Pergamon

Safety Science Vol. 26, No. 1/2, pp. 121-140, 1997
© 1997 Elsevier Science Ltd. All rights reserved
Printed in the Netherlands
0925-7535/97 $17.00 + 0.00
PII: S0925-7535(97)00034-9

MODELLING OF SAFETY MANAGEMENT SYSTEMS

A.R. Hale a,*, B.H.J. Heming a, J. Carthey b, B. Kirwan b

a Safety Science Group, Delft University of Technology, Delft, The Netherlands
b Industrial Ergonomics Group, University of Birmingham, Birmingham, UK

* Corresponding author.

Abstract - Management systems for safety and environment and audits for assessing them have been a major research topic of the last few years. This attention has been fuelled by increasing emphasis in European directives on auditable safety management systems (SMS)¹ and by the increasing interest in their certification following the principles of the ISO 9000 series of standards. This paper reviews briefly the literature on this topic and presents a framework within which the total activity of an SMS can be presented using a consistent descriptive language. The framework can be used to describe and evaluate an SMS or to assess the completeness of audit tools designed for SMS evaluation. It can also be used as a didactic framework for safety practitioners and managers and as a tool for accident analysis. The framework combines the following principles:

* safety management seen as a set of problem solving activities at different levels of abstraction in all phases of the system life cycle;
* safety related tasks are modelled using the Structured Analysis and Design Technique (SADT). This shows the inputs, resources and criteria/constraints necessary to produce the required outputs;
* risks are modelled as deviations from normal or desired processes.

The framework emphasises the dynamics of safety management as a process. It aims to provide an abstract ordering of the field which can clarify and specify research and policy needs for the future. It also provides a clear definition of safety culture. © 1997 Elsevier Science Ltd.

¹ The concept 'SMS' is used throughout this paper as a shorthand term to cover the management of all unintended risks to life, health, property and environment. At the level of abstraction at which this paper is pitched there are claimed to be only minor differences between these concerns.

1. Introduction: the need for a model

Safety management has become a topic of increasing interest in recent years. There are a number of reasons for this.

1. Regulatory interest was stimulated by the changing philosophy which led to the framework legislation of the 1970s and 1980s in many European countries (e.g. Great Britain, 1974;
Netherlands, 1980; Norwegian Petroleum Directorate, 1985; Ministry of Local Government & Labour, 1987) and ultimately to the consolidating European Framework Directive of 1989 (European Community, 1989). Such legislation moved the emphasis from detailed technical safety concerns to issues of decision making and management formulated within a safety policy.

2. This trend was strengthened by a series of official reports following major disasters (e.g. Flixborough, Department of Employment, 1975; Zeebrugge, Department of Transport, 1987; Kings Cross, Department of Transport, 1988; Clapham Junction, Hidden, 1989; Piper Alpha, Department of Energy, 1990). The main emphasis in these reports was on the failings of management to ensure that their plant or activities were designed, operated and maintained with sufficient safety. Recent amendments to the post-Seveso Directive (1994) require major hazard companies to have auditable safety management systems (SMS) and another directive has set up a voluntary European system for environmental management auditing (European Community, 1994a,b).

3. In parallel with regulatory concerns with assessing safety management systems has been the increasing desire of governments to withdraw from their detailed regulatory tasks (Ministry of Social Affairs and Employment, 1991). The International Standards Organisation standards on quality management systems (International Standards Organisation, 1987a,b,c,d) have been, or are being used as a basis for devising standards for SMSs or related environmental management systems (British Standards Institution, 1992, British Standards Institution, 1996). The third party certification system which has grown up to assess compliance with the standards is increasingly seen, certainly in the Netherlands, as an opportunity for privatising some government assessment tasks (Ministry of Justice, 1994).

These trends have produced a dramatic growth in the development and use of management system audits to assess whether an SMS is adequate and how it can be improved (e.g. International Loss Control Institute, 1990; HASTAM, 1989; Williams, 1986). Such audit systems are largely based on the collected experience of long years of consultancy or management and, with a few exceptions (e.g. Bellamy and Tinline, 1993; Brascamp et al., 1992; Det Norske Veritas, 1994), do not have explicit management models underlying them. As a result they can give the impression of being arbitrary lists of topics clustered under convenient headings which vary from one audit instrument to another. It is not clear whether they are too detailed or not complete enough (see e.g. Eisner and Leger, 1988, for criticism of one audit instrument). An explicit model of the SMS, which can present the dynamic nature of safety management processes, would provide a good starting point to assess the completeness of audits.

The development of courses for safety advisers and managers has also provided a stimulus to bring order into the topics which need to be taught. The shift in emphasis of this teaching in many countries to a greater concern with safety management (Hale, 1995; Storm and Hale, 1995) has created the need for a comprehensive and consistent framework for an SMS, within which the necessary knowledge to develop, evaluate and improve the SMS can be given a clear place (Swuste et al., 1994). Only with such a framework can the disparate and fragmented research literature be put into some order, so that conclusions can be drawn about what is established knowledge and where significant gaps in research and practice lie.

Research in Delft, culminating in a study sponsored by the British Health and Safety Executive, has aimed to produce such a framework, which is the subject of this paper.

2. Literature on safety management

The standard texts on safety management (e.g. Heinrich et al., 1980; Bird and Loftus, 1976; Petersen, 1978; Ridley, 1994) follow the format of general management textbooks or use legislation as their starting point for describing management obligations. They do not present specific models of the safety management system.

A review of the research literature on safety management (Carthey et al., 1994) revealed a number of lines of research and isolated studies which seem to have few links with each other. Comparisons of high and low accident companies (Simonds and Shafai-Sahrai, 1977; Smith et al., 1978; Zohar, 1980; Eyssen et al., 1980; Suokas, 1986; Chew, 1988; Haber et al., 1990; Nichols and Marcus, 1990) and case studies of high reliability organisations (Rochlin, 1989; USNRC, 1989; Roberts, 1989; ACSNI, 1993) have produced lists of factors which seem to be associated with good safety performance. Analysis of major accidents, such as the official reports quoted above, and of more minor accidents or loss of containment incidents (Powell et al., 1971; Kjellén, 1983; Hurst et al., 1991; Groenweg, 1992; McDonald et al., 1994; Wilpert et al., 1994) has provided a catalogue of organisational factors which went wrong in those cases and has even provided a first approximation of the relative importance of some of them (Bellamy and Tinline, 1993). Factor analytical studies of attitudes to safety and safety measures have produced still other scales measuring factors which underlie these issues (Wagenaar et al., 1994; Cox and Cox, 1991; Canter et al., 1990; Dedobbeleer and Béland, 1991; Diaz Cabrera, 1994; Hayes et al., 1994; Donald, 1994), but there are as yet no published studies linking these scales to measures of safety performance.

Finally, descriptive studies of parts of the SMS have been carried out, focusing on how these parts work, the role played by different persons or functions in them and how effective they are. Examples of aspects covered by such studies are safety information systems (Kjellén, 1982; Kjellén and Larsson, 1981), internal control systems (Hovden and Tinmannsvik, 1990; Flagstad, 1995), safety experts (Dawson et al., 1984; Oortman-Gerlings and Hale, 1991; Menkel, 1990), safety committees and quality circles (Palmer, 1990; Saarela, 1990), supervision and behaviour modification (e.g. Komaki et al., 1978; Näsänen and Saari, 1987), audits (Eisner and Leger, 1988), decision making (Gill and Martin, 1976) and safety culture (Pidgeon, 1991, 1993; Turner, 1991; Cox and Cox, 1991; Hood et al., 1992; Westrum, 1988). In addition, as indicated in the introduction, many commercial audits are available, based on accumulated professional experience.

All of these research studies provide the ingredients for devising a model of the SMS and underline the need for such a framework to make comparisons between the diverse results possible. The only studies which have aimed to provide more explicit models were the following:

The Nuclear Organisation and Management Concept (Haber et al., 1987) is an SMS model explicitly derived from the model of a bureaucratic organisation developed by Mintzberg (1980). It describes 37 key behaviours under 6 headings - decision making, planning and organisation, management attention, clarifying ambiguities, solitary work and non-work related activities - which form the basis of a management system. It also concentrates on the communications role of middle management, especially in developing and communicating standards.

ASCOT (IAEA, 1991) introduces an hierarchical organisation of audit questions related to an explicit model showing different levels of safety organisation in nuclear plants. These are individual, management, corporate, regulatory and supporting organisation levels.

Bellamy and Tinline (1993) also derive a multilevel model from their analyses of loss-of-containment incidents in the process industry. They identify control and monitoring loops as a key element in process safety control. These operate between 5 levels, equipment reliability, operator reliability, communications and feedback, organisation, and management and system climate. The loops have both feed forward and feedback elements. The model has been used to develop an audit system, which can result in a management weighting factor for a risk analysis (see Muyselaar and Bellamy, 1993 for a comparison between this model and other audit techniques).

The quality assurance standards from ISO have been mentioned above as a theoretical framework at an abstract level, which has been used to develop standards for environmental management, health and safety management and related audit systems (e.g. British Standards Institution, 1992). Studies have been carried out comparing management systems for quality, environment and safety based on such a structure (NEHEM, 1994; Zwetsloot, 1994). The studies demonstrate that all of these aspect systems can be considered within the same sort of abstract framework, but have not yet resulted in coherent models linking practice to the abstract principles.

The conclusion from the literature review is that there have been few attempts to produce coherent and comprehensive models of an SMS. Much research is fragmentary and studies have widely different foci, leading to disjointed and apparently contradictory results. There is an increasing literature in the area which is difficult to interpret and use without some framework which indicates how the results might be linked together. There is a need for a framework to represent the complexity and dynamics of management in this area. The Delft framework, set out below, is offered as a step in this direction.

3. The proposed framework

3.1. Origins of the Delft framework

From its inception the Safety Science group in Delft has felt a need to structure its research and teaching (Hale and de Kroes, 1997). In the inaugural lecture for the chair in Safety Science the unifying principle of a problem solving cycle was used as a framework (Hale, 1985). It was also central to a book on individual perception in the control of danger (Hale and Glendon, 1987). Subsequent research for government ministries led to the elaboration of this principle for use in structuring an SMS and the role of health and safety experts within it (Oortman-Gerlings and Hale, 1991). It was also used for clarifying the role of government inspectorates in assessing the SMS (Goossens and Hale, 1991; Hale et al., 1992). Work in a steel company extended the use of the model to a within-company study of shop floor, departmental and central company decision making on safety (Hale et al., 1993a,b). A study of maintenance management in the chemical industry provided a test of the framework in that phase of the life cycle (Hale et al., 1993a,b).

The problem solving framework was also used in devising courses for safety managers and advisers (Koornneef and Hale, 1993).

These various lines of research were consolidated in a theoretical study for the nuclear industry (Hale et al., 1994a,b). This extended the model into a format capable of explaining the dynamic nature of the SMS.

3.2. Objectives and criteria

The framework is offered as a way of structuring research into, and practice of, safety management. Its objective is to provide a systematic and complete description of what elements should be present in an SMS and how they should be related to each other. In particular it aims to make explicit the links between risks and direct preventive and control measures on the one hand and the organisational and management processes which ensure that the prevention measures are present and functional on the other hand. The purpose of this is to show what organisational and management factors can be introduced or improved in order to improve the performance of the SMS. The framework therefore aims to provide the basis for assessing and improving an existing SMS and for designing a new one from scratch. In its current state of development it has not been worked out to provide a complete auditing instrument, but it can be used to evaluate existing audit tools.

Its objective is also to provide a coherent framework for training safety advisors and managers to understand the structure and functioning of the SMS and their roles in it.

The framework is based upon insights from literature and current practice, but is in no way proposed as the one correct model derived inevitably from proven studies. It has the status of a hypothesis or paradigm with an explicit structure, within which existing knowledge can be placed and compared, and from which predictions can be made for subsequent testing.

Safety management is a complex process. It permeates all parts of an organisation and touches all the phases of the life cycle of a project or company, from design to demolition. In the terms of systems theory, which is used as the basis for the framework, the SMS is an aspect system (in ‘t Veld, 1992), which is concerned with meeting a sub-set of the objectives of the whole system, or organisation. An aspect system usually involves the majority of the elements which make up the total system, but does not involve all of the relationships between them. In this case we concentrate on the relationships which have a significant effect on safety.² Modelling of an aspect of a complex system means that the model will be complex also. We set ourselves the following requirements for the model on the basis of the literature review:

1. It should model the complex, dynamic systems that the SMS exists in.
2. It must be able to focus in on elements of the system without losing the links to the whole model.
3. It must provide a common language to describe and model all aspects of the system.
4. It must be compatible with existing ideas and principles in safety management, quality management and the idea of the learning organisation.
5. It must provide links to standard concepts used in management texts, e.g. the distinction between policy, procedures and instructions.
6. It should model both the primary (technological) processes with their risks and the management decisions which control them.

² We would also claim that the model is applicable for an aspect system to manage closely related risks such as those to health, environment and quality. However, this aspect is not the central concern of this paper.

Fig. 1. SADT analysis. (Diagram: a Transformation box with Inputs, Outputs, Controls/criteria and Resources.)

3.3. SADT. The language of the framework

Central to the framework is that it must model both the primary production processes of an organisation and its management decisions. Risks arise from the failure to control sources of danger in the primary processes. Well known models in safety science, such as MORT (Elsea and Conger, 1987), have defined these as energy flows which must be channelled. In broader terms the flows can also be of materials, such as toxic substances, which can cause harm to health or the environment if they escape. A modelling technique such as that of in ‘t Veld (1984), devised for production processes, provides a possible basis for modelling such flows and the controls which prevent failure. However, this technique is not so adapted for modelling the decision making and information flows which make up the processes of the management system. Such information flows are also central to the ‘production processes’ of non-manufacturing companies such as banks or consultancy companies, whose SMS we also wish to be able to model. For these reasons we have chosen to use SADT (Structured Analysis and Design Technique) which originates in the field of software and knowledge engineering, but has been used more widely to model decision making activities (Marca and McGowan, 1988; Heins, 1993; Goossens et al., 1991). Rasmussen and Whetton (1993) have independently adopted this technique for modelling process risks. Combining the two in one modelling technique provides one of the main innovations of our modelling approach.

The primary structure (Fig. 1) consists of an activity box controlled by three aspects, together producing the output. The logic of the modelling is that the inputs (I) must be necessary and sufficient to produce the outputs (O), given the resources (R) and the control criteria (C).³

The inputs are fed into the activity and either transformed or used up during the course of it in order to produce the outputs. Inputs in an SMS analysis will be largely information or documentation (plans, designs, calculations, assessments, etc). At times, however it is convenient to model activities such as safety training courses, where people are inputs, or product safety testing, in which hardware may be an input. When the primary production process is being modelled the inputs can also be materials or energy and the output to be avoided by application of the SMS is an escape of either above the threshold specified by the safety criteria.

³ In the original notation instead of ‘R’ the label ‘M’ is used which stands for ‘Mechanism’. Use of the SADT technique in training has indicated that this term causes confusion and that ‘Resources’ is much more comprehensible. Throughout this paper the latter term will be used.

Outputs are both desired products, by-products and unwanted outcomes. For the purposes of our analysis the outputs must meet defined safety criteria, both in absolute terms and in relation to the circumstances in which they will be used as inputs or resources for other SADT boxes.

The resources are those things necessary for performing the activity, but which are not changed or consumed in it, or at least not in the short term. They are generally hardware (e.g. measuring instruments) or people. If the activity is poorly managed, or goes on for a long time, the resources may suffer degradation (wear and tear, ageing, injury or damage) and it should be an objective of the activity that degradation is avoided or limited to acceptable ‘expected wear and tear’. The resources used are themselves subject to a process of specification, selection, provision, use, monitoring and maintenance, which can itself be modelled as a SADT activity, within which this risk of unacceptable injury or wear and tear can be incorporated.

Controls or criteria are used as standards to judge whether the activity is successful. These include all laws and safety standards laid down or recommended. Quality standards for the outputs of activities can also be modelled under this heading. For convenience the C-arrow is indicated as entering the middle of the activity box. In fact it can (and often should) be applied at different points:

- To the input arrow, to check that the inputs are of a suitable quality and completeness to be transformable to the desired output.
- To the resource arrow, to check that the resources are of sufficient quantity and quality to perform the transformation required by the box.
- To the transformation box itself, to check that the process by which it occurs meets the criteria defined.
- To the output arrow, to check, before the output is passed on to the next box, that it meets the required specification.

The activity or transformation which is modelled in any one SADT box can be defined as broadly or as specifically as desired. In carrying the analysis further the overall activity can be opened out by zooming into the SADT box and splitting the activity into a number of sub-activities. For example, the SADT activity box can be conceived of at the highest level of aggregation as the safe exploitation of a technology or the safe completion of a project. This can be opened out at a first level into the life cycle phases (from conceptual design, to de-commissioning and disposal). It can then be opened out or ‘unpacked’ again to reveal the processes going on inside each phase of the cycle and to describe the SMS further. This unpacking process can go on progressively until the analyst decides it has reached the level at which it is no longer useful to go further. There are close similarities to hierarchical task analysis (Shepherd et al., 1992) in this process of unpacking or re-description.

Because the process of unpacking of each activity box must preserve the same overall inputs, criteria, resources and outputs as ultimate links to the environment outside that activity, it forces the analyst to show how these globally defined elements must be translated into specific requirements to fit into the next level of detail. In particular, this process of translation and redefinition is crucial for the safety criteria (controls) which drive the safety of the activities.

The SADT notation provides both the common language for the model and the necessary flexibility to meet the criterion, set out above, of being able to focus in on specific parts of the SMS without losing their relationship to other parts. It also meets the criterion of providing links to general management principles; the criteria related to safety (or related risks) are a sub-set of the total criteria used to control the processes being analysed. In order to extend the analysis to a general management analysis one only needs to add criteria such as quality, profitability, cost limitation, etc.
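The rule that unpacking an SADT box must preserve its overall inputs, criteria, resources and outputs can be checked mechanically. The following Python sketch is an added illustration, not part of the original paper; the `Activity` class, the `refines` mapping used to record how a global criterion is translated at the next level, and the maintenance-job sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

ROLES = ("inputs", "controls", "resources")


@dataclass
class Activity:
    """One SADT box: inputs, controls/criteria and resources give outputs."""
    name: str
    inputs: frozenset = frozenset()
    controls: frozenset = frozenset()
    resources: frozenset = frozenset()
    outputs: frozenset = frozenset()
    children: list = field(default_factory=list)
    # Assumption of this example: sub-level label -> parent label it translates.
    refines: dict = field(default_factory=dict)


def check_unpacking(parent):
    """List the ways one level of unpacking breaks the parent's boundary."""
    if not parent.children:
        return []

    def up(label):
        return parent.refines.get(label, label)

    problems = []
    produced = set()
    for child in parent.children:
        produced |= child.outputs
    consumed = {role: set() for role in ROLES}
    for child in parent.children:
        for role in ROLES:
            for label in sorted(getattr(child, role)):
                consumed[role].add(label)
                if label in produced:
                    continue  # internal link: another sub-activity delivers it
                if up(label) not in getattr(parent, role):
                    problems.append(f"{child.name}: {role[:-1]} '{label}' has no source")
    for role in ROLES:
        used = {up(label) for label in consumed[role]}
        for label in sorted(getattr(parent, role) - used):
            problems.append(
                f"{parent.name}: {role[:-1]} '{label}' is not used by any sub-activity")
    delivered = {up(label) for label in produced}
    for label in sorted(parent.outputs - delivered):
        problems.append(
            f"{parent.name}: output '{label}' is not produced by any sub-activity")
    all_consumed = set().union(*consumed.values())
    for child in parent.children:
        for label in sorted(child.outputs):
            if label not in all_consumed and up(label) not in parent.outputs:
                problems.append(f"{child.name}: output '{label}' goes nowhere")
    return problems


def maintenance_job(with_criteria=True):
    """Constructed sample: a maintenance job unpacked into three sub-activities."""
    isolate = Activity(
        "Isolate and gas-test",
        inputs=frozenset({"work order", "plant released for maintenance"}),
        controls=frozenset({"gas-free limit"} if with_criteria else ()),
        resources=frozenset({"gas detector"}),
        outputs=frozenset({"isolated plant", "signed permit"}),
    )
    repair = Activity(
        "Do repair",
        inputs=frozenset({"isolated plant"}),
        controls=frozenset({"signed permit"}),
        resources=frozenset({"fitters"}),
        outputs=frozenset({"repaired plant"}),
    )
    hand_back = Activity(
        "Hand back",
        inputs=frozenset({"repaired plant"}),
        controls=frozenset({"hand-back checklist"} if with_criteria else ()),
        resources=frozenset({"fitters"}),
        outputs=frozenset({"plant handed back"}),
    )
    return Activity(
        "Carry out maintenance job",
        inputs=frozenset({"work order", "plant released for maintenance"}),
        controls=frozenset({"permit-to-work rules"}),
        resources=frozenset({"fitters", "gas detector"}),
        outputs=frozenset({"plant handed back"}),
        children=[isolate, repair, hand_back],
        refines={"gas-free limit": "permit-to-work rules",
                 "hand-back checklist": "permit-to-work rules"},
    )


if __name__ == "__main__":
    print(check_unpacking(maintenance_job()))
    print(check_unpacking(maintenance_job(with_criteria=False)))
```

With `with_criteria=False` the sub-activities no longer carry any translation of the parent's safety criterion, and the check reports that the criterion was lost in the unpacking.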

3.4. The elements of the framework

Using the SADT notation we can model the two elements we require, the primary process of the organisation which produces the risks which have to be controlled, and the SMS which controls them. The framework is complex and consists of a number of subsidiary models which are set out in the following sections. Figure 4 at the end of the section draws all the elements together. It may help the reader to refer to this at intervals in reading the intervening sections.

3.4.1. Modelling the primary process

The SADT notation can be used to model the primary process of any organisation. The steps in the production process can be seen as SADT boxes with production criteria, including safety, controlling the transformations. Different levels of aggregation can be chosen for the analysis by zooming into any given SADT box. In order to model risks we need a model which links to this idea of flows. A deviation model has this potential. Deviations can be seen as undesired outputs arising from problems with inputs, controls and/or resources.

3.4.1.1. Risks as deviations

Quality management systems are designed to detect and correct deviations from quality standards. This concept of deviation from a desired standard or ideal situation is also well known in safety (Kjellén, 1983; Hale, 1985). Fig. 2 shows a model incorporating this concept. This model emphasises that hazards built into a technology or activity and the preventive measures to eliminate and control them are largely conditioned by the decisions made in the design phase of the activity. In the operational phase the model shows the process of deviation and the possibilities to prevent, detect, recover from, or minimise the effect of the deviation. It can be used, in principle, for all types of threat to the integrity and functioning of any system element (life, limb, health [physical or mental], property, materials) or to its environment (water, soil, air, people). Since its origins are in the modelling of physical threats, it is least well adapted to portraying stress and threats to well-being.

Fig. 2. Deviation model. (Diagram labels: Choice and design of (sub)system; Elimination of hazards; Normal situation with in-built hazard; Control measures; Deviations from normal situation; Detection and recovery; Loss of control; Release of energy + exposure; Escape; Transmission; Secondary safety; Damage process; Rescue, damage limitation, treatment; Stabilisation.)

The deviation model shows the activities and resources which need to be used to prevent

the deviation or to return the situation to the desired course if it does deviate. The deviations are the potential ‘problems’ which drive the second part of the model described in Section 3.4.2 below.

In using the framework it may be necessary to model separately the deviation process related to each one of the range of hazards present in a given process step. The safety system

to control each may differ, e.g. the detection and control of health hazards involves other detailed tasks than that for external safety hazards.

3.4.1.2. Life cycle

The importance of the design stage of the life cycle has been introduced above. Consideration of the whole life cycle of a technology, material or product is central to recent thinking on environmental management (e.g. Ministry of the Environment, 1989; E&P Forum, 1994). The European Machinery Standard (CEN, 1991) also incorporates the whole life cycle of a machine into its requirement for risk assessment.

Six basic life cycle phases can be recognised, each of which can be subdivided: Design (conceptual design, preliminary engineering, detailed design), Construction, Commissioning, Operation (start up, normal running, shut down), Maintenance and modification, Decommissioning and demolition. As illustration two of the stages are broken down above into sub-stages. This process of dividing up the life cycle phases can go on indefinitely using the SADT notation. Each life cycle phase has its own primary process, and each stage in that process has its hazards or potential deviations, which can be modelled as above.

Each phase of the life cycle is linked to all the other phases as SADT boxes. The product (output) of one phase is the input to the next and hence the safety of that next phase is determined partly by the safety of that product. The completed design is input to the construction phase; the maintenance phase delivers the plant back as input to the operations phase. We can therefore distinguish two sorts of safety which the SMS has to manage in each phase; the safety of the process in that phase and the safety of the product of that phase. The example of the maintenance phase of a chemical plant helps to clarify this distinction. The process safety of the maintenance phase concerns such problems (deviations or unwanted outputs) as falls from scaffolding, explosions due to hot work where flammable gas checks have not been adequate, etc. The product safety of maintenance concerns such issues as leaving valves closed which should be open and modifications which are not included in the plant design drawings. These deviant outputs are incorrect inputs for the operators in the production phase, who may thereby, in their turn, make mistakes causing explosions. It is likely that a different mix of factors govern product and process safety, just as measures which result in a high product quality are not necessarily the same as those which lead to a high quality of working life in the company (= process quality in the terms of our model).

The SADT notation applied at a global level of total life cycle phases allows us to study the information flows, resources and criteria which ensure that the optimum decisions are made to ensure safety in other phases (design specifications and reviews, permit to work systems, etc.). The feedback loops from later phases show how the total system learns from experience of incidents and accidents, e.g. improving the maintainability of plant at the design stage. Such analyses are particularly useful to study the communication between parts of the life cycle which are (going to be) managed by different people or organisations (e.g. emergency versus normal operation, on-line working versus shutdown maintenance, design phase versus commissioning).

Fig. 3. Generalised problem solving cycle. [Figure not reproduced; surviving labels: criteria (standards), e.g. from higher level PSC; current situation and desired situation; problem recognition and description; problem analysis (causes); setting priorities; development of solutions (technical, organisational, societal); choice of solutions; implementation (= link to PSC below); monitoring and evaluation of effectiveness; planning for unforeseen circumstances; to higher level PSCs.]

3.4.2. Modelling the management process

We define the focus of the SMS as the potential or actual deviations which occur in the primary process of the organisation or activity. These are considered as (potential) problems which must be recognised, studied and resolved.

3.4.2.1. Problem Solving Cycles (PSC)

Hale (1985) introduced the problem solving cycle as an organising principle for safety science activities. It is also to be found as the basis for the quality control cycle (Deming, 1990). The steps to be distinguished are shown in Fig. 3, which emphasises the feedback loop driving continuous assessment and learning within one PSC and linking one level to the one above (see Section 3.4.2.2 below).

This model defines tasks to be accomplished in relation to each safety problem. At an individual level it can be translated into a model of individual behaviour in the control of danger (see Hale and Glendon, 1987). Examples of how the tasks are filled in for direct control of specific hazards in the operations phase are as follows:

(a) Criteria may be exposure limits, compliance with the specific articles of the law or regulations, housekeeping standards, etc.

(b) Problem recognition can occur through overt injury, deviations discovered through inspection, complaints, etc.

(c) Problem analysis may involve simple tests of the working of guards or instrumentation.

(d) Priority setting occurs on the basis of individual estimates of the urgency of corrective action.

(e) Solution development may involve searching in a user manual for the correct procedure.

(f) Solution choice will normally be linked directly to the diagnosis of the problem, but may involve discussions with a supervisor.

(g) Implementation can involve machine adjustment or some improvisation in a work procedure.

(h) Monitoring and evaluation closes the loop to monitor the achievement of goals, through checks and inspections.

(i) Contingency planning copes with residual risks through emergency evacuation, fire-fighting or first aid.

All of these are tasks which must be executed on the primary process to prevent or recover from deviations. The PSC at the level of people in direct contact with the hazards can be modelled as a SADT box whose inputs are signals of potential or actual danger, whose criteria are exposure or risk standards or standards of compliance with regulations or policy, and whose resources are time, hardware and people with the necessary knowledge and skills to carry out the problem solving and control and the commitment to regard the safety criteria as important. Each step of the PSC is then a sub-division of the SADT box, modelled in the same way. As with the analysis of life cycle phases in Section 3.4.1.2 the flows of information and resources between the boxes can be studied to see whether there is effective coordination of the problem resolution across the various people involved in the PSC.

3.4.2.2. Levels of decision making and management activity within each phase of the life cycle

Individuals control their environment at three levels, knowledge-based, rule-based, and skill-based (Reason, 1990). These can be seen to correspond in many ways to the levels of routinisation of decision within a company. We distinguish three levels of activity, which correspond broadly to the classical management split between policy, planning and control, and execution. We have called these S = System structure, P = Planning, organisation and procedures, E = Execution. These three levels must operate in each of the life cycle phases.

The notation in brackets in the descriptions below (I = inputs, C = controls, O = outputs, R = resources) refers to the lines in Fig. 4.

At the execution level (E) the actions of those involved directly influence the occurrence and control of the hazards (deviations): these are the problems it solves. It concerns itself primarily with the recognition of already known hazards (I11) and the choice and implementation of already learned actions to eliminate, reduce or control them (O8). The degrees of freedom present at this level are therefore limited and its feedback and correction loop (O9/I10) is concerned essentially with correcting deviations from agreed procedures and returning practice to that standard. As soon as a situation is identified where the agreed norm is no longer thought to be appropriate, the next level (P) is activated (I6). The problem solving cycle for detecting and removing hazards at the execution level during the design stage resembles closely the (P) level in the next paragraph.

The planning, organisation and procedures level (P) is concerned with devising and formalising the actions to be taken at the E level in respect of the whole range of expected hazards. The P level is that found in many safety manuals, setting out responsibilities, procedures and reporting lines, etc. It provides the continuity in the SMS; providing the repository of lessons learned from successes and failures in the functioning of the E level (I6). It is activated to design or change the E level (O4/C3, O5/H), but does so within an overall philosophy and style which derives from the S level. It makes the translation of abstract principles (I4) (i.e. those found in this framework) into concrete task allocation and implementation (O5, O6). It is the level which keeps an eye open, and develops new procedures, for hazards new to the organisation (I5) and modifies existing procedures to keep up with new insights about, or standards (C1) and solutions relating to, hazards. It therefore corresponds to the improvement loop required in quality management systems. For this level the ‘problem’ is therefore a signal either from below that the E level is not working well enough (I6), from above that the S level wants e.g. a step change in safety achievement (C2), or from outside, a new hazard or standard (I5). The steps of the PSC at this level cover the range of tools available to safety science, from design reviews and accident statistics (problem recognition), through cost-benefit analysis (solution choice) to auditing (monitoring) and first aid (contingency planning).

The system structure and management level (S) is concerned with the overall principles of the SMS, how it is set up and maintained and how it functions. The S level embodies the framework set out in this paper (I1) and the broad principles upon which it is adapted to fit into the culture of a particular organisation (e.g. degree of decentralisation and self-regulation, expert versus line management culture, in-house versus contracted out tasks in different life cycle phases). This level is activated (recognises a problem) when the organisation considers that the current P level is failing in fundamental ways to achieve acceptable performance or continuing improvement in the E level (I2) and that a step change is required in the way in which the problems are tackled. It is a meta-level at which the ‘normal’ functioning of the SMS is critically monitored (I3) and through which it is continually improved or maintained (O2, O3) in the face of changes in the external environment of the organisation. Signals to activate it may come from the occurrence of major accidents in the plant (I2) or industry, a decision to work for an ISO 9000 certificate, an unfavourable report from an inspectorate, or an unfavourable comparison with the safety performance of a rival company (I1). At this level the problem solving tasks are hardly different from those found in any management consultancy or organisational change process.

It should be emphasised that these three levels are abstractions corresponding to three different types of feedback (correction, learning/improvement and structural (re)design). They are emphatically not to be seen as contiguous with the hierarchical levels of shop floor, first line and higher management. The activities specified by each abstract level (E, P, S) can be allocated in many different ways: operators or a safety service may have the task of writing procedures (P level); autonomous work groups may have freedom of action to set up and monitor their own SMS within agreed boundaries, or the SMS may be specified rigidly by plant management (P + S levels); external consultants or senior managers may conduct routine inspections on occasions (E level) and be involved in accident investigations (feedback E to [+ S] P levels); etc. The choice of how to allocate tasks reflects the culture and methods of working of the individual company.

By modelling each of the three PSC levels as a SADT box we can make clear the importance of the links between them, a number of which are shown in Fig. 4. Note the importance of the way in which safety criteria are translated from S to P to E (O1/C2, O4/C3) and of the feedback loops from below to modify the higher levels (O9/I6/I2, O7/I7/I3).


Fig. 4. Relations between SMS levels. [Figure not reproduced; surviving labels: laws, regulations, standards; ... and deviations.]

4. Using the framework

The framework gives a normative statement about the way in which an SMS should be structured and should operate. It does this at a relatively abstract level. For example it prescribes that specific problem solving tasks should be carried out to control hazards, but it does not specify who in the company should perform them. It emphasises flows of information and resources, which implies that there must be channels along which they flow, but leaves it open to the company to define what these should be. It prescribes that criteria are formulated for assessing the safety of each step in the primary process and the adequacy of each step of the PSCs, and that they should be consistent between levels, but it leaves the specification of them to the individual company. The content of the flows has been elaborated further in Hale et al. (1994b). We propose that the differences in the way in which this translation from abstraction to practice is made in organisations operating the same primary process should be seen as a definition of their safety culture. Such a definition would remove some of the confusion in the current literature.

We are still exploring the uses and full potential of the framework. Apart from the studies mentioned in Section 3.1, a first assessment of the model was carried out by presenting it to five representatives of the nuclear industry in the UK (Kirwan et al., 1994). They were asked to rate its potential for use in four areas: incident and accident investigation, training, SMS auditing and SMS design. It was regarded as providing no advance on other existing techniques in the first area, as having some usefulness as a communication tool in the second, and as having high potential for use in the auditing and SMS design areas. The method of use in the four areas is summarised in the following paragraphs.


4.1. Accident analysis

There is no experience yet with this use of the framework. Potentially it offers the possibility of carrying out the following steps: locating the accident in a primary process step; modelling the deviations in this step and tracing their determinants back through earlier process steps and, as appropriate, into other life cycle phases; tracing the deviations into the PSCs and assessing where at the three levels the SMS failed, in particular in relation to decision flows, resources and criteria. Such an analysis has some resemblances to the MORT accident analysis method, with its distinction between two aspects of the investigation, the barriers and controls and the management system (Elsea and Conger, 1987). Since MORT is a fully developed system, it may indeed not be a high priority to develop the model in this area.

4.2. Training

The model is already in use in the postgraduate and post-experience course run by the Safety Science group in Delft. Experience shows that safety advisers and managers find the SADT notation an attractive way to analyse their role and the role of their service in the company. Analysis of the flows to and from the tasks which they themselves perform clarifies the interdependencies in the SMS and enables them to concentrate on exploring and improving them. The model was used explicitly in this way in their final project report for the most recent Masters examination in Management of Safety, Health and Environment by 4 of the 11 students.

4.3. SMS assessment and auditing

The framework has been used to make a preliminary assessment of the ISRS auditing tool (Det Norske Veritas, 1994) to indicate areas in which it is strong and to point out areas not covered by the questions (Heming et al., 1994). This analysis indicated that the audit tool is more specific in its demands in some areas than the framework, i.e. it is more prescriptive as regards the safety culture. For example ISRS requires particular communication channels such as tool box meetings to be present, as opposed to pitching a requirement at the level of an effective channel to communicate with the shop floor. This is helpful for organisations which have no existing system, but may be disruptive for those with an existing culture. More detailed analyses and comparisons could provide a basis for classifying audit instruments and posing researchable questions about their effectiveness.

The framework itself provides generic criteria for assessing directly what would be a poor SMS in practice. These need to be worked out in detail, but it is clear from the logic that the following would be among them:

(a) PSC steps are missing or tasks are not allocated, e.g. no evaluation of the effectiveness of safety measures.

(b) Resources of adequate quantity or quality are not made available at the appropriate place or time, e.g. lack of safety training for designers.

(c) Tasks are allocated to persons without appropriate authority and freedom of decision or with built-in conflict with other tasks allocated to them, e.g. managers judged on their accident record who are required to encourage accident reporting.

(d) Tasks are not accepted or carried out adequately.

(e) Communication and coordination between tasks (flow of information) does not take place within the appropriate time constraints, e.g. between maintenance and operations over plant modifications.

(f) Inputs and outputs and activity boxes are not subject to appropriate quality and safety checks, and safety criteria are not worked out, e.g. in passing plant designs to the construction phase.

(g) Deviations of a significant nature occur with an unacceptable frequency and are not corrected, but tolerated as inevitable.

(h) Information about success or failure is not openly and willingly volunteered, discussed and acted on, i.e. a blame culture exists.

(i) The system does not constantly adapt itself to a changing environment and demands. This includes actively seeking out the signals that it should and can improve (e.g. new technology, legislation, societal or customer demands, etc.).

This use of the framework is currently being tested in a project concerned with the management of safety in relation to maintenance in the chemical process industry (Heming et al., 1995). This provides the opportunity to look closely at flows of information between design, operations and maintenance phases and between planning and execution levels.
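As an added illustration (not code from the paper or its authors), the sketch below records an SMS description as SADT-style boxes and flows and screens it against criteria (a), (b), (c), (e) and (f) above. The class names, field names and the sample SMS are assumptions made for this example; timing of flows and criteria (d), (g), (h) and (i) are not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# The nine PSC tasks, items (a)-(i) of Section 3.4.2.1.
PSC_STEPS = (
    "criteria", "problem recognition", "problem analysis", "priority setting",
    "solution development", "solution choice", "implementation",
    "monitoring and evaluation", "contingency planning",
)
LEVELS = ("S", "P", "E")  # system structure, planning/procedures, execution


@dataclass
class Task:
    """One PSC step at one level, described as an SADT box (assumed shape)."""
    level: str
    step: str
    owner: Optional[str] = None                   # who the task is allocated to
    resources: set = field(default_factory=set)   # time, hardware, skills
    has_authority: bool = True                    # owner is free to decide and act


@dataclass
class Flow:
    """An output of one box that is an input or control of another."""
    source: str
    target: str
    content: str
    checked: bool = False   # subject to a quality/safety check on hand-over


def audit(tasks, flows):
    """Return (criterion letter, message) findings for a described SMS."""
    findings = []
    by_key = {(t.level, t.step): t for t in tasks}
    for level in LEVELS:
        for step in PSC_STEPS:
            task = by_key.get((level, step))
            if task is None:
                findings.append(("a", f"{level}: no '{step}' task"))
                continue
            if task.owner is None:
                findings.append(("a", f"{level}: '{step}' not allocated"))
            elif not task.has_authority:
                findings.append(
                    ("c", f"{level}: {task.owner} lacks authority for '{step}'"))
            if not task.resources:
                findings.append(("b", f"{level}: '{step}' has no resources"))
    # Criteria must pass down S -> P -> E and feedback must pass up E -> P -> S.
    links = {(f.source, f.target) for f in flows}
    for src, dst in (("S", "P"), ("P", "E"), ("E", "P"), ("P", "S")):
        if (src, dst) not in links:
            findings.append(("e", f"no flow from {src} to {dst}"))
    for f in flows:
        if not f.checked:
            findings.append(
                ("f", f"unchecked flow {f.source} -> {f.target}: {f.content}"))
    return findings


def sample_sms():
    """Constructed sample: a complete SMS description with five defects."""
    by_key = {(l, s): Task(l, s, owner="line manager",
                           resources={"time", "training"})
              for l in LEVELS for s in PSC_STEPS}
    del by_key[("E", "monitoring and evaluation")]            # criterion (a)
    by_key[("P", "solution development")].resources = set()   # criterion (b)
    by_key[("E", "implementation")].has_authority = False     # criterion (c)
    flows = [
        Flow("S", "P", "safety criteria", checked=True),
        Flow("P", "E", "procedures and criteria", checked=True),
        Flow("P", "S", "performance feedback", checked=True),
        # No E -> P feedback flow is recorded: criterion (e).
        # Product of the maintenance phase handed over unchecked: criterion (f).
        Flow("Maintenance", "Operation", "plant modifications"),
    ]
    return list(by_key.values()), flows


if __name__ == "__main__":
    for criterion, message in audit(*sample_sms()):
        print(f"({criterion}) {message}")
```

Life cycle phases and the S, P and E levels share one namespace for flow endpoints here, so the same check covers hand-overs between phases and links between levels.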

4.4. SMS design

So far no work has been done on this application. Design of an SMS from scratch does not often occur. It is more likely that the framework would be useful in making thorough analyses of an existing, but poorly functioning system and suggesting radical redesign. This would be very similar to the use under Section 4.3.

5. Validation

As with any complex model, validation is problematic. In the section discussing the objectives of the framework we indicated that it is at present more of a paradigm than a model. It offers a language and structure within which an SMS can be placed and described. As such an initial test is of its acceptability to other researchers, and its fruitfulness in explaining existing research results and generating new, interesting research questions. The studies mentioned in the last section are promising in this respect.

It is possible to conceive of a falsification of the framework, if companies with successful SMSs were to be found which either could not be described within the framework, or which did not have all of the elements which the framework requires. The most difficult practical issue is an independent measure of success which does not rely on some equally unvalidated audit instrument.

In the medium term two lines of research suggest themselves. Firstly the description of the SMSs of a number of companies using the framework in order to explore its practicability and the ease with which it can be used to clarify and discuss potential shortcomings with the company. Once a number of descriptions are available it should also be possible to see whether certain parts of the framework are consistently absent or poorly represented, and whether this is accompanied by any measurably poor performance in safety.

Secondly the framework can be used to analyse accidents to indicate whether these can be systematically traced back to particular failures in the SMS, or whether they distribute themselves over the whole framework. The first finding would be a possible indication that some parts of the framework were at least more crucial to safe performance.


6. Conclusions

This paper has presented a theoretical framework which appears, at first reading, highly complex. It is, however, constructed from relatively simple building blocks with proven value. Its main claim as a framework is that it offers for the first time a consistent language (the SADT notation) to describe and analyse all aspects of safety analysis and management, from the primary technological process to the top management policy. The proof of its usefulness will come with its application in practice.

References

ACSNI (1993) Organising for Safety. Third Report of the Human Factors Study Group of the Advisory Committee on Safety in the Nuclear Industry. Health & Safety Commission, HMSO, London.

Bellamy, L.J. and Tinline, G. (1993) Development of a safety management system audit which addresses loss of containment risks on major hazard installations. Paper to 3ASI Conference, Milan, Nov. 1993.

Bird, F.E. and Loftus, R.G. (1976) Loss Control Management. Institute Press, Loganville, GA.

Brascamp, M.H., Koehorst, L.J.B. and van Steen, J.F.J. (1992) Management Factors in Safety. Department of Industrial Safety, TNO, Apeldoorn.

British Standards Institution (1992) Specification for Environmental Management Systems. BS7750, London.

British Standards Institution (1996) Guide to Health and Safety Management Systems. BS8800, London.

Canter, D., Chalk, J., Donald, I., King-Johannessen, K., Lewand, K. and Thrush, D. (1990) The Effects of Organisational Management and Human Factors on Accidents in Steel Plants. Psychology Department, University of Surrey, Safety Research Unit.

Carthey, J., Hale, A.R., Heming, B. and Kirwan, B. (1994) Extension of the model of behaviour in the control of danger: Literature review and analysis of model development needs. Report to the Health & Safety Executive, UK, February. Industrial Ergonomics Group, School of Manufacturing & Mechanical Engineering, University of Birmingham.

CEN (1991) Safety of Machinery: Basic concepts, general principles for design. Part 1: basic terminology, methodology. Part 2: technical principles and specifications. (Report Nos. EN292-1 and EN292-2). CEN, Brussels.

Chew, D.L.E. (1988) Effective occupational safety activities: findings in three Asian developing countries. International Labour Review 127, 111-125.

Cox, S. and Cox, T. (1991) The structure of employees attitudes to safety: a European example. Work & Stress 5, 93-106.

Dawson, S., Poynter, P. and Stevens, D. (1984) Safety specialists in industry: roles, constraints and opportunities. Journal of Organisational Behaviour 5, 253-270.

Dedobbeleer, N. and Béland, F. (1991) A safety climate measure for construction sites. Journal of Safety Research 22(2), 97-103.

Deming, W.E. (1990) Out of Crisis: Quality, Productivity and Competitive Position. Cambridge University Press, Cambridge.

Department of Energy (1990) The Public Enquiry into the Piper Alpha Disaster (Cullen Report). HMSO, London.

Department of Employment (1975) The Flixborough Disaster: Report of the Court of Enquiry. HMSO, London.

Department of Transport (1987) Report of the Formal Investigation into the Sinking of the Herald of Free Enterprise (Sheen Report). HMSO, London.

Department of Transport (1988) Investigation into the Kings Cross Underground Fire (Fennel Report). HMSO, London.

Det Norske Veritas (1994) International Safety Rating System. 6th edn.

Diaz Cabrera, D. (1994) Some measures for the evaluation of safety courses. Paper to 23rd International Congress on Applied Psychology, Madrid.

Donald, I. (1994) Profiling safety climates. Paper to 23rd International Congress on Applied Psychology, Madrid.

E&P Forum (1994) Guidelines for the Development and Application of Health, Safety and Environment Systems. London.


Eisner, H.S. and Leger, J.-P. (1988) The international safety rating system in South African mines. Journal of Occupational Accidents 10, 141-160.

Elsea, K. and Conger, D. (1987) MORT User’s Manual. EG&G Services, Woodstock, GA.

European Community (1989) Directive concerning the execution of measures to promote the improvement of the safety and health of workers at their work and other subjects (Framework Directive). Official Journal of EC. 12 June 1989.

European Community (1994a) Proposal for a Directive Concerning the Controlling of Danger from Serious Accidents Involving Dangerous Substances. European Union, Brussels.

European Community (1994b) EU Decree Concerning the Voluntary Participation of Companies in the Industrial Sector on a Community Environmental Management and Environmental Audit System. EMAS, Brussels.

Eyssen, G.McK, Hofmann, J.E. and Spengler, R. (1980) Managers attitudes and the occurrence of accidents in a telephone company. Journal of Occupational Accidents 2(4), 291-304.

Flagstad, K.E. (1995) The Functioning of the Internal Control Reform: Case Studies in Small and Medium-Sized Enterprises. Doktor Ingeniøravhandling. Department of Industrial Management & Work Science, Norwegian Institute of Technology.

Gill, J. and Martin, K. (1976) Safety management: reconciling rules with reality. Personnel Management 8(6), 36-39.

Goossens, L.H.J. and Hale, A.R. (1991) Beleidskader Chemische Procesindustrie (Framework for Policy Relating to the Chemical Process Industry). Safety Science Group, Delft University of Technology.

Goossens, L.H.J., Heimplaetzer, P.V. and Heins, W. (1991) Risk/effect modelling of inland waterway transport using SADT. In Probabilistic Safety Assessment and Management, ed. G. Apostolakis. Elsevier, New York.

Great Britain (1974) Safety and Health at Work etc. Act 1974 (c.37). HMSO, London.

Groenweg, J. (1992) Controlling the controllable: the management of safety. Ph.D. thesis. University of Leiden.

Haber, S.B., O’Brien, J.N., Metlay, D.S. and Crouch, D.A. (1987) Influence of Organisational Factors on Performance Reliability: Overview and Detailed Methodological Development, NUREG/CR 5538, Vol. I. US Nuclear Regulatory Commission.

Haber, S.B., Metlay, D.S. and Crouch, D.A. (1990) Influence of organisational factors on safety. Proceedings of the Human Factors Society, pp. 871-875.

Hale, A.R. (1985) The Human Paradox in Technology and Safety. Inaugural Lecture. Safety Science Group, Delft University of Technology.

Hale, A.R. (1995) Occupational Health and Safety Professionals and Management: identity, marriage, servitude or supervision? Safety Science 20, 233-245.

Hale, A.R. and Glendon, A.I. (1987) Individual Behaviour in the Control of Danger. Elsevier, Amsterdam.

Hale, A.R., Goossens, L.H.J. and Timmerhuis, V.C.M. (1992) Staatstoezicht op de Mijnen: Een Verkenning van Rol en Toekomst (State Supervision of Mines: An Assessment of Role and Future). Safety Science Group, Delft University of Technology.

Hale, A.R., Guldenmund, F., Heming, B. and Swuste, P. (1993a) Evaluating improvements in safety management systems. SRA Conference: European Technology and Experience in Safety Analysis and Risk Management. Rome.

Hale, A.R., Smit, K., Rodenburg, F.G.T. and Heming, B.H.J. (1993b) Onderhoud en Veiligheid: Een Studie naar de Relatie tussen Onderhoud en Veiligheid in the Chemische Procesindustrie. (Maintenance and Safety: A Study of the Relation between Maintenance and Safety in the Chemical Process Industry). Safety Science Group, Delft University of Technology.

Hale, A.R., Heming, B., Carthey, J. and Kirwan, B. (1994a) Extension of the Model of Behaviour in the Control of Danger: Main Report. Report to the Health & Safety Executive, UK, March. Industrial Ergonomics Group, School of Manufacturing & Mechanical Engineering, University of Birmingham.

Hale, A.R., Heming, B., Carthey, J. and Kirwan, B. (1994b) Extension of the Model of Behaviour in the Control of Danger: A New Framework. Report to the Health & Safety Executive, UK, March. Industrial Ergonomics Group, School of Manufacturing and Mechanical Engineering, University of Birmingham.

Hale, A.R. and de Kroes, J. (1997) System in Safety: 10 years of the chair in Safety Science at the Delft University of Technology. Safety Science 26, 3-19.

Hayes, B.E., Perander, J., Trask, J., Johnson, P. and Strom, S. (1994) Main and buffering effects of employee perceptions of work safety. Paper to 23rd International Congress on Applied Psychology, Madrid.

Health and Safety Technology and Management (1989) Complete Health and Safety Evaluation (CHASE). HASTAM, Birmingham.

Heinrich, H.W., Petersen, D. and Roos, N. (1980) Industrial Accident Prevention: A Safety Management Approach, 5th edn. McGraw-Hill, New York.


Heins, W. (1993) Structured Analysis and Design Technique (SADT): Application on Safety Systems. TopTech

Studies, Delft.

Heming, B., Hale, A.R., Carthey, J. and Kirwan, B. (19941 Extension of the Model of Behaviour in the Control of

Danger: Assessment of the Potential of Tailoring ISRS in the Context of the Model. Report to the Health & Safety

Executive, UK, October. Industrial Ergonomics Group, School of Manufacturing and Mechanical Engineering,

University of Birmingham.

Heming, B.H.J., Rodenburg, F.G.T., Hale, A.R., van Leeuwen, D. and Smit, K. (1995) Onderhoud en Veiligheid:

Beoordeling van Bedrijven in de Chemische Industrie. (Maintenance and Safety: Evaluation of Companies in the

Chemical Industry). Safety Science Group, Delft University of Technology.

Hidden, A. (1989) Investigation into the Clapham Junction Railway Accident. HMSO, London.

Hood, C., Jones, D., Pidgeon, N.F., Turner, B.A. and Gibson, R. (1992) Risk management. In Risk: Analysis,

Perception and Management. Royal Society, London.

Hovden, J. and Tinmannsvik, R.K. (1990) Internal control: a strategy for occupational safety and health: experiences

from Norway. Journal of Occupational Accidents 12, 21-30.

Hurst, N.W., Bellamy, L.J. and Geyer, T.A.W. (1991) A classification scheme for pipework failures to include human

and sociotechnical errors and their contribution to pipework failure frequencies. Journal of Hazardous Materials

26, 159-186.

IAEA (1991) International Nuclear Safety Advisory Group, Safety Series No. 75. INSAG-4. International Atomic

Energy Agency, Vienna.

International Loss Control Institute (1990) International Safety Rating System (ISRS). ILCI, Loganville, GA.

International Standards Organisation (1987a) Quality Systems - Model for Quality Assurance in Design/

Development, Production, Installation and Servicing. ISO 9001.

International Standards Organisation (1987b) Quality Management - Model for Quality Assurance in Production and

Installation. ISO 9002.

International Standards Organisation (1987c) Quality Management - Model for Quality Assurance in Final Inspection and Test. ISO 9003.

International Standards Organisation (1987d) Quality Management and Quality System Elements - Guidelines. ISO 9004.

Kirwan, B., Carthey, J., Hale, A.R. and Heming, B. (1994) Extension of the Model of Behaviour in the Control of

Danger: Adaptation of the Model to the Nuclear Power and Reprocessing Industries. Report to the Health &

Safety Executive, UK, March. Industrial Ergonomics Group, School of Manufacturing and Mechanical Engineering, University of Birmingham.

Kjellén, U. (1982) Evaluation of safety information systems in six medium-sized and large firms. Journal of Occupational Accidents 3(4), 273-288.

Kjellén, U. (1983) The Deviation Concept in Occupational Accident Control Theory and Method. Occupational

Accident Group, Royal Technological University, Stockholm.

Kjellén, U. and Larsson, T.J. (1981) Investigating accidents and reducing risks: a dynamic approach. Journal of Occupational Accidents 3(2), 129-140.

Komaki, J., Barwick, K.D. and Scott, L.R. (1978) A behavioural approach to occupational safety: pinpointing and

reinforcing safety performance in a food manufacturing plant. Journal of Applied Psychology 63(4), 434-445.

Koornneef, F. and Hale, A.R. (1993) Masters course in the Management of Safety, Health and Environment: Delft

University of Technology. Paper to International Conference on University and Advanced Training Courses in the

Field of the Techniques and Sciences of Danger, Bordeaux, January 1993.

Marca, D.A. and MacGowan, C.L. (1988) SADT: Structured Analysis and Design Technique. McGraw-Hill, New York.

McDonald, N., Fuller, R. and Walsh, W. (1994) Management of aircraft ground handling accidents. Paper to 23rd

International Congress of Applied Psychology, Madrid.

Menkel, E. (1990) Safety engineers and accident prevention: an inventory of activities in one industrial sector in Sweden. Journal of Occupational Accidents 12, 271-282.

Ministry of the Environment (1989) National Environmental Policy Plan. Staatsuitgeverij, ‘s-Gravenhage.

Ministry of Justice (1994) Van Keurslijf naar Keurmerk (From Strait-Jacket to Mark of Approval). (Kortmann Report). Commissie voor de Toetsing van Wetgevingsprojecten, Ministerie van Justitie, Den Haag.

Ministry of Local Government & Labour (1987) Report: Internal Control in an integrated strategy for working

environment safety. (Report No. 1). Internal Control Committee, Oslo.

Ministry of Social Affairs and Employment (1991) Integraal Beleidsplan Arbeidsomstandigheden (Integral Policy

Plan for Working Conditions). Den Haag, November.


Mintzberg, H. (1980) Structure in fives: a synthesis of the research on organisation design. Management Science

26(3).

Muyselaar, A.J. and Bellamy, L.J. (1993) An audit technique for the evaluation and management of risks. Paper to the

CEC DG 11 workshop on safety management in the process industry, Ravello, Oct. 1993.

Näsänen, M. and Saari, J. (1987) The effects of positive feedback on housekeeping and accidents at a shipyard. Journal of Occupational Accidents 8, 237-250.

NEHEM (1994) MILKA: Een Instrument voor de Integratie van Zorgsystemen voor Kwaliteit en Arbeidsomstandigheden. Handleiding Aangevuld met Ervaringen van 7 Bedrijven (MILKA: An Instrument for the Integration of Management Systems for Quality and Working Conditions. Guidance Notes Accompanied by the Experience of 7 Companies). NEHEM, ‘s-Hertogenbosch.

Netherlands (1980) Arbeidsomstandighedenwet (Working Environment Law) 1980. Staatsuitgeverij, ‘s-Gravenhage.

Nichols, M.L. and Marcus, A.A. (1990) Empirical studies of candidate leading indicators of safety in nuclear power plants: an expanded view of human factors research. Proceedings of the Human Factors Society, pp. 876-880.

Norwegian Petroleum Directorate (1985) Regulations Concerning the Licensee’s Internal Control in Petroleum Activities on the Norwegian Continental Shelf with Comments.

Oortman-Gerlings, P.D. and Hale, A.R. (1991) Certification of safety services in large Dutch industrial companies. Safety Science 14, 43-59.

Palmer, T. (1990) Safety management: Wonderland management? Occupational Hazards 52(4), 65-67.

Petersen, D.C. (1978) Techniques of Safety Management, 2nd edn. McGraw-Hill Kogakusha, New York.

Pidgeon, N. (1991) Safety culture and risk management in organisations. Journal of Cross Cultural Psychology 22(1), 129-140.

Pidgeon, N. (1993) The role of organisational factors in major accidents: from human factors to institutional design.

British Health and Safety Society Conference. Birmingham, April 1993.

Powell, P.I., Hale, M., Martin, J. and Simon, M. (1971) 2000 accidents: a shop floor study of their causes. (Report No. 21). National Institute of Industrial Psychology, London.

Rasmussen, B. and Whetton, C. (1993) Hazard identification based on plant functional modelling. (Risø Report No. R712 (EN)). Roskilde.

Reason, J.T. (1990) Human Error. Cambridge University Press, New York.

Ridley, J. (Ed.) (1994) Safety at Work, 4th edn. Butterworth-Heinemann, Oxford.

Roberts, K.H. (1989) New challenges in high reliability research: high reliability organisations. Industrial Crisis Quarterly 3, 111-125.

Rochlin, G.I. (1989) Informal organisational networking as a crisis-avoidance strategy: US naval flight operations as a

case study. Industrial Crisis Quarterly 3(2), 159-176.

Saarela, K.L. (1990) An intervention programme utilising small groups: a comparative study. Journal of Safety Research 21(4), 149-156.

Shepherd, A. in Kirwan, B. and Ainsworth, L.K. (Eds.) (1992) Guide to Task Analysis. Taylor & Francis, London.

Simonds, R.H. and Shafai-Sahrai, Y. (1977) Factors affecting injury frequency in 11 matched pairs of companies. Journal of Safety Research 9(3), 120-127.

Smith, M.J., Cohen, H.H., Cohen, A. and Cleveland, R.J. (1978) Characteristics of successful safety programs. Journal of Safety Research 10(1), 5-15.

Storm, W. and Hale, A.R. (1995) Training course for working conditions specialists in four countries. Report to the

International Social Security Association Section on Safety Training. Working group 3. Safety Science Group,

Delft University of Technology.

Suokas, J. (1986) The role of management in accident prevention. 1st International Conference on Industrial Engineering and Management, Paris.

Swuste, P., Heming, B., Hale, A.R. and Koornneef, F. (1994) Safety, health and environment experts: training in

problem solving and influence. Paper to the 4th International Congress on Occupational Health, Amsterdam.

Turner, B.A. (1991) The development of safety culture. Chemistry & Industry, April, 241-243.

USNRC (1989) Human Factors and Regulatory Research Programme. United States Nuclear Regulatory Commis-

in ‘t Veld, J. (1984) Inleiding voor Managers in Bedrijfs-Informatiesystemen (Introduction to Company Information Systems for Managers). Delft University of Technology.

in ‘t Veld, J. (1992) Analyse van Organisatieproblemen (Analysis of Organisational Problems), 6th edn. Stenfert Kroese, Leiden.

Wagenaar, W.A., Groeneweg, J., Hudson, P.T.W. and Reason, J.T. (1994) Promoting safety in the oil industry. Ergonomics 37(12), 1999-2013.


Westrum, R. (1988) Organisational and intra-organisational thought. World Bank Conference on Safety Control &

Risk Management, October 1988.

Williams, J.E.C. (1986) The Management Assessment Guidelines in the Management of Risk (MANAGER) Technique.

Technica Ltd, London.

Wilpert, B., Freitag, M. and Miller, R. (1994) Human factors in nuclear power plant incidents. Paper to 23rd

International Congress on Applied Psychology, Madrid.

Zohar, D. (1980) Safety climate in industrial organisations: theoretical and applied implications. Journal of Applied Psychology 65(1), 96-102.

Zwetsloot, G. (1994) Joint Management of Working Conditions, Environment and Quality. Dutch Institute of

Working Conditions, Amsterdam.