF regulations.

Figure 2.2 A comprehensive SMS

Hazard identication,safety /riskassessment and

review of controlmeasures determineswhat controlmeasures arenecessary and setsstandards for theirperformance.

The SMSmanagementcycle assures(and improves upon)the necessaryperformance.

Design and construction standards

Engineering projects

Knowledge of facility

Operational/maintenance procedures

Engineering controls ResourcesProcess control systems

Mechanical integrity of facility assets

Materials used in facility

monitoring

audit

review

continualimprovement

implementation




corrective action


8/198


Operational controls. Operational controls include all

processes and procedures impacting on safe operation,for all modes of operation. Operational controls likely to beof particular importance at MHFs are the processes andprocedures for operating plant and equipment; maintainingthe integrity of that equipment; permitting work;starting up plant or commissioning; shutting down plantor de-commissioning; achieving safe isolation of equipmentand controlling abnormal conditions. Operational controlsshould in particular include processes for identifying,handling and reducing or eliminating human error, suchas procedural checks, error reporting, alarm handlingprocedures, fault-tolerant procedures and processesfor improving compliance with procedures.

Processes for compliance with divisions 3 and 5 also needto be included in the SMS eg procedures for carryingout hazard identication and Safety Assessment and forconsulting with health and safety representatives (HSR).

Management of change. This is an essential elementof a robust and comprehensive SMS, as changes canintroduce new major hazards or potential major incidents,or can increase the risk arising from existing hazards.There needs to be effective management of all changes inthe facility (past, present and future), including operational,organisational, procedural and equipment changes.

This subject is addressed in more detail in the guidancenote Management of change.

The MHF regulations note that a modication to thefacility could create a new hazard or increase the likelihoodor consequences of major incidents, and thereforerequires review and revision of hazard identication, majorincidents, control measures and Safety Assessment. TheMHF regulations also require a review and, if necessary, arevision of the SMS if a modication is made to the MHF.Hence management of change needs to track changes tothe facility, the control measures and the SMS itself, andthen trigger reviews and revisions as necessary. This is to

ensure that the SMS as a whole is monitored and revisedso that it continues to be applicable and appropriateto the facility. Modications with potential to erode theeffectiveness of the SMS, either due to obsolescence ormis-application of parts of the SMS, need to be avoided.

2.3. Workforce requirements

The MHF regulations have requirements which specifythat workers must have a safety role, including in followingprocedures for the establishment and implementationof the SMS. The operator must consult in relation toestablishing and implementing an SMS. The operatoris also required to provide information, instruction andtraining to workers in relation to the content and operationof the SMS. Hence the workforce requirements relate toboth establishing and implementing the SMS, and ensureongoing functionality of the SMS.

3. The Safety Management System

3.1. Required elements of the SMS

Reg 5.2.5 and Schedule 10 dene the matters thatmust be included in the SMS. The extent and means ofaddressing these matters must be such that the SMS isused as the primary means of achieving safe operation,including providing for compliance with divisions 3 and5 of the MHF regulations. These prescribed elementsare expected to provide a good basis for an SMS for allMHFs, although further elements are likely to be neededfor specic MHFs. The elements, previously summarised insection 2.1, are detailed below:

Safety policy and objectives. The MHF regulations donot require a policy on major hazards but they do requirea clear safety policy including the broad aims for the safeoperation of the MHF, which need to relate to the existenceof major hazards. WorkSafe will look for evidence that, at ahigh level, the operator recognises the potential for majorincidents at the facility and is committed to controlling theassociated risk. Detailed objectives must be set.

Organisation and personnel. The MHF regulationsrequire an explanation in the SMS of the organisationand personnel arrangements. This should dene theroles and responsibilities of individuals in ensuring safe

operation, and the overall means of ensuring they havethe necessary knowledge and skills to enable them toperform their allocated tasks and discharge their allocatedresponsibilities. It should also address the wide range ofhuman factor issues that can impact safe operation, suchas: management of knowledge; competency assurance;staff turnover; changes in skills or knowledge; clarityof command structures and responsibilities; handlingworkloads, morale, fatigue and shift work; communications;empowerment; disputes etc.


9/199


control and quality assurance are necessary as part ofthese processes: that is, checks are required that activitiesoccur, that the activities are being performed to a suitablestandard; and that the systems, procedures, controls etcare achieving the desired results. Review is the regular butless frequent process of stepping back and asking if theentire system and the standards within it remain adequate,t-for-purpose, and in-line with current good practice. A

combination of monitoring, audit and review is necessaryto ensure the ongoing effectiveness of the SMS and todrive continual improvement. Reporting and investigationof hazards and incidents are important aspects ofsafety management and need to be included within theoperational controls and/or the processes of monitoring,audit and review.

3.2. Establishing the SMS

The SMS should be established to reect the true safetymanagement approach of the facility (see the guidancenote Safety Case overview). For example, if the operator

places a signicant amount of reliance on workers toshow responsibility and initiative in maintaining safeoperation, then the SMS should be customised to focus

Figure 3.1 Management of change within the SMS

Principles and standards. These can include anydocuments or concepts used as the basis for ensuringsafe operation. These should be consistent with thesites Safety Case approach and can include technical,engineering or management principles developed orapplied by the operator. Examples include principlesfor management of human factors; standards fordevelopment or implementation of operating procedures;

design principles for control rooms and alarm systems;engineering design standards; re protection standards;maintenance standards; loss control principles; layers ofprotection and process control systems design basis.

Monitoring, audit and review. Monitoring comprisesthe routine checking that activities under the SMS areactually being conducted, the measurement of actualperformance of the SMS elements and the comparisonof this performance with the dened standards ortargets. Audit is the process of checking that the overallestablished SMS is understood and is being used, and thatthe management framework (in particular the monitoring

and corrective action processes) is being implemented andis effective. It can also include evaluation of the degreeof compliance against the dened standards. oth quality

Audit

Review

Incident reporting

Investigation

Records and drawings

Knowledge base

Supervision

Troubleshooting

Operationalprocedures

Maintenance systems

Process condition data

Existing controls

Hazardidentication

New controls

Emergency responseplans

Safety Assessment

Modication projects

Plant condition monitoring

Policy and objectives Culture

Standards Consulting and informing

Improvement/corrective action

Resourcing Roles and responsibili ties

Training Management of change

Learning from experienceAnticipated future

intended or unintended

changes and events

Managing currentconditions

and variations


10/1910


Examples of modern SMS standards applicable to control

of major hazards are: AS/NZS 4804:2001 Occupational health andsafety management systems General guidelinesand AS/NZS 4801:2001. Occupational health andsafety management systems Specication

American Petroleum Institute, API 9100 (1998),Model Environmental Health and Safety Management System and Guidance Document

US OSHA 3132/3133, Process Safety Management

AIChE/CCPS, Guidelines for Implementing ProcessSafety Management Systems

UK Health and Safety Executive HSG65, SuccessfulHealth and Safety Management

Figure 3.2 shows some examples of standards that maybe relevant, taken from the American OccupationalSafety and Health Administration (OSHA).

on competency, information, knowledge and training

to support the workers in this role. Alternatively, if theoperator emphasises the strict adherence to systemsand procedures, there may be less emphasis on workerelements and more emphasis on written procedures andensuring compliance with these procedures. Anotherexample would be an operator reliance on engineeringcontrols, so the SMS may emphasise maintenance anddesign standards rather than operating procedures. It isunlikely that such differences would result in any basicelements being absent but a different balance of emphasisshould be discernible from the Safety Case philosophy.

Figure 3.2 OSHA Process Safety Management standard

Process saety inormation

Responsibilities and participation o personnel

Written operating procedures or all operating phases and limitations

Permit system

Compliance auditing

Employee and contractor saety inormation and training

Mechanical integrity evaluation and maintenance systems

Quality assurance or design, abrication and installation

Emergency planning and training

Pre-start up saety reviews

Management o change procedure

Incident investigation

Workplace and process hazard analysis, consultation and action planning


11/1911


and safety, quality, production, environment and nance

(see Figure 3.3 for example). Other companies mayemploy integrated management systems for the businessas a whole. It is up to the operator to choose how theSMS is structured. However, in all cases the SMS mustprovide a management focus on the specic controlmeasures required for safe operation of the particularfacility with regard to major incidents. Any corporate orstandard management system should be tailored and/orsupplemented to reect the specic conditions and controlmeasures of the facility.

Some companies, in particular operators of multiple sites,

may have corporate standards for the SMS. These mayprescribe the entire SMS or only common high-levelcomponents such as the overall policies and procedures.In other cases, corporate SMS requirements may be limited,and the site will then need to develop its own systems.Many corporate systems specify that local regulationsoverride corporate requirements if they are more stringent.Depending on their corporate requirements and businessculture, some companies may employ specic, dedicatedmanagement systems for individual issues such as health

Figure 3.3 API Model Environmental Health and Safety Management System

Corporate vision

policy management

commitment

Continual

improvement

Do

Personnel, training andcontractor services

Documentation and communications

Facilities design and construction

Operations, maintenance andmanagement of change

Community awareness andemergency response

Plan

Management leadership,responsibilities/accountabilities

Risk assessment/management

Compliance and other requirements

EHS management planningand programs

Adjust

Management review

and adjustment

Continual improvement

Assess

EHS performance monitoringand measurement

Incident investigation,

reporting and analysis

EHS management system

Audit


12/1912


demonstrate that major incident safety issues are not

being neglected or obscured by other issues like keepingthe plant running and controlling routine emissions.Conversely, if a management system specic to majorincidents is presented, there needs to be a demonstrationof the ability of the operator to implement this alongsideother management systems.

The intent of the MHF regulations is not to create an overlycomplex system relative to the nature of the facility, asthis may divert attention from the fundamental activity ofmanaging safe operation, but to develop and implement asystem that is t for purpose (see Figure 3.4), reects thecomplexity and risks inherent in the facility and achieves

the basic requirements outlined in the MHF regulations.

Major incident risk requires a more disciplined approach

to the management of risks than common OHS risksdue to the inherently lower frequency of major incidenttype hazards. This is to ensure control of these hazardsis not overshadowed by more frequent but less severehazards. While there may be some overlap between thedifferent types of risk, a specic and targeted focus onmajor incident risk management is required for all facilities.Whatever SMS basis is used, WorkSafe expects thatthe operator will document the basis of the SMS andshow that it provides this focus and is appropriate tothe specic facility.

If an integrated management system, which addresses

a range of issues, is presented, the operator will need toFigure 3.4 Fit for purpose SMS

Size and complexity of facility

Small, simple Large, complex

Inherent risk of facility

High risk

Low risk

Simpler SMS

Extensive monitoring,auditing, review

World-class highintegrity SMS

Less extensive monitoring,auditing, review

Simpler SMS

Less extensive monitoring,auditing, review

World-class highintegrity SMS

Extensive monitoring,auditing, review


13/1913


disabled. Hence the SMS needs to ensure that the control

measures work together effectively as a whole, in particularthat they do not conict with each other, and henceprovide layers of defence. Furthermore, to ensure thatthe core elements of the SMS work together effectively,communications and actions should be linked andconsistent throughout the SMS. For example, if monitoringindicates that there are problems in implementation ofa particular procedure, this should be reected in thecorrective action processes. The SMS should providea communication, decision-making and action processwhich is on the look-out for interactions within the systemwhich could combine to cause major incidents.

The MHF regulations require the SMS to be accessible,comprehensible and documented . For the SMS to beaccessible, the contents, layout, format and location ofthe SMS should enable all workers who use the SMS toaccess the parts they need, so that they understand therelevant SMS requirements before carrying out any safetycritical task. The SMS should be written in such a waythat the users of the SMS can understand it and exactlywhat is required to implement it. All critical information anddecisions should be documented sufciently to providean audit trail which enables both the organisation andWorkSafe to be satised that the SMS is functioningeffectively and is being implemented in practice.

The SMS should be applicable facility-wide . Prioritylevels within the SMS for different parts of the facility,and different risks, should be determined by their relativeimportance to safe operation. However an SMS whichneglects entire components of the facility may be awed.

The SMS should be realisticand should reect the actualpractices on the facility. The SMS is not purely an OHSdocumentation activity. It should incorporate the wide rangeof human culture issues, commitment levels, attitudesand communication and control processes, any of whichcan have a profound effect on the risk of major incidents.

All workers and management who have a role in safetyparticipate in and inuence this broad system. The MHFregulations stipulate that establishing and implementingthe SMS must be the subject of consulting, informing,instructing and training of workers to ensure that thenal SMS is realistic. Any systematic difference betweenthe SMS and actual practices on the facility may be amajor aw in the safe operation of the facility. However,occasional divergences or non-compliance events mayarise because of the complexity of some operations.These do not indicate failure of the SMS, as long as theyare monitored and corrected (whether correcting thepractice or modifying the system).

3.3. Comprehensive and integrated SMS

The key factor that needs to be demonstrated in theSafety Case is that the SMS is comprehensive andintegrated with respect to the control measures.There are some additional fundamental principles that needto be addressed, which follow from the MHF regulationsand the lessons of the Longford incident describedpreviously, and that are good management practice.These principles include that the SMS should beaccessible, comprehensible, documented ,facility-wide , realistic, dynamicand continuouslyimproving. These factors do not need to be explicitlydemonstrated in the Safety Case but they may impact

on the MHF licence requirements and therefore needconsideration.

For the SMS to be comprehensive, it needs to ensurethat any risk control measure is properly implementedand maintained in every sense. This can include:

identifying what are the control measures

dening their performance requirements

implementing the measures themselves andany associated training etc

monitoring and maintaining the control measuresagainst the performance requirements

rectifying any shortcomings that may arise reviewing and improving the control measures.

These elements should ensure that the operator has anunderstanding of the effectiveness of a control measurein eliminating or controlling major incidents. Situationswhere the assumed effectiveness of a control measurewas not achieved in practice would indicate that the SMSis not comprehensive in relation to that control measure. Inthis regard, it is more important for the SMS to accuratelyportray standards achieved in practice (ie reality) thanto promote any particular standard of performance thatmight not be achieved in practice and may therefore

result in a false sense of security. If the SMS does notgive an accurate measurement of the effectiveness of thecontrol regime, then adequacy of safe operation cannot bedemonstrated and the Safety Case will be fundamentallyawed.

The requirement for the SMS to be integrated with respectto the control measures recognises the fact that failures incomplex systems often stem from a complex combinationof circumstances. For example, frequent failures ofinstrumentation may not become critical as long as thefailures are reported and rectied promptly, and thereare other control measures fully functional in the interim.

However, the problem may become serious if proceduresor communications break down, failures are not recognisedor not rectied, or if other control measures are also


14/1914


3.4. Managing control measures

within the SMSThe identity and relative importance of the differentadopted control measures are likely to be specic to eachfacility and their signicance should be determined inthe Safety Assessment process. The level of priority andresource allocated in the SMS to each control measureshould then be broadly proportionate to its inuenceover the overall risk level of the facility (ie a risk-basedapproach should be used), and should be made clearin the SMS.

There can be exceptions to this, where for some otherreason a particular control requires more or less attention

than its inuence on risk would suggest, or the SMShas elements due to corporate requirements or goodmanagement practice, but not directly linked to the riskof major incidents. However, the SMS should providea rational basis for the decision-making and resourceallocation processes inuencing safe operation. Hencethe links between the SMS, the control measures and theSafety Assessment should be clear. These concepts areillustrated in Figure 3.5 below.

The SMS should be dynamic. An SMS that does not

adapt to changing conditions at the facility will not retainthe ability to ensure safe operation and will lead todeterioration in safe operations. As well as monitoringand reactively responding to changes, the SMS should beproactive by setting goals and forcing necessary changeon the facility. An important aspect of a dynamic SMS isthat it is able to accommodate and learn from any variabilityor change in the facility which may require workers to takeaction above and beyond established working proceduresand instructions. This is a crucial point which relates backto the safety management approach and workplace culture:the SMS does not necessarily need to override workerstaking initiative and making adjustments in the face of

developing events within the facility if that is requiredto ensure safe operation. The SMS should howeversupport and adapt to this way of working and this shouldbe reected in the dened responsibilities and workingprocedures. The SMS should not be such as to preventthe worker from being able to recognise and deal withunexpected circumstances.

Continual improvement is required in all aspects of theSMS. This may mean improving actual safety performanceby more diligent application of existing systems or it maymean improving the system to improve performance or tocater to new hazards which have been introduced. Ensuring

continual improvement requires performance standardsand indicators for the SMS itself.

Figure 3.5 Decision-making and resource allocation within the SMS

SMS

Control measures

Saety Assessment

Are there new saetyproblems developing?

How should resourcesbe allocated?

How do decisions infuencesae operation?

What are the keysaety problems?

What are thesaety priorities?

What are the eects o change?


15/1915


operator to have performance standards for measuring

the effectiveness of the SMS. These need to relate toall aspects of the SMS. Performance standards shouldbe of sufcient detail and transparency to enable theeffectiveness of the SMS to be apparent from thedocumentation. They should be dened in such a wayas to provide a meaningful measure of effectiveness.For the purposes of continuous improvement of the SMS,there should also be processes and measures designed toidentify and implement improvements to the system itself.

A comprehensive set of workable SMS performancestandards appropriate to the facility will be necessary.Performance standards can be dened at a high level

for the system as a whole, and at a lower level for individualelements of the system. The standards could includeboth the current required level of performance, and alsoa target level to be achieved within a specied timeframe.Operators should consider the principle of SMART(Specic, Measurable, Achievable, Realistic, Targeted)in dening performance standards.

Operators should also consider using a combinationof performance standards which include both proactivestandards (ones that measure the activities or inputs ofthe organisation to managing safety) and reactivestandards (ones that measure the outputs or actual

performance achieved).

The priority elements within the SMS at any time may

include a set of issues which require ongoing attentionand resources, and a set of new issues which have arisenor may be about to arise which require attention. MHFsare expected to rely on a number of different controlmeasures which have an inuence on safe operation.The relative priorities of these will change from time to timeas management effort takes effect, existing key concernsare brought under control, conditions in or around thefacility alter and new knowledge or problems arise.As a result there will be a variety of control measuresmanaged under the SMS, with control measureimprovements identied and given priorities under theSMS. The improvement priorities will change over time,

as specic improvements are implemented, existingproblems resolved and new problems and improvementopportunities identied. The SMS should identify thechanging priorities for safety management/improvementbased on the Safety Assessment process.

3.5. Performance standards for the SMS

The operator must develop and apply performancestandards for the SMS. These should support theoperators safety objectives, which mean that performancestandards need to be set for the systems and proceduresthat are in place to ensure that the objectives are met

(reg 5.2.5). In particular, Schedule 10(7) requires the

Table 3.1 Examples of SMS performance standards

System expectation (standard) Performance measure

Process measures Outcome measure

Safety critical equipment

A system is in place to identify

test and maintain the equipment

to ensure the required design and

reliability standards for safety critical

equipment are met.

Selection, design, modication etc in

accordance with company standards.

Equipment tested to schedule.

Audits of the above processes

completed to schedule.

Results from scheduled testing.

Results from breakdown maintenance.

Results from incident investigations

where safety critical equipment

caused or contributed to incident. Actions from audits, testing and

incidents etc relating to safety critical

equipment is completed to schedule

to ensure system is continuously

improved.


16/1916


System expectation (standard) Performance measure

Process measures Outcome measure

Mechanical integrity

A system is in place to test, inspect

and maintain mechanical assets to

applicable standards.

Mechanical assets inspected

and tested to schedule.

Temporary/interim repairs replaced

with permanent repair to schedule.

Reported mechanical defects

corrected to schedule.

Audits of the above processes

completed to schedule.

Number of incidents/leaks due

to mechanical integrity issues.

Results from inspection and testing

of assets.

Actions from audits, testing and

incidents etc relating to safety critical

equipment is completed to schedule

to ensure system is continuously

improved.

Procedures

A system is in place for the

development, implementation and

review and revision of effective

operating and maintenance

procedures.

Procedures issued and reviewed

and revised to schedule.

Audit of the above processes.

Number of procedures current

and available for use (eg results

from audits).

Number of incidents with cause(s)

relating to inadequate procedures.

Actions from audits and incident

investigations completed to schedule

to ensure procedures are effective.

Training

A system is in place to ensure

employees have necessary skills and

knowledge to effectively do their job.

Required training (including refresher

training) for specic jobs completed

to schedule.

Audit on training requirements forspecic jobs (eg status against risk

matrix, number attending training

sessions etc).

Number of incidents related to

inadequate/insufcient training.

Findings from survey or tests on

competency and knowledge.



to ensure training system is effective.

Management of change (MOC)

A system is in place for the

management of temporary and

permanent changes.

Number of approved temporary

changes still in place beyond

approval expiry date.

Number of changes made that

bypassed or shortcut the MOC

process.

Audit or quality review of change

documentation, sign off and approvalprocess are completed to schedule.

Number of incidents related to MOC

process inadequacy.



to ensure MOC process is effective.


17/1917


summary of the links between the SMS, hazard

identication, Safety Assessment and adoptedcontrol measures.

The SMS matters listed in schedule 12 are additionalto the above.

4. Review and revision

An MHF operator must review and revise the SMS if amodication is made to the MHF or a major incident occursat the MHF and at least once every ve years. In practicethe review and revision of the SMS as a whole at leastonce every ve years often coincides with the reviewand revision of the Safety Case for relicensing purposes.

MHF operators also often review and revise elements ofthe SMS at different times, depending on current needsand knowledge, but operators need to ensure that theSMS continues to function as a whole and that thedifferent elements do not contradict or conict withone another following partial review and revision.

5. Compliance checklist

Table 5.1 contains information on the MHF regulationsas they relate to SMS.

It is important to establish standards and systems that

are practical, and which ensure open, comprehensiveand accurate reporting of errors or problems. This meansthe systems should not place an unworkable burden onworkers, or result in repercussions that may discourageopen reporting. The SMS should enable the operatorto look into the detail of the performance monitoringinformation and decide if an absence of evidenceof problems really is indicating high performance,or whether there is a breakdown in recognition orcommunication of problems.

3.6 Summary of the SMS for the

Safety CaseReg 5.2.15 requires the Safety Case to include a summaryof the content of the SMS. The following aspects shouldbe included in this summary:

identication and brief description of all key elementsof the SMS

indication of how these elements relate to each other

overview of the foundations, standards or modelson which the SMS is based

outline of how the SMS meets the requirementsidentied in section 3.1 of this guidance note

Table 5.1 MHF regulations relating to SMS

Section Requirement

Reg 5.2.5 The operator of an MHF must establish and implement an SMS for the MHF. The operator must use the

SMS as the primary means of ensuring the safe operation of the MHF. It must be documented and provide

a comprehensive and integrated management system for all aspects of risk control measures adopted under

this part.

The SMS must be readily accessible and comprehensible to persons who use it. The SMS must contain the

safety policy, the operators broad aims in relation to safe operation and the operators specic safety objectives.

It must describe the systems and procedures for achieving these, and must describe how the operator intends to

comply with divisions 3 and 5 of the MHF regulations.

The SMS must be reviewed and, if necessary, revised if a modication is made to the MHF or a major incident

occurs at the facility and, in any event, at least once every ve years.

Reg 5.2.13 The operator must develop a role for the operators employees including the specic procedures employees

are required to follow to assist the operator to (d) establish and implement an SMS.

Reg 5.2.15 The Safety Case must contain a summary of the content of the SMS, and must be sufcient to demonstrate

that the SMS provides a comprehensive and integrated management system of risk control measures in relation

to major incident hazards and major incidents.

The Safety Case must include a signed statement by which the operator certies that the summary of the SMS

is accurate and that persons who participate in the implementation of the SMS have the necessary knowledge

and skills to enable them to undertake their tasks and discharge their responsibilities in relation to the SMS.

Reg 5.2.18 The operator of an MHF must consult in relation to (d) establishing and implementing an SMS.


18/1918


Reg 5.2.19 The operator of an MHF must provide information, instruction and training to employees of the operator

in relation to (d) the content and operation of the SMS. The information, instruction and training is monitored, reviewed and, if necessary, revised in order to remain relevant and effective.

Reg 6.1.44 WorkSafe may suspend or cancel an MHF licence if it is satised in the case of an MHF that the SMS for

the MHF no longer provides a comprehensive and integrated management system for all aspects of risk control

measures adopted in relation to major incident hazards and major incidents.

Schedule 10 The SMS must incorporate the following:

The safety policy and safety objectives, including the means of communicating these and an express

commitment to ongoing improvement of all aspects of the SMS.

Description of the organisation and personnel, including identication of persons participating in the SMS,

their responsibilities and accountabilities, the means of ensuring they have the necessary knowledge

and skill, and the command structure.

Description of the operational controls (whether technical, organisational or managerial).

The procedures for safe operation of plant, for mechanical integrity, for plant processes,

and for control of abnormal and emergency activities.

The provision of means of isolation for servicing and maintenance, and in emergencies.

The roles of personnel, and of the interfaces between plant and personnel.

Provision for alarm systems.

Description of the means of compliance with divisions 3 and 5 of the MHF regulations.

Processes for management of change.

Principles and standards for design and operation.

Processes for performance monitoring of the SMS and of adopted control measures.

Processes for audit, in particular of performance against standards.

Schedule 12 The Safety Case must contain clear references to the documented SMS. It must also contain a description of

those parts of the documented SMS that address the maintenance of the SMS (that is, its ongoing effective

implementation and its ongoing improvement).


19/19


6. Further reading

UK HSE (1998), HSG65, Successful Health and SafetyManagement.

UK HSE (1999), HSG48, Reducing Error and Inuencingehaviour. NSW Department of Infrastructure, Planningand Natural Resources (August 2004), (Consultation Draft)Major Industrial Hazards Advisory Paper No. 4 Safety Management Systems.

US Department of Labour, OSHA Standard CFR 291910.119, Process Safety Management.

American Petroleum Institute (1998), API 9100A, ModelEnvironment, Health and Safety Management System .

American Petroleum Institute (1998), API 9100,Guidance Document for Model EHS Management System.

American Petroleum Institute (1990), API RP750,Management of Process Hazards.

American Institute of Chemical Engineers, Centerfor Chemical Process Safety (1994), Guidelines forImplementing Process Safety Management Systems.

Australian Standard, AS/NZS 4804:2001 Occupational health and safety management systems.

Note: This guidance material has been prepared using the bestinformation available to the Victorian WorkCover Authority and shouldbe used for general use only. Any information about legislative obligationsor responsibilities included in this material is only applicable to thecircumstances described in the material. You should always check thelegislation referred to in this material and make your own judgement aboutwhat action you may need to take to ensure you have complied with thelaw. Accordingly, the Victorian WorkCover Authority cannot be heldresponsible and extends no warranties as to the suitability of theinformation for your specic circumstances; or actions taken by thirdparties as a result of information contained in the guidance material.

Further InformationContact the WorkSafe Victoria Advisory Service on1800 136 089 or go to worksafe.vic.gov.au

Related WorkSafe publications

Guidance Note Requirements for demonstration

Guidance Note Hazard identication

Guidance Note Control measures

Guidance Note Management of change

Guidance Note Safety Case overview

ws 8 safety manag system

Documents